Windows Analysis Report New_1007572_021.exe

Overview

General Information

Sample Name:	New_1007572_021.exe
Analysis ID:	458848
MD5:	41137fd61b9cc0d92225c91660a5902c
SHA1:	15d023fd6d344cb18243469a3ee01fea6bb189af
SHA256:	b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe

Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Found malware configuration

Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.domoexpra.club/cg53/"], "decoy": ["sugarlushcosmetic.com", "a2net.info", "ximakaya.com", "thevochick.com", "khafto.com", "zsgpbgsbh.icu", "psm-gen.com", "jhxhotei.com", "7991899.com", "nda.today", "fourseasonsvanlines.com", "splediferous.info", "thesqlgoth.com", "newpathequine.com", "advan.digital", "skamanderboats.com", "thejnit.com", "pardusarms.net", "mevasoluciones.com", "biggdogg5n2.com", "anogirl.com", "xinyisanreqi.com", "2mothertruckers.net", "phongvevic.com", "atmosphere.rent", "amabie-net.com", "stocksp24.com", "starseedbeing.com", "icreditmalaysia.com", "inochinokagayaki.net", "christianbooktrailer.com", "gidrot.com", "junglecli.com", "greenportcivic.com", "beyondparenting101.com", "tracisolomon.xyz", "healinghandssalem.com", "hackersincgolf.com", "goselling.solutions", "cumuluspharma.com", "ramblecollections.com", "mac-marine.com", "likeit21.com", "gdlejing.com", "si600.net", "greenhearthome.com", "tourps.com", "lvyi19.com", "frequent420.com", "goodteattirerebates.com", "melanie-gore.com", "comfsresidential.com", "vrgkk.com", "losmaestrosencarpinteria.com", "nikhitaindustries.com", "fresgolens.online", "xpj777.life", "zerkalo-mr-bit-casino.com", "thorsensgrinding.com", "ronniethemole.com", "poundlove.com", "joansv.com", "finneyplace.com", "dakotacntr.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Metadefender: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: New_1007572_021.exe

ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: New_1007572_021.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.New_1007572_021.exe.2d49d5c.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.New_1007572_021.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.New_1007572_021.exe.3bc9930.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: New_1007572_021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: New_1007572_021.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: FB_5E87.tmp.exe, 0000000A.00000002.823189585.00000000032C0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.765998733.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: FB_5E87.tmp.exe, 0000000A.00000002.822175695.00000000013F0000.00000040.00000001.sdmp, cscript.exe, 00000013.00000002.925842696.000000000498F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: FB_5E87.tmp.exe, 0000000A.00000002.822175695.00000000013F0000.00000040.00000001.sdmp, cscript.exe
Source:	Binary string: cscript.pdb source: FB_5E87.tmp.exe, 0000000A.00000002.823189585.00000000032C0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.765998733.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 4x nop then pop esi	10_2_0109727D
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 4x nop then pop edi	10_2_01097D7B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop esi	19_2_031C727D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop edi	19_2_031C7D7B

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.domoexpra.club/cg53/

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /cg53/?y48=RnXd-dV8&04VdoL_=jL4gYOGdbdGLgCuh81HWgUyhq6g08d9KQ1n+auYX12/KRBTZXwpphFOeP1KBAJVgFN6h HTTP/1.1Host: www.comfsresidential.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.comfsresidential.com

Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000B.00000000.785548112.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: New_1007572_021.exe, 00000000.00000002.738485693.00000000012F7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: New_1007572_021.exe, 00000000.00000002.738485693.00000000012F7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.come.comE
Source: New_1007572_021.exe, 00000000.00000002.738485693.00000000012F7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comiona
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: New_1007572_021.exe, 00000000.00000002.742817796.0000000005BA0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000000.774582280.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: New_1007572_021.exe, 00000000.00000002.737740321.00000000010B0000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109A100 NtAllocateVirtualMemory,	10_2_0109A100
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109A050 NtClose,	10_2_0109A050
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_01099F20 NtCreateFile,	10_2_01099F20
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_01099FD0 NtReadFile,	10_2_01099FD0
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109A04C NtClose,	10_2_0109A04C
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109A0FA NtAllocateVirtualMemory,	10_2_0109A0FA
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_01099F1A NtCreateFile,	10_2_01099F1A
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_01099FCA NtReadFile,	10_2_01099FCA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D95D0 NtClose,LdrInitializeThunk,	19_2_048D95D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9540 NtReadFile,LdrInitializeThunk,	19_2_048D9540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D96D0 NtCreateKey,LdrInitializeThunk,	19_2_048D96D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	19_2_048D96E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9650 NtQueryValueKey,LdrInitializeThunk,	19_2_048D9650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	19_2_048D9660
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9780 NtMapViewOfSection,LdrInitializeThunk,	19_2_048D9780
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9FE0 NtCreateMutant,LdrInitializeThunk,	19_2_048D9FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9710 NtQueryInformationToken,LdrInitializeThunk,	19_2_048D9710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9840 NtDelayExecution,LdrInitializeThunk,	19_2_048D9840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9860 NtQuerySystemInformation,LdrInitializeThunk,	19_2_048D9860
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D99A0 NtCreateSection,LdrInitializeThunk,	19_2_048D99A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	19_2_048D9910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9A50 NtCreateFile,LdrInitializeThunk,	19_2_048D9A50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D95F0 NtQueryInformationFile,	19_2_048D95F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9520 NtWaitForSingleObject,	19_2_048D9520
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048DAD30 NtSetContextThread,	19_2_048DAD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9560 NtWriteFile,	19_2_048D9560
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9610 NtEnumerateValueKey,	19_2_048D9610
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9670 NtQueryInformationProcess,	19_2_048D9670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D97A0 NtUnmapViewOfSection,	19_2_048D97A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048DA710 NtOpenProcessToken,	19_2_048DA710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9730 NtQueryVirtualMemory,	19_2_048D9730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9760 NtOpenProcess,	19_2_048D9760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048DA770 NtOpenThread,	19_2_048DA770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9770 NtSetInformationFile,	19_2_048D9770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D98A0 NtWriteVirtualMemory,	19_2_048D98A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D98F0 NtReadVirtualMemory,	19_2_048D98F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9820 NtEnumerateKey,	19_2_048D9820
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048DB040 NtSuspendThread,	19_2_048DB040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D99D0 NtCreateProcessEx,	19_2_048D99D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9950 NtQueueApcThread,	19_2_048D9950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9A80 NtOpenDirectoryObject,	19_2_048D9A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9A00 NtProtectVirtualMemory,	19_2_048D9A00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9A10 NtQuerySection,	19_2_048D9A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9A20 NtResumeThread,	19_2_048D9A20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048DA3B0 NtGetContextThread,	19_2_048DA3B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048D9B00 NtSetValueKey,	19_2_048D9B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CA100 NtAllocateVirtualMemory,	19_2_031CA100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CA050 NtClose,	19_2_031CA050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031C9F20 NtCreateFile,	19_2_031C9F20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031C9FD0 NtReadFile,	19_2_031C9FD0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CA04C NtClose,	19_2_031CA04C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CA0FA NtAllocateVirtualMemory,	19_2_031CA0FA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031C9F1A NtCreateFile,	19_2_031C9F1A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031C9FCA NtReadFile,	19_2_031C9FCA

Detected potential crypto function

Source: C:\Users\user\Desktop\New_1007572_021.exe	Code function: 0_2_0109E494	0_2_0109E494
Source: C:\Users\user\Desktop\New_1007572_021.exe	Code function: 0_2_0109F580	0_2_0109F580
Source: C:\Users\user\Desktop\New_1007572_021.exe	Code function: 0_2_0109F590	0_2_0109F590
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109D166	10_2_0109D166
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_01081030	10_2_01081030
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109E376	10_2_0109E376
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_01082D90	10_2_01082D90
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109D773	10_2_0109D773
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109BFA6	10_2_0109BFA6
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_01082FB0	10_2_01082FB0
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_01089E30	10_2_01089E30
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109E6D5	10_2_0109E6D5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048A841F	19_2_048A841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0495D466	19_2_0495D466
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048C2581	19_2_048C2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_049625DD	19_2_049625DD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048AD5E0	19_2_048AD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04962D07	19_2_04962D07
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04890D20	19_2_04890D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04961D55	19_2_04961D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04962EF7	19_2_04962EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0495D616	19_2_0495D616
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048B6E30	19_2_048B6E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04961FF1	19_2_04961FF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048AB090	19_2_048AB090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048C20A0	19_2_048C20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_049620A8	19_2_049620A8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_049628EC	19_2_049628EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04951002	19_2_04951002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0489F900	19_2_0489F900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048B4120	19_2_048B4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_049622AE	19_2_049622AE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048CEBB0	19_2_048CEBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_0495DBD2	19_2_0495DBD2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_04962B28	19_2_04962B28
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CE376	19_2_031CE376
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CD166	19_2_031CD166
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CD773	19_2_031CD773
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031B2FB0	19_2_031B2FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CBFA6	19_2_031CBFA6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031B9E30	19_2_031B9E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CE6D5	19_2_031CE6D5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031B2D90	19_2_031B2D90

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\cscript.exe

Code function: String function: 0489B150 appears 35 times

PE file contains strange resources

Source: FB_5908.tmp.exe.8.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

PE file does not import any functions

Source: FB_5908.tmp.exe.8.dr	Static PE information: No import functions for PE file found
Source: FB_5E87.tmp.exe.8.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: New_1007572_021.exe, 00000000.00000002.747317256.0000000007940000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYyezikludvdagjmvrozekhz.dll" vs New_1007572_021.exe
Source: New_1007572_021.exe, 00000000.00000002.746272769.0000000007420000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs New_1007572_021.exe
Source: New_1007572_021.exe, 00000000.00000002.738790533.0000000002C7C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs New_1007572_021.exe
Source: New_1007572_021.exe, 00000000.00000002.738790533.0000000002C7C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs New_1007572_021.exe
Source: New_1007572_021.exe, 00000000.00000002.737740321.00000000010B0000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs New_1007572_021.exe
Source: New_1007572_021.exe, 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBindStub.exe vs New_1007572_021.exe
Source: New_1007572_021.exe, 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameBindStub.exe vs New_1007572_021.exe
Source: New_1007572_021.exe, 00000008.00000002.743239571.0000000002FD0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs New_1007572_021.exe

Uses 32bit PE files

Source: New_1007572_021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New_1007572_021.exe.3eb8b30.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.0.FB_5E87.tmp.exe.1080000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.New_1007572_021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New_1007572_021.exe.3bc9930.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New_1007572_021.exe.3d7bea0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New_1007572_021.exe.3d06480.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.926228324.0000000004F0F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.925005416.0000000000278000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.821727953.0000000001081000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.821846658.00000000012B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.740535210.0000000000404000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.925127682.0000000000490000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.926114786.0000000004BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.821488799.0000000000E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.925530735.00000000031B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.739038576.0000000003BCD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.740219963.0000000001081000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.739831969.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.739343756.0000000003D06000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe, type: DROPPED	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: New_1007572_021.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: New_1007572_021.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FB_5E87.tmp.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: FB_5E87.tmp.exe.8.dr

Static PE information: Section .text

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@1/2

Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe

Code function: 8_2_00401000 FindResourceA,SizeofResource,LoadResource,LockResource,GetTempPathA,GetTempFileNameA,MoveFileExA,MoveFileExA,sprintf,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,FreeResource,MoveFileExA,ExitProcess,

8_2_00401000

Source: C:\Users\user\Desktop\New_1007572_021.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New_1007572_021.exe.log

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New_1007572_021.exe 'C:\Users\user\Desktop\New_1007572_021.exe'
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process created: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe C:\Users\user\AppData\Local\Temp\New_1007572_021.exe
Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	Process created: C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	Process created: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process created: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	Process created: C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	Process created: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe'	Jump to behavior

Source: New_1007572_021.exe, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs	.Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: New_1007572_021.exe.0.dr, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs	.Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.New_1007572_021.exe.800000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs	.Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.New_1007572_021.exe.800000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs	.Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.New_1007572_021.exe.b50000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs	.Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.2.New_1007572_021.exe.b50000.1.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs	.Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109D12C push eax; ret	10_2_0109D132
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_01097140 push edi; retf	10_2_01097160
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109D166 push dword ptr [CCC28DB9h]; ret	10_2_0109D772
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_01097814 push eax; retf	10_2_0109781A
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109784D push eax; retf	10_2_0109781A
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109D075 push eax; ret	10_2_0109D0C8
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109D0CB push eax; ret	10_2_0109D132
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109D0C2 push eax; ret	10_2_0109D0C8
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0108EDBC push edx; retf	10_2_0108EDBF
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109C443 push eax; iretd	10_2_0109C44B
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109E4EE push ds; iretd	10_2_0109E4EF
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Code function: 10_2_0109D773 push dword ptr [CCC28DB9h]; ret	10_2_0109D772
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_048ED0D1 push ecx; ret	19_2_048ED0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CD12C push eax; ret	19_2_031CD132
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031C7140 push edi; retf	19_2_031C7160
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CD166 push dword ptr [CCC28DB9h]; ret	19_2_031CD772
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031C7814 push eax; retf	19_2_031C781A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031C784D push eax; retf	19_2_031C781A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CD075 push eax; ret	19_2_031CD0C8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CD0CB push eax; ret	19_2_031CD132
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CD0C2 push eax; ret	19_2_031CD0C8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CD773 push dword ptr [CCC28DB9h]; ret	19_2_031CD772
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031BEDBC push edx; retf	19_2_031BEDBF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CC443 push eax; iretd	19_2_031CC44B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 19_2_031CE4EE push ds; iretd	19_2_031CE4EF

Source: initial sample	Static PE information: section name: .text entropy: 7.98710710749
Source: initial sample	Static PE information: section name: .text entropy: 7.98710710749
Source: initial sample	Static PE information: section name: .text entropy: 7.40373413401

Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	File created: C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\New_1007572_021.exe	File created: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	File created: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Jump to dropped file

Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	RDTSC instruction interceptor: First address: 00000000010898E4 second address: 00000000010898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	RDTSC instruction interceptor: First address: 0000000001089B4E second address: 0000000001089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000031B98E4 second address: 00000000031B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000031B9B4E second address: 00000000031B9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed

Source: explorer.exe, 0000000B.00000000.798630799.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000B.00000000.771534648.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.767000909.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.771534648.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.771670358.000000000A716000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 0000000B.00000000.760088803.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000B.00000000.798630799.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000B.00000000.771670358.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000B.00000000.798630799.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000B.00000000.771670358.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 0000000B.00000000.798630799.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\New_1007572_021.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\explorer.exe	Domain query: www.comfsresidential.com
Source: C:\Windows\explorer.exe	Network Connect: 185.53.178.50 80			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 3424	Jump to behavior

Source: C:\Users\user\Desktop\New_1007572_021.exe	Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 403000	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: 404000	Jump to behavior
Source: C:\Users\user\Desktop\New_1007572_021.exe	Memory written: C:\Users\user\AppData\Local\Temp\New_1007572_021.exe base: CAD008	Jump to behavior

Source: explorer.exe, 0000000B.00000000.745550579.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000B.00000000.784022003.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.925610456.0000000003460000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000B.00000000.784022003.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.925610456.0000000003460000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.784022003.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.925610456.0000000003460000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.784022003.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.925610456.0000000003460000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.771670358.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

ID:	458848
Product:	CloudBasic
Start time:	19:47:24
Start date:	03.08.2021
Sample:	New_1007572_021.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	41137fd61b9cc0d92225c91660a5902c
SHA1:	15d023fd6d344cb18243469a3ee01fea6bb189af
SHA256:	b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New_1007572_021.exe.log	ASCII text, with CRLF line terminators	3197B1D4714B56F2A6AC9E83761739AE	3B38010F0DF51C1D4D2C020138202DABB686741D	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
C:\Users\user\AppData\Local\Temp\FB_5908.tmp.exe	PE32 executable (GUI) Intel 80386, for MS Windows	74BAFB3E707C7B0C63938AC200F99C7F	10C5506337845ED9BF25C73D2506F9C15AB8E608	129450BA06AD589CF6846A455A5B6B5F55E164EE4906E409EB692AB465269689
C:\Users\user\AppData\Local\Temp\FB_5E87.tmp.exe	PE32 executable (GUI) Intel 80386, for MS Windows	48ECE2CA39A9EAE7FCED7418CF071D46	7570995CBF699088A8F208015CB2C92BE5BC837A	4119B29BC938578D5D243DB714D0619228D37C10CCAA52925F9E81A410720D59
C:\Users\user\AppData\Local\Temp\New_1007572_021.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	41137FD61B9CC0D92225C91660A5902C	15D023FD6D344CB18243469A3EE01FEA6BB189AF	B04306FA8223C20A1ABAAA6AEB5CABB2A83DC04337BEB2ACFD47784B34B682BC
C:\Users\user\AppData\Local\Temp\New_1007572_021.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report New_1007572_021.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs