
Windows Analysis Report: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe

Overview

General Information

Sample Name: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe
Analysis ID: 458836
MD5: 8e6c4dd7ce47a6a456438eb5df06e52c
SHA1: 838e6c7f24bef22088d140c851cd1a3c35c9f241
SHA256: 9b985974efb3d7555b61cec77f2667cd6aca5f74a07f712b3aa58a54aa03bebb
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe (PID: 6816 cmdline: 'C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe' MD5: 8E6C4DD7CE47A6A456438EB5DF06E52C)
    • ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe (PID: 6832 cmdline: 'C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe' MD5: 8E6C4DD7CE47A6A456438EB5DF06E52C)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • control.exe (PID: 6344 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
        • cmd.exe (PID: 6796 cmdline: /c del 'C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
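
The tree above shows two things worth detecting generically rather than by file hash: the sample starts a second copy of itself (the target of the hollowing the signatures describe), and a Windows system binary (control.exe under SysWOW64) spawns cmd.exe to delete the original executable from the Desktop. The Python below is an added example, not part of the Joe Sandbox report; EVENTS is a constructed Sysmon-style (event ID 1) view of the tree in which PIDs, images and command lines are copied from the report, while the parent of the first sample instance, the parent of control.exe (explorer.exe, the injection target the report lists) and the image path of cmd.exe are assumptions made for the sample data.

```python
"""Detection checks for the process chain drawn in the tree above.

Added example; not part of the Joe Sandbox report. EVENTS is a constructed
Sysmon-style (event ID 1) view of that tree: PIDs, images and command lines
come from the report; the ppid of the first sample instance, the parent of
control.exe and the cmd.exe image path are assumptions for this sample data.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

SAMPLE = r"C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe"

EVENTS: List[Event] = [
    {"pid": 3424, "ppid": 1000, "image": r"C:\Windows\Explorer.EXE",
     "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 6816, "ppid": 3424, "image": SAMPLE, "cmd": f"'{SAMPLE}'"},
    {"pid": 6832, "ppid": 6816, "image": SAMPLE, "cmd": f"'{SAMPLE}'"},
    {"pid": 6344, "ppid": 3424, "image": r"C:\Windows\SysWOW64\control.exe",
     "cmd": r"C:\Windows\SysWOW64\control.exe"},
    {"pid": 6796, "ppid": 6344, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": f"/c del '{SAMPLE}'"},
    {"pid": 6760, "ppid": 6796, "image": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# `del [/switches] target`, target quoted with " or ' (the report renders
# quotes as ') or bare.
DEL_RE = re.compile(r"""\bdel\b\s+(?:/\w+\s+)*(?:"([^"]+)"|'([^']+)'|(\S+))""", re.I)


def by_pid(events: List[Event]) -> Dict[int, Event]:
    return {int(e["pid"]): e for e in events}


def self_spawns(events: List[Event]) -> List[Tuple[int, int]]:
    """(parent, child) pairs whose image paths are identical.

    A fresh copy of itself is the usual hollowing target; the report's
    'Creates a process in suspended mode' and 'Sample uses process hollowing'
    signatures describe what then happens to the child.
    PureWindowsPath compares case-insensitively, as NTFS does.
    """
    idx = by_pid(events)
    hits = []
    for e in events:
        parent = idx.get(int(e["ppid"]))
        if parent and PureWindowsPath(str(parent["image"])) == PureWindowsPath(str(e["image"])):
            hits.append((int(parent["pid"]), int(e["pid"])))
    return hits


def deleted_path(cmdline: str) -> Optional[str]:
    """Target of a `del` in a cmd.exe command line, or None if there is none."""
    m = DEL_RE.search(cmdline)
    return next((g for g in m.groups() if g), None) if m else None


def proxy_self_deletions(events: List[Event]) -> List[Dict[str, object]]:
    """cmd.exe, started by a binary living in a Windows system directory,
    deleting the image of a process elsewhere in the tree: the sample erasing
    itself through a host it moved into rather than from its own process."""
    idx = by_pid(events)
    hits = []
    for e in events:
        if PureWindowsPath(str(e["image"])).name.lower() != "cmd.exe":
            continue
        target = deleted_path(str(e["cmd"]))
        parent = idx.get(int(e["ppid"]))
        if target is None or parent is None:
            continue
        parent_dir = str(PureWindowsPath(str(parent["image"])).parent).lower()
        victims = sorted(int(v["pid"]) for v in events
                         if PureWindowsPath(str(v["image"])) == PureWindowsPath(target))
        if parent_dir in WINDOWS_DIRS and victims:
            hits.append({"cmd_pid": int(e["pid"]),
                         "parent": PureWindowsPath(str(parent["image"])).name,
                         "deleted_pids": victims, "target": target})
    return hits


if __name__ == "__main__":
    print("self-spawn:", self_spawns(EVENTS))
    for h in proxy_self_deletions(EVENTS):
        print("proxy self-deletion:", h)
```

Both checks are written against plain process-creation fields (image, parent image, command line), so they translate directly into a Sigma process_creation rule; on the report's own tree they return the 6816 -> 6832 self-spawn and the control.exe -> cmd.exe deletion of the sample, which is the pair of facts a responder needs to explain why the file on the Desktop is gone while the infection is still running inside explorer.exe.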

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.sutsci.com/d8ak/"], "decoy": ["slingshots305.com", "egemv.com", "purplewrld.com", "thaipayakorn.com", "crontabcyber.com", "wolfalike.com", "tedstbrice.com", "bbwtrip.com", "clothestokidsri.com", "experienanidworks.com", "acuityhealthcare.xyz", "applepai.net", "happytownmayor.net", "xn--vltadvisors-2eb.com", "garbagegenius.com", "ndddxs.com", "accuratearrangements.com", "wraptecny.com", "torontomassage.club", "ifem-ci.com", "highestmargin.com", "rahsiaboya.com", "cafe2hk.com", "peakreia.com", "michelleurena.com", "teentera.com", "highendsmokeshops.com", "one-san.net", "marketplace-576268732.com", "thesiswritinghelpfvb.com", "35fengbei.com", "thewindsurfinggypsy.com", "magnoliaranchkennels.com", "scottkenan.com", "rasaenterprise.com", "sanidom.com", "boydyourvoice.com", "akasoutheastern.com", "neryder.com", "pharmpolis.online", "bainrix.com", "bonaldi-marbrerie.com", "onefitearth.com", "theharkapp.com", "geaux-la.com", "therestingspot.com", "soulfxjuice.com", "lakestateallstars.com", "cristofiam.com", "findersinvestigationsinc.com", "faithhonorsupport.com", "bw985.com", "crosschainconsulting.com", "credit-du-nord-connexion.net", "leedermeyer.com", "4157709022.com", "zyxoothgy.xyz", "hotel-met-hond.com", "hibiskurpiest.site", "zx776.com", "intothought.com", "jardin-rent.com", "zwtouzi.com", "santapaularotary.com"]}
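
The extractor output above is the most durable indicator on this page: the hashes change with every repack, the C2 host and URI path do not. The Python below is an added example, not part of the Joe Sandbox report and not FormBook code; CONFIG_JSON is the extractor output as shown above, cut down to five decoys to keep the block short (the full list is on the page), and the Suricata rule text (SID range, message) is an illustrative choice. It also encodes the caveat a responder wants: the "decoy" entries are, as is typical for FormBook, unrelated domains the malware contacts to hide the real server, so they belong in correlation logic, not in a block list.

```python
"""Turn the FormBook configuration printed above into usable IOCs.

Added example, not part of the Joe Sandbox report and not FormBook code.
CONFIG_JSON is the extractor output from the page, truncated to a handful of
decoys; the Suricata SID range and message text are illustrative choices.
"""
import json
from typing import Dict, List, Tuple

CONFIG_JSON = (
    '{"C2 list": ["www.sutsci.com/d8ak/"], '
    '"decoy": ["slingshots305.com", "egemv.com", "purplewrld.com", '
    '"credit-du-nord-connexion.net", "santapaularotary.com"]}'
)


def split_c2(entry: str) -> Tuple[str, str]:
    """'www.sutsci.com/d8ak/' -> ('www.sutsci.com', '/d8ak/').

    The extractor stores the C2 as host plus path without a scheme; a bare
    host gets the path '/'. A scheme, if present, is stripped.
    """
    entry = entry.strip()
    for prefix in ("http://", "https://"):
        if entry.lower().startswith(prefix):
            entry = entry[len(prefix):]
    host, sep, path = entry.partition("/")
    return host.lower(), ("/" + path) if sep else "/"


def parse_config(text: str) -> Dict[str, object]:
    """Validate the extractor JSON and normalise it into IOC sets."""
    cfg = json.loads(text)
    c2 = [split_c2(e) for e in cfg.get("C2 list", [])]
    if not c2:
        raise ValueError("config has no C2 entry")
    decoys = {d.lower().strip() for d in cfg.get("decoy", [])}
    # A decoy that is also the C2 would mask the real server; surface it.
    overlap = decoys & {h for h, _ in c2}
    return {"c2": c2, "decoys": decoys, "overlap": overlap}


def classify_host(host: str, iocs: Dict[str, object]) -> str:
    """Triage verdict for a host seen in proxy or DNS logs.

    'c2'      -> the configured server: block and hunt.
    'decoy'   -> traffic FormBook generates to disguise the C2. Decoys are
                 typically legitimate third-party domains, so blocking them
                 causes collateral damage; alert on the pattern (one client
                 touching many of them in a short window) instead.
    'unknown' -> not in this configuration.
    """
    host = host.lower()
    if host in {h for h, _ in iocs["c2"]}:
        return "c2"
    if host in iocs["decoys"]:
        return "decoy"
    return "unknown"


def suricata_rules(iocs: Dict[str, object], base_sid: int = 9000001) -> List[str]:
    """One Suricata rule per C2 entry, matching Host header and URI prefix.

    Only the real C2 becomes a blocking-grade rule, for the reason given in
    classify_host(); the decoys are left to correlation logic.
    """
    rules = []
    for n, (host, path) in enumerate(iocs["c2"]):
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"FormBook C2 check-in to {host}"; flow:established,to_server; '
            f'http.host; content:"{host}"; '
            f'http.uri; content:"{path}"; startswith; '
            f'classtype:trojan-activity; sid:{base_sid + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = parse_config(CONFIG_JSON)
    print("C2:", iocs["c2"])
    for r in suricata_rules(iocs):
        print(r)
    for h in ("www.sutsci.com", "egemv.com", "example.org"):
        print(h, "->", classify_host(h, iocs))
```

The ET Snort signatures in the Networking section fire on the shape of the check-in request and did so here against two different destinations, so they identify FormBook traffic but not which destination is the configured server; pairing them with the host and path from this configuration is what separates the real C2 from decoy noise.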

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.924326052.00000000042E0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.924326052.00000000042E0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.924326052.00000000042E0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.662640189.0000000003860000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.662640189.0000000003860000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
19 further memory-dump entries not shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x166a9:$sqlite3step: 68 34 1C 7B E1
        • 0x167bc:$sqlite3step: 68 34 1C 7B E1
        • 0x166d8:$sqlite3text: 68 38 2A 90 C5
        • 0x167fd:$sqlite3text: 68 38 2A 90 C5
        • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13 further unpacked-PE entries not shown.
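
The tables above list each rule's strings and the offsets at which they hit, but not the rules' conditions. The Python below is an added example, not from the report and not the work of either rule author (yara-signator / JPCERT/CC): it re-checks those hex strings with a plain byte scanner, reports offsets the way Yara's `@` does, and can emit them again as Yara rule text for the real tool; the threshold in rule_verdict() is the caller's choice, since neither author's "N of them" clause is shown here. The buffer it scans is constructed in the block and is not the sample's memory. Two decodings are worth knowing: `$sequence_0` is `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, the RDTSC delta check behind the report's "Tries to detect virtualization through RDTSC time measurements", and each JPCERT string is a `push imm32` whose identifier ties the constant to a sqlite3 function, i.e. the hashed import names used by the code that reads browser databases.

```python
"""Plain-Python re-check of the Yara strings listed in the tables above.

Added example, not from the report or from the rule authors. The hex strings
are copied from the report; rule conditions are not shown there, so
rule_verdict() takes the threshold as a parameter. build_sample_buffer() is
constructed test input, not the sample's memory.
"""
import re
from typing import Dict, List, Set

RULE_STRINGS: Dict[str, Dict[str, str]] = {
    "Formbook_1": {  # yara-signator, Felix Bilstein
        # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
        "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
        "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
        "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
        "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
        "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
        "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
        "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
        "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
        "$sequence_8": "3C 54 74 04 3C 74 75 F4",
        "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
    },
    "Formbook": {  # JPCERT/CC, "detect Formbook in memory"
        # each is 'push imm32'; names per the rule author
        "$sqlite3step": "68 34 1C 7B E1",
        "$sqlite3text": "68 38 2A 90 C5",
        "$sqlite3blob": "68 53 D8 7F 8C",
    },
}


def hex_to_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """All offsets of pattern in buf, overlapping ones included (Yara's @)."""
    probe = re.compile(b"(?=" + re.escape(pattern) + b")")
    return [m.start() for m in probe.finditer(buf)]


def scan(buf: bytes) -> Dict[str, Dict[str, List[int]]]:
    """rule -> identifier -> offsets, for every string of every rule."""
    return {
        rule: {ident: find_all(buf, hex_to_bytes(hx)) for ident, hx in strings.items()}
        for rule, strings in RULE_STRINGS.items()
    }


def matched_identifiers(result: Dict[str, Dict[str, List[int]]], rule: str) -> Set[str]:
    return {ident for ident, offs in result[rule].items() if offs}


def rule_verdict(result: Dict[str, Dict[str, List[int]]], rule: str, minimum: int) -> bool:
    """True when at least `minimum` distinct strings of `rule` were found.

    `minimum` is supplied by the caller; nothing here claims to reproduce
    either author's real condition clause.
    """
    return len(matched_identifiers(result, rule)) >= minimum


def to_yara(rule: str, condition: str = "all of them") -> str:
    """Emit a Yara rule carrying the report's strings, for use with yara."""
    body = "\n".join(
        f"        {ident} = {{ {hx} }}" for ident, hx in RULE_STRINGS[rule].items()
    )
    return (
        f"rule {rule}_from_report\n{{\n    strings:\n{body}\n"
        f"    condition:\n        {condition}\n}}"
    )


def build_sample_buffer() -> bytes:
    """Constructed input: filler with three report strings at known offsets."""
    s0 = hex_to_bytes(RULE_STRINGS["Formbook_1"]["$sequence_0"])
    step = hex_to_bytes(RULE_STRINGS["Formbook"]["$sqlite3step"])
    return b"".join([
        b"\x90" * 0x100,   # $sequence_0 lands at 0x100
        s0,
        b"\x00" * 0x10,    # second copy at 0x119 (0x100 + 9 + 0x10)
        s0,
        b"\xcc" * 0x20,    # $sqlite3step at 0x142
        step,
        b"\x00" * 8,
    ])


if __name__ == "__main__":
    res = scan(build_sample_buffer())
    for rule, hits in res.items():
        for ident, offs in hits.items():
            if offs:
                print(rule, ident, [hex(o) for o in offs])
    print(to_yara("Formbook_1", "7 of them"))
```

Run against a real memory dump (for instance the `.sdmp` regions named in the tables) the offsets returned by scan() can be compared with the ones the report prints, which is a quick way to confirm a dump was carved at the same base before spending time in a disassembler.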

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.924326052.00000000042E0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.sutsci.com/d8ak/"], "decoy": ["slingshots305.com", "egemv.com", "purplewrld.com", "thaipayakorn.com", "crontabcyber.com", "wolfalike.com", "tedstbrice.com", "bbwtrip.com", "clothestokidsri.com", "experienanidworks.com", "acuityhealthcare.xyz", "applepai.net", "happytownmayor.net", "xn--vltadvisors-2eb.com", "garbagegenius.com", "ndddxs.com", "accuratearrangements.com", "wraptecny.com", "torontomassage.club", "ifem-ci.com", "highestmargin.com", "rahsiaboya.com", "cafe2hk.com", "peakreia.com", "michelleurena.com", "teentera.com", "highendsmokeshops.com", "one-san.net", "marketplace-576268732.com", "thesiswritinghelpfvb.com", "35fengbei.com", "thewindsurfinggypsy.com", "magnoliaranchkennels.com", "scottkenan.com", "rasaenterprise.com", "sanidom.com", "boydyourvoice.com", "akasoutheastern.com", "neryder.com", "pharmpolis.online", "bainrix.com", "bonaldi-marbrerie.com", "onefitearth.com", "theharkapp.com", "geaux-la.com", "therestingspot.com", "soulfxjuice.com", "lakestateallstars.com", "cristofiam.com", "findersinvestigationsinc.com", "faithhonorsupport.com", "bw985.com", "crosschainconsulting.com", "credit-du-nord-connexion.net", "leedermeyer.com", "4157709022.com", "zyxoothgy.xyz", "hotel-met-hond.com", "hibiskurpiest.site", "zx776.com", "intothought.com", "jardin-rent.com", "zwtouzi.com", "santapaularotary.com"]}
Multi AV Scanner detection for submitted file
Source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Virustotal: Detection: 43%
Source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match | File source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.924326052.00000000042E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.662640189.0000000003860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.743665193.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.743690882.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.743119378.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.923052100.0000000002680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.659551308.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.924164143.00000000042B0000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Joe Sandbox ML: detected
Source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.37e0000.1.unpack | Avira: Label: TR/Patched.Gen
Source: 10.2.control.exe.4a27960.4.unpack | Avira: Label: TR/Patched.Gen
Source: 10.2.control.exe.26fa4c0.1.unpack | Avira: Label: TR/Patched.Gen
Source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: C:\xampp\htdocs\Cryptor\29ac7b4b858c4a8fa4d3adf2ae8478f9\Loader\pr1\Release\pr1.pdb | source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.709770988.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe, 00000000.00000003.658729775.00000000020C0000.00000004.00000001.sdmp, ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe, 00000001.00000002.744007158.0000000000ABF000.00000040.00000001.sdmp, control.exe, 0000000A.00000002.925139848.000000000460F000.00000040.00000001.sdmp
Source: Binary string: control.pdb | source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe, 00000001.00000002.744618720.0000000002A20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe, control.exe
Source: Binary string: control.pdbUGP | source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe, 00000001.00000002.744618720.0000000002A20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.709770988.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 0_2_004049F7 FindFirstFileExW
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 4x nop then pop esi | 1_2_00415831
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 4x nop then pop edi | 1_2_00416286
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 4x nop then pop ebx | 1_2_00406A9D
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 4x nop then pop edi | 1_2_0040C3C1
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi | 10_2_02696286
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop ebx | 10_2_02686A9D
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi | 10_2_0268C3C1
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop esi | 10_2_02695831

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 195.12.172.229:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 195.12.172.229:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 195.12.172.229:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49773 -> 172.67.176.89:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49773 -> 172.67.176.89:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49773 -> 172.67.176.89:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.sutsci.com/d8ak/
Source: Joe Sandbox View | IP Address: 160.153.136.3
Source: Joe Sandbox View | ASN Name: GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.666158910.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.686302103.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.924326052.00000000042E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.662640189.0000000003860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.743665193.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.743690882.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.743119378.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.923052100.0000000002680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.659551308.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.924164143.00000000042B0000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.924326052.00000000042E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.924326052.00000000042E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.662640189.0000000003860000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.662640189.0000000003860000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.743665193.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.743665193.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.743690882.0000000000900000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.743690882.0000000000900000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.743119378.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.743119378.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.923052100.0000000002680000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.923052100.0000000002680000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.659551308.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.659551308.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.924164143.00000000042B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.924164143.00000000042B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Executable has a suspicious name (potential lure to open the executable)Show sources
          Source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exeStatic file information: Suspicious name
          Initial sample is a PE file and has a suspicious nameShow sources
Source: initial sample | Static PE information: Filename: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_004181B0 NtCreateFile | 1_2_004181B0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00418260 NtReadFile | 1_2_00418260
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_004182E0 NtClose | 1_2_004182E0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00418390 NtAllocateVirtualMemory | 1_2_00418390
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_004181AD NtCreateFile | 1_2_004181AD
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00418202 NtCreateFile | 1_2_00418202
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_004182DA NtClose | 1_2_004182DA
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_0041838A NtAllocateVirtualMemory | 1_2_0041838A
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk | 1_2_00A098F0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk | 1_2_00A09860
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09840 NtDelayExecution,LdrInitializeThunk | 1_2_00A09840
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A099A0 NtCreateSection,LdrInitializeThunk | 1_2_00A099A0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk | 1_2_00A09910
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09A20 NtResumeThread,LdrInitializeThunk | 1_2_00A09A20
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk | 1_2_00A09A00
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09A50 NtCreateFile,LdrInitializeThunk | 1_2_00A09A50
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A095D0 NtClose,LdrInitializeThunk | 1_2_00A095D0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09540 NtReadFile,LdrInitializeThunk | 1_2_00A09540
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk | 1_2_00A096E0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk | 1_2_00A09660
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk | 1_2_00A097A0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09780 NtMapViewOfSection,LdrInitializeThunk | 1_2_00A09780
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09FE0 NtCreateMutant,LdrInitializeThunk | 1_2_00A09FE0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09710 NtQueryInformationToken,LdrInitializeThunk | 1_2_00A09710
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A098A0 NtWriteVirtualMemory | 1_2_00A098A0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09820 NtEnumerateKey | 1_2_00A09820
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A0B040 NtSuspendThread | 1_2_00A0B040
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A099D0 NtCreateProcessEx | 1_2_00A099D0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09950 NtQueueApcThread | 1_2_00A09950
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09A80 NtOpenDirectoryObject | 1_2_00A09A80
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09A10 NtQuerySection | 1_2_00A09A10
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A0A3B0 NtGetContextThread | 1_2_00A0A3B0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09B00 NtSetValueKey | 1_2_00A09B00
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A095F0 NtQueryInformationFile | 1_2_00A095F0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09520 NtWaitForSingleObject | 1_2_00A09520
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A0AD30 NtSetContextThread | 1_2_00A0AD30
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09560 NtWriteFile | 1_2_00A09560
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A096D0 NtCreateKey | 1_2_00A096D0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09610 NtEnumerateValueKey | 1_2_00A09610
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09670 NtQueryInformationProcess | 1_2_00A09670
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09650 NtQueryValueKey | 1_2_00A09650
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09730 NtQueryVirtualMemory | 1_2_00A09730
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A0A710 NtOpenProcessToken | 1_2_00A0A710
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09760 NtOpenProcess | 1_2_00A09760
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A09770 NtSetInformationFile | 1_2_00A09770
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A0A770 NtOpenThread | 1_2_00A0A770
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_1_004181B0 NtCreateFile | 1_1_004181B0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_1_00418260 NtReadFile | 1_1_00418260
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_1_004182E0 NtClose | 1_1_004182E0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559840 NtDelayExecution,LdrInitializeThunk | 10_2_04559840
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559860 NtQuerySystemInformation,LdrInitializeThunk | 10_2_04559860
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559540 NtReadFile,LdrInitializeThunk | 10_2_04559540
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559910 NtAdjustPrivilegesToken,LdrInitializeThunk | 10_2_04559910
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045595D0 NtClose,LdrInitializeThunk | 10_2_045595D0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045599A0 NtCreateSection,LdrInitializeThunk | 10_2_045599A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559650 NtQueryValueKey,LdrInitializeThunk | 10_2_04559650
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559A50 NtCreateFile,LdrInitializeThunk | 10_2_04559A50
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559660 NtAllocateVirtualMemory,LdrInitializeThunk | 10_2_04559660
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045596D0 NtCreateKey,LdrInitializeThunk | 10_2_045596D0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045596E0 NtFreeVirtualMemory,LdrInitializeThunk | 10_2_045596E0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559710 NtQueryInformationToken,LdrInitializeThunk | 10_2_04559710
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559FE0 NtCreateMutant,LdrInitializeThunk | 10_2_04559FE0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559780 NtMapViewOfSection,LdrInitializeThunk | 10_2_04559780
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0455B040 NtSuspendThread | 10_2_0455B040
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559820 NtEnumerateKey | 10_2_04559820
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045598F0 NtReadVirtualMemory | 10_2_045598F0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045598A0 NtWriteVirtualMemory | 10_2_045598A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559950 NtQueueApcThread | 10_2_04559950
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559560 NtWriteFile | 10_2_04559560
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0455AD30 NtSetContextThread | 10_2_0455AD30
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559520 NtWaitForSingleObject | 10_2_04559520
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045599D0 NtCreateProcessEx | 10_2_045599D0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045595F0 NtQueryInformationFile | 10_2_045595F0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559670 NtQueryInformationProcess | 10_2_04559670
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559610 NtEnumerateValueKey | 10_2_04559610
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559A10 NtQuerySection | 10_2_04559A10
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559A00 NtProtectVirtualMemory | 10_2_04559A00
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559A20 NtResumeThread | 10_2_04559A20
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559A80 NtOpenDirectoryObject | 10_2_04559A80
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559770 NtSetInformationFile | 10_2_04559770
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0455A770 NtOpenThread | 10_2_0455A770
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559760 NtOpenProcess | 10_2_04559760
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0455A710 NtOpenProcessToken | 10_2_0455A710
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559B00 NtSetValueKey | 10_2_04559B00
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04559730 NtQueryVirtualMemory | 10_2_04559730
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0455A3B0 NtGetContextThread | 10_2_0455A3B0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045597A0 NtUnmapViewOfSection | 10_2_045597A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_02698260 NtReadFile | 10_2_02698260
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_026982E0 NtClose | 10_2_026982E0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_02698390 NtAllocateVirtualMemory | 10_2_02698390
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_026981B0 NtCreateFile | 10_2_026981B0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_02698202 NtCreateFile | 10_2_02698202
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_026982DA NtClose | 10_2_026982DA
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0269838A NtAllocateVirtualMemory | 10_2_0269838A
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_026981AD NtCreateFile | 10_2_026981AD
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 0_2_0040A90D | 0_2_0040A90D
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00401030 | 1_2_00401030
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_0041BAB8 | 1_2_0041BAB8
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00408C4C | 1_2_00408C4C
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00408C50 | 1_2_00408C50
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_0041CCF8 | 1_2_0041CCF8
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_0041B493 | 1_2_0041B493
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00402D8D | 1_2_00402D8D
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00402D90 | 1_2_00402D90
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_0041BFC8 | 1_2_0041BFC8
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_0041C7E6 | 1_2_0041C7E6
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00402FB0 | 1_2_00402FB0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A920A8 | 1_2_00A920A8
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_009DB090 | 1_2_009DB090
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_009F20A0 | 1_2_009F20A0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A81002 | 1_2_00A81002
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_009CF900 | 1_2_009CF900
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_009E4120 | 1_2_009E4120
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A922AE | 1_2_00A922AE
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_009FEBB0 | 1_2_009FEBB0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A92B28 | 1_2_00A92B28
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_009D841F | 1_2_009D841F
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_009F2581 | 1_2_009F2581
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_009DD5E0 | 1_2_009DD5E0
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A92D07 | 1_2_00A92D07
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_009C0D20 | 1_2_009C0D20
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A91D55 | 1_2_00A91D55
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A92EF7 | 1_2_00A92EF7
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_009E6E30 | 1_2_009E6E30
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: 1_2_00A91FF1 | 1_2_00A91FF1
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0452841F | 10_2_0452841F
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045D1002 | 10_2_045D1002
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0452B090 | 10_2_0452B090
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045420A0 | 10_2_045420A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045E20A8 | 10_2_045E20A8
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045E1D55 | 10_2_045E1D55
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0451F900 | 10_2_0451F900
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045E2D07 | 10_2_045E2D07
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04510D20 | 10_2_04510D20
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04534120 | 10_2_04534120
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0452D5E0 | 10_2_0452D5E0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04542581 | 10_2_04542581
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_04536E30 | 10_2_04536E30
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045E2EF7 | 10_2_045E2EF7
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045E22AE | 10_2_045E22AE
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045E2B28 | 10_2_045E2B28
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045DDBD2 | 10_2_045DDBD2
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_045E1FF1 | 10_2_045E1FF1
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0454EBB0 | 10_2_0454EBB0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0269C7E6 | 10_2_0269C7E6
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_02682FB0 | 10_2_02682FB0
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_02688C4C | 10_2_02688C4C
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_02688C50 | 10_2_02688C50
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0269CCF8 | 10_2_0269CCF8
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_0269B493 | 10_2_0269B493
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_02682D8D | 10_2_02682D8D
Source: C:\Windows\SysWOW64\control.exe | Code function: 10_2_02682D90 | 10_2_02682D90
Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 0451B150 appears 35 times
Source: C:\Users\user\Desktop\ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Code function: String function: 009CB150 appears 35 times
Source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe, 00000000.00000003.654559036.00000000039B6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe
Source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe, 00000001.00000002.744631191.0000000002A25000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe
Source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe, 00000001.00000002.744182579.0000000000C4F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe
Source: ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe.3860000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.924326052.00000000042E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.924326052.00000000042E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.662640189.0000000003860000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.662640189.0000000003860000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.743665193.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.743665193.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.743690882.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE