Windows Analysis Report Nouveau bon de commande. 3007021_pdf.exe

Overview

General Information

Sample Name: Nouveau bon de commande. 3007021_pdf.exe
Analysis ID: 458861
MD5: e1d1316d5bc047ec817b950286734ed0
SHA1: ae3cb4a0103f8daa9ec8f6dc00b6bfeb3f1c52ca
SHA256: 6fd8c63bf53f7364e54505eb98e1b6fc005fbb691a65680e400e7b9104ad1795
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Nouveau bon de commande. 3007021_pdf.exe (PID: 3704 cmdline: 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe' MD5: E1D1316D5BC047EC817B950286734ED0)
    • Nouveau bon de commande. 3007021_pdf.exe (PID: 5028 cmdline: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe MD5: E1D1316D5BC047EC817B950286734ED0)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • WWAHost.exe (PID: 1380 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 4120 cmdline: /c del 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.trucktodock.com/ajs8/"], "decoy": ["lotfysupport.net", "tradingsentral.com", "mobiles240.com", "redecompre.com", "mulliganjames.com", "excursionlanzarote.com", "n1getaccess.com", "wirelessconsole.com", "thevez.net", "joygshpng.com", "arandawines.com", "eliassantis.net", "racevc.com", "mybluemonitor.com", "jual-penggugurkandungan.com", "connectgf.com", "nmpsolutions.com", "anipawesome.com", "vissito.com", "terracottagkp.com", "oemintra.com", "greensecuredeeparchive.com", "zhaoba17.com", "indiadesignstory.com", "handybusy.com", "fkldklfdklfddef.com", "winnadvisorsolutions.com", "signin-solution.com", "comericac.com", "tugqzcc.icu", "discountpty.com", "dhclanrs.com", "tetasdeoro.com", "qroyalrealestate.com", "beweirdbrand.com", "veganonthegreens.info", "paulsplumbingllc.com", "ontimedigitalagency.com", "meohaysucsong.club", "commandherofyou.com", "travelawardsguide.com", "shopvybz.com", "healthylivingawaits.com", "theassistedadrscheme.com", "iphonescreenprotect.com", "zhuqiuhui.space", "514rosemont.com", "labour-exchange.com", "sarahhubrealestate.com", "kcleases.com", "kupitoptom.com", "drayasvista.com", "esmo-2017.com", "jubmoprivacy.com", "heymayafilms.com", "beregnung-mv.com", "relishliferesearchcenter.com", "cchidwick.xyz", "thederbyshiresoapcompany.com", "poconohomeinspectors.com", "gregorymazzalaw.com", "ofaplatinumbonus.com", "laurenbarclay.com", "sickandwireless.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Nouveau bon de commande. 3007021_pdf.exe | Virustotal: Detection: 60%
Source: Nouveau bon de commande. 3007021_pdf.exe | Metadefender: Detection: 34%
Source: Nouveau bon de commande. 3007021_pdf.exe | ReversingLabs: Detection: 82%
Yara detected FormBook
Source: Yara match | File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Nouveau bon de commande. 3007021_pdf.exe | Joe Sandbox ML: detected
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Nouveau bon de commande. 3007021_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Nouveau bon de commande. 3007021_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WWAHost.pdb | source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.293934813.0000000001E20000.00000040.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP | source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.293934813.0000000001E20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.292665175.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe, 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.292665175.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 4x nop then pop edi | 2_2_004162C4
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop edi | 10_2_028962C4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 23.227.38.74:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 23.227.38.74:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 23.227.38.74:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.trucktodock.com/ajs8/
Source: global traffic | HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=xNYePOcIRg8tONHl062QEzR3pjdpSOb6qFMYs+u8dcNvqsBFMqM/aahx6CIdT83MIu1q HTTP/1.1 | Host: www.discountpty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ajs8/?3fBlVXm=hqPLwoezIU4RJkzOayN9OUqrFULw7U9SfOZePsq8F9HyGJJZCf9ZB5ZbUnjAkpqHeNor&q48d=HFQLptYpKX HTTP/1.1 | Host: www.shopvybz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=2BRIB0J+IU74eT9QrM34IgOLc6rvRxRggRQ5Dm44nGBTXrZyhrhiT7zmyDkAgt3Lv1f/ HTTP/1.1 | Host: www.handybusy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ajs8/?3fBlVXm=PXCQsRsj6f+UKLkz5iYmBV65DPKHBBScBAKRyWuZQRoQL6ffVXDgpay6Ct5U2sE+s5q9&q48d=HFQLptYpKX HTTP/1.1 | Host: www.theassistedadrscheme.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU+rw+m1MGLci6xLa4kNPPdUPj6aoKRsjeM/sCEy0PaNWwzv7jP2E4a8Zzb0ARTh HTTP/1.1 | Host: www.indiadesignstory.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ajs8/?q48d=HFQLptYpKX&3fBlVXm=3clrjbd8Uk1yhLkd6I01KEeFnSa+FczhmxXwmvBnovucnEmM2e32CtS7ZjKvb0koSvtC HTTP/1.1 | Host: www.trucktodock.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 23.227.38.74
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | DNS traffic detected: queries for: www.jual-penggugurkandungan.com
Source: explorer.exe, 00000003.00000000.263962235.000000000F6C4000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: WWAHost.exe, 0000000A.00000002.477885883.0000000003D32000.00000004.00000001.sdmp | String found in binary or memory: http://travelawardsguide.com/ajs8/?3fBlVXm=SVfnn/RS59BZjQOJq1nGaV1j1LxsdmH7K5f9UuJUxaq5YOiipJWffLZbL
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Nouveau bon de commande. 3007021_pdf.exe, 00000000.00000003.206509028.0000000000FAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnN
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.261347674.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: WWAHost.exe, 0000000A.00000002.477885883.0000000003D32000.00000004.00000001.sdmp | String found in binary or memory: https://www.indiadesignstory.com/ajs8/?q48d=HFQLptYpKX&3fBlVXm=LEjUMU

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Nouveau bon de commande. 3007021_pdf.exe
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_004181C0 NtCreateFile | 2_2_004181C0
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_00418270 NtReadFile | 2_2_00418270
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_004182F0 NtClose | 2_2_004182F0
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_004183A0 NtAllocateVirtualMemory | 2_2_004183A0
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041817B NtCreateFile | 2_2_0041817B
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_004181BA NtCreateFile | 2_2_004181BA
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041826B NtReadFile | 2_2_0041826B
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_004182EA NtClose | 2_2_004182EA
Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041839C NtAllocateVirtualMemory | 2_2_0041839C
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659710 NtQueryInformationToken,LdrInitializeThunk | 10_2_03659710
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659FE0 NtCreateMutant,LdrInitializeThunk | 10_2_03659FE0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659780 NtMapViewOfSection,LdrInitializeThunk | 10_2_03659780
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659660 NtAllocateVirtualMemory,LdrInitializeThunk | 10_2_03659660
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659650 NtQueryValueKey,LdrInitializeThunk | 10_2_03659650
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659A50 NtCreateFile,LdrInitializeThunk | 10_2_03659A50
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036596E0 NtFreeVirtualMemory,LdrInitializeThunk | 10_2_036596E0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036596D0 NtCreateKey,LdrInitializeThunk | 10_2_036596D0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659540 NtReadFile,LdrInitializeThunk | 10_2_03659540
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659910 NtAdjustPrivilegesToken,LdrInitializeThunk | 10_2_03659910
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036595D0 NtClose,LdrInitializeThunk | 10_2_036595D0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036599A0 NtCreateSection,LdrInitializeThunk | 10_2_036599A0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659860 NtQuerySystemInformation,LdrInitializeThunk | 10_2_03659860
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659840 NtDelayExecution,LdrInitializeThunk | 10_2_03659840
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659760 NtOpenProcess | 10_2_03659760
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659770 NtSetInformationFile | 10_2_03659770
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0365A770 NtOpenThread | 10_2_0365A770
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659730 NtQueryVirtualMemory | 10_2_03659730
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659B00 NtSetValueKey | 10_2_03659B00
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0365A710 NtOpenProcessToken | 10_2_0365A710
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036597A0 NtUnmapViewOfSection | 10_2_036597A0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0365A3B0 NtGetContextThread | 10_2_0365A3B0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659670 NtQueryInformationProcess | 10_2_03659670
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659A20 NtResumeThread | 10_2_03659A20
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659A00 NtProtectVirtualMemory | 10_2_03659A00
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659610 NtEnumerateValueKey | 10_2_03659610
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659A10 NtQuerySection | 10_2_03659A10
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659A80 NtOpenDirectoryObject | 10_2_03659A80
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659560 NtWriteFile | 10_2_03659560
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659950 NtQueueApcThread | 10_2_03659950
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659520 NtWaitForSingleObject | 10_2_03659520
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0365AD30 NtSetContextThread | 10_2_0365AD30
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036595F0 NtQueryInformationFile | 10_2_036595F0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036599D0 NtCreateProcessEx | 10_2_036599D0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0365B040 NtSuspendThread | 10_2_0365B040
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03659820 NtEnumerateKey | 10_2_03659820
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036598F0 NtReadVirtualMemory | 10_2_036598F0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036598A0 NtWriteVirtualMemory | 10_2_036598A0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_028982F0 NtClose | 10_2_028982F0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_02898270 NtReadFile | 10_2_02898270
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_028983A0 NtAllocateVirtualMemory | 10_2_028983A0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_028981C0 NtCreateFile | 10_2_028981C0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_028982EA NtClose,10_2_028982EA
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_0289826B NtReadFile,10_2_0289826B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_0289839C NtAllocateVirtualMemory,10_2_0289839C
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_028981BA NtCreateFile,10_2_028981BA
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_0289817B NtCreateFile,10_2_0289817B
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_00401030 | 2_2_00401030
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_004012FB | 2_2_004012FB
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041BB8C | 2_2_0041BB8C
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041CBB7 | 2_2_0041CBB7
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_00408C60 | 2_2_00408C60
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_00402D88 | 2_2_00402D88
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_00402D90 | 2_2_00402D90
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041B6EB | 2_2_0041B6EB
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_00402FB0 | 2_2_00402FB0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036E2B28 | 10_2_036E2B28
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036E1FF1 | 10_2_036E1FF1
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036DDBD2 | 10_2_036DDBD2
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0364EBB0 | 10_2_0364EBB0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03636E30 | 10_2_03636E30
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036E2EF7 | 10_2_036E2EF7
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036E22AE | 10_2_036E22AE
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036E1D55 | 10_2_036E1D55
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03610D20 | 10_2_03610D20
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03634120 | 10_2_03634120
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0361F900 | 10_2_0361F900
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036E2D07 | 10_2_036E2D07
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0362D5E0 | 10_2_0362D5E0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036E25DD | 10_2_036E25DD
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03642581 | 10_2_03642581
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036DD466 | 10_2_036DD466
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036D1002 | 10_2_036D1002
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0362841F | 10_2_0362841F
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036E28EC | 10_2_036E28EC
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036420A0 | 10_2_036420A0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_036E20A8 | 10_2_036E20A8
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0362B090 | 10_2_0362B090
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0289CBB7 | 10_2_0289CBB7
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0289B6EB | 10_2_0289B6EB
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_02882FB0 | 10_2_02882FB0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_02888C60 | 10_2_02888C60
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_02882D88 | 10_2_02882D88
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_02882D90 | 10_2_02882D90
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 0361B150 appears 35 times
          Source: Nouveau bon de commande. 3007021_pdf.exe, 00000000.00000000.201502923.00000000005E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTRACEENABLEIN.exe: vs Nouveau bon de commande. 3007021_pdf.exe
          Source: Nouveau bon de commande. 3007021_pdf.exe | Binary or memory string: OriginalFilename vs Nouveau bon de commande. 3007021_pdf.exe
          Source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.294055772.0000000001ED6000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWWAHost.exej% vs Nouveau bon de commande. 3007021_pdf.exe
          Source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.291591359.0000000000F92000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTRACEENABLEIN.exe: vs Nouveau bon de commande. 3007021_pdf.exe
          Source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.292904199.0000000001BDF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Nouveau bon de commande. 3007021_pdf.exe
          Source: Nouveau bon de commande. 3007021_pdf.exe | Binary or memory string: OriginalFilenameTRACEENABLEIN.exe: vs Nouveau bon de commande. 3007021_pdf.exe
          Source: Nouveau bon de commande. 3007021_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Nouveau bon de commande. 3007021_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.293883850.0000000001DF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.472762051.0000000002A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.472401230.0000000002880000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.291525514.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.472841788.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.292188314.0000000001660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Nouveau bon de commande. 3007021_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Nouveau bon de commande. 3007021_pdf.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@12/4
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nouveau bon de commande. 3007021_pdf.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_01
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Nouveau bon de commande. 3007021_pdf.exe | Virustotal: Detection: 60%
          Source: Nouveau bon de commande. 3007021_pdf.exe | Metadefender: Detection: 34%
          Source: Nouveau bon de commande. 3007021_pdf.exe | ReversingLabs: Detection: 82%
          Source: unknown | Process created: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe'
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Process created: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Nouveau bon de commande. 3007021_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Nouveau bon de commande. 3007021_pdf.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: Nouveau bon de commande. 3007021_pdf.exe | Static file information: File size 1327104 > 1048576
          Source: Nouveau bon de commande. 3007021_pdf.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x143600
          Source: Nouveau bon de commande. 3007021_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: WWAHost.pdb source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.293934813.0000000001E20000.00000040.00000001.sdmp
          Source: Binary string: WWAHost.pdbUGP source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.293934813.0000000001E20000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.292665175.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe, 0000000A.00000002.473940932.00000000035F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Nouveau bon de commande. 3007021_pdf.exe, 00000002.00000002.292665175.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041C9C6 push es; ret 2_2_0041C9C7
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041B3B5 push eax; ret 2_2_0041B408
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041B46C push eax; ret 2_2_0041B472
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041B402 push eax; ret 2_2_0041B408
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041B40B push eax; ret 2_2_0041B472
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Code function: 2_2_0041CF8E pushfd ; iretd 2_2_0041CF8F
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0366D0D1 push ecx; ret 10_2_0366D0E4
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0289B3B5 push eax; ret 10_2_0289B408
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0289C9C6 push es; ret 10_2_0289C9C7
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0289CF8E pushfd ; iretd 10_2_0289CF8F
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0289BF5B push cs; ret 10_2_0289BF61
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0289B40B push eax; ret 10_2_0289B472
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0289B402 push eax; ret 10_2_0289B408
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0289B46C push eax; ret 10_2_0289B472
          Source: initial sample | Static PE information: section name: .text entropy: 7.77818810762
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Nouveau bon de commande. 3007021_pdf.exe