Windows Analysis Report Shipping Doc.exe

Overview

General Information

Sample Name: Shipping Doc.exe
Analysis ID: 458885
MD5: 159d560ff64cdb2d130b1635f4123a49
SHA1: 5762036dd01f8a63ce29557c5c0464360500c7e6
SHA256: 065252f5ed5475c89d2bff7389554a4695a85900a7a75eb98170c6a372b33ea0
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Shipping Doc.exe (PID: 1932 cmdline: 'C:\Users\user\Desktop\Shipping Doc.exe' MD5: 159D560FF64CDB2D130B1635F4123A49)
    • Shipping Doc.exe (PID: 2148 cmdline: C:\Users\user\Desktop\Shipping Doc.exe MD5: 159D560FF64CDB2D130B1635F4123A49)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 2000 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 3984 cmdline: /c del 'C:\Users\user\Desktop\Shipping Doc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.shopjempress.com/amb6/"], "decoy": ["segurocars.com", "rylautosales.com", "xinglinjiankang.com", "dantil-brand.com", "sofaloffa.club", "coinclub2.com", "ez-pens.com", "gqtlqsw.com", "robotnewswire.com", "ktproductreviews.com", "merchbrander.com", "yesonamendmentb.com", "losgatoslimos.com", "kristincole.art", "metalmaids.online", "leftcoastmodels.com", "athetheist.com", "jblbusrtingsale.com", "chungcugiarehcm.com", "renblockchain.com", "bigdaddy.fish", "comproliverton.pro", "gzmove.com", "honeythymeherbfarm.com", "davinescosmetics.com", "9355693.com", "movinmemphis901.com", "patriotsrs.net", "dagelijkseschoenen.com", "a-want-ad.site", "theodbox.com", "audioky.net", "hopematthewsrealtor.com", "theonlinemoneymachine.com", "misakiti.com", "ad-yalong.com", "mikealazo.com", "marianoterra.com", "shivorja.com", "goodvibrationswindchimes.com", "pecom-deliverry.online", "amlexcel.com", "emeralddrumcompany.com", "dalipaella.com", "shopcamacci.com", "xucaiwujin.com", "bxs5000.com", "2en1institut.com", "zxzm47-wj.com", "builttek.com", "66400yy.com", "beegraze.com", "thedottedcat.com", "komsah.com", "4202nsacramentoav.info", "88q27.com", "toriengenharia.com", "briscoewelding.com", "brookelenzi.com", "tribaltrash.com", "bidtas.com", "shokhorror.com", "bodurm.com", "333.wiki"]}

Yara Overview

Memory Dumps

Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 4.2.Shipping Doc.exe.400000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 4.2.Shipping Doc.exe.400000.0.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 4.2.Shipping Doc.exe.400000.0.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C

Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Shipping Doc.exe, Virustotal: Detection: 50%
Source: Shipping Doc.exe, Metadefender: Detection: 31%
Source: Shipping Doc.exe, ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match, file source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Shipping Doc.exe, Joe Sandbox ML: detected
Source: 4.2.Shipping Doc.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Shipping Doc.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Shipping Doc.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP, source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb, source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4x nop then pop esi, 4_2_00417164
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4x nop then pop ebx, 4_2_00407AFB
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4x nop then pop edi, 4_2_00416C9C
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop ebx, 15_2_03207AFB
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop esi, 15_2_03217164
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop edi, 15_2_03216C9C

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.shopjempress.com/amb6/
Source: global traffic, HTTP traffic detected: GET /amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR HTTP/1.1 Host: www.bigdaddy.fish Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR HTTP/1.1 Host: www.davinescosmetics.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
Source: unknown, DNS traffic detected: queries for: www.bigdaddy.fish
Source: cscript.exe, 0000000F.00000002.483172630.0000000005E2F000.00000004.00000001.sdmp, String found in binary or memory: http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, file source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419E90 NtClose
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419D5B NtCreateFile
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419E8B NtClose
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419F3A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9560 NtWriteFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DB040 NtSuspendThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DA770 NtOpenThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9760 NtOpenProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A20 NtResumeThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A10 NtQuerySection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219F40 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219E10 NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219E90 NtClose
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219D60 NtCreateFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219F3A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219E8B NtClose
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219D5B NtCreateFile
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00401030
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00417164
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041E1B3
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041DAB4
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041D360
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00402D87
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00402D90
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00409E40
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00402FB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_05461D55
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_05390D20
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053B4120
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0539F900
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053AD5E0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053A841F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_05451002
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053AB090
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053CEBB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053B6E30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321DAB4
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03217164
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321E1B3
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03202FB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03209E40
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03202D87
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03202D90
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0539B150 appears 32 times
Source: Shipping Doc.exe, 00000002.00000000.210709159.00000000004B0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
Source: Shipping Doc.exe, 00000004.00000002.320202534.0000000000F90000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
Source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs Shipping Doc.exe
Source: Shipping Doc.exe, 00000004.00000002.320852896.0000000001C0F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Doc.exe
Source: Shipping Doc.exe | Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
Source: Shipping Doc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@2/2
Source: C:\Users\user\Desktop\Shipping Doc.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Doc.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
Source: Shipping Doc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shipping Doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Shipping Doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Shipping Doc.exe | Virustotal: Detection: 50%
Source: Shipping Doc.exe | Metadefender: Detection: 31%
Source: Shipping Doc.exe | ReversingLabs: Detection: 26%
Source: unknown | Process created: C:\Users\user\Desktop\Shipping Doc.exe 'C:\Users\user\Desktop\Shipping Doc.exe'
Source: C:\Users\user\Desktop\Shipping Doc.exe | Process created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Doc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Shipping Doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Shipping Doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
          Source: Binary string: cscript.pdb source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: Shipping Doc.exe | Static PE information: 0xAAC44811 [Thu Oct 14 14:37:05 2060 UTC]
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00414A19 push ebp; ret 4_2_00414A1C
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_004046A7 push edx; ret 4_2_004046AC
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041CEB5 push eax; ret 4_2_0041CF08
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041CF6C push eax; ret 4_2_0041CF72
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041CF02 push eax; ret 4_2_0041CF08
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041CF0B push eax; ret 4_2_0041CF72
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_004167BF push ecx; iretd 4_2_004167C4
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053ED0D1 push ecx; ret 15_2_053ED0E4
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03214A19 push ebp; ret 15_2_03214A1C
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321CF02 push eax; ret 15_2_0321CF08
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321CF0B push eax; ret 15_2_0321CF72
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321CF6C push eax; ret 15_2_0321CF72
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_032167BF push ecx; iretd 15_2_032167C4
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03214F99 pushfd ; retf 15_2_03214F9A
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_032046A7 push edx; ret 15_2_032046AC
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321CEB5 push eax; ret 15_2_0321CF08
Source: initial sample | Static PE information: section name: .text entropy: 7.2014231354
Source: Shipping Doc.exe, jtOONAqGyrOQ0u8Ixk/bpT4mwco1CD693b7CN.cs | High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'oPOobRO5Vf', 'xm0o4Sf5NR', 'iEhoUBHjQn', 'ijuoVsDDg2', 'MQ3opPNGI1', 'S3PoaRe2Zm', 'nWyo9cofXu'
Source: Shipping Doc.exe, RuGDW7WIWRL3vuqXmw/WrIPZ8OGPrQJVhLUng.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'rgxUTfEcE8', 'q8OZlL4Rke', 'x5iZK8bkZ8', 'G2oZhTFUiy', 'L68ZzSd862', 'V2KO3o6ooX', 'cAnOXHn0FW', 'wSEOMWMK2K'
Source: Shipping Doc.exe, hasvvCPjjpwAYaryty/EfFkrBZD9T3RSksP6r.cs | High entropy of concatenated method names: 'Rj7pMjk0RG', 'yxxppukx53', '.ctor', 'uJxMm4pXjR', 'k9lMjtoI45', 'wSjM2XIjCC', 'gO5MrDyTRD', 'KrXMRRV4g5', 'uydM6uLlM6', 'YGpMTXkEhk'
Source: Shipping Doc.exe, QSqf1GDneX5foweMTs/gdXQIRHg06sMXH3Uxd.cs | High entropy of concatenated method names: '.ctor', 'OFPUt83v9K', 'Dispose', 'mCOUJCTXYL', 'upBUseu0pH', 'HIXUhn1Ejd', 'I30U81QHfg', 'StGUGWc16P', 'X1iUOqmHqd', 'Ka0ZQEPwNI'
Source: Shipping Doc.exe, VfaCLA2tkrd397ihoB/buZV27SgYVJ8wKY7Z0.cs | High entropy of concatenated method names: 'CMppZjWBMw', 'WSepPM9SAb', 'BJApjvbu0I', 'ReYpSqXGYT', 'hp3prsATrN', 'N3op30XIBP', 'YUZpyoUrkn', 'EV6p6ZDRrC', 'S0OpzLwnNq', 'uvNabGVwIQ'
Source: Shipping Doc.exe, UNAPpRk5a6XMif56PN/tbtYLjiE15X0m3NrV3.cs | High entropy of concatenated method names: 'DownJlYGxJ', 'xuxnPXJrTV', 'w3mnbXLFql', 'fTqnDGgSIY', 'eINnmEc12d', 'nKXnd3ROy7', 'awc4e3Q42f', 'BhB4klsGCM', 'g6x4c5BQkZ', '.ctor'
Source: Shipping Doc.exe, UiJUy4BuRoHLOAKf06/xXY9csuTjhbcI1BP2L.cs | High entropy of concatenated method names: '.ctor', 'Save', 'HAK5f06my', 'Load', 'HD3dcOlu8', 'L3tKrC2Wr', 'IdyxYvcVc', 'UiJGtlVLwBaQxjgBF6', 'PIkx4Wf1QZgiV6aU4i', 'Dmh9sciVAETbBXxfFa'
Source: Shipping Doc.exe, UOdyYvecVcmermsDhZ/RyGD3cgOlu803trC2W.cs | High entropy of concatenated method names: '.ctor', 'RHvjJZq4E', 'p2nSuK03D', 'vRg006sMX', 'za8rj6Xgs', 'lcY3ZFXvZ', 'SuJyVgV3w', 'K5l6Xpqre', 'aboznP1OR', 'wKa4b4MTS2'
Source: Shipping Doc.exe, lfBAw24wG7RaGl4BUSW/LdIBF34ft0aEOrSOpS7.cs | High entropy of concatenated method names: 'Dispose', 'ab0nKv0rYl', 'QfAnxS7FmM', 'KPJntrwakq', 'hrtnJqte2T', 'get_MinimumSize', 'set_MinimumSize', 'zaruECCxke', 'AUkuQwTOtd', 'kmkuL8FL2C'
Source: Shipping Doc.exe, xP7XZx4KUcy0rZpMq7p/C89e434dqTXWooX6OT2.cs | High entropy of concatenated method names: 'e0riOZyeQf', 'PdXiWMlD76', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: Shipping Doc.exe, wUV9j84txMqsOMB0RNC/O8br1u4x3ZTxpBM3GKp.cs | High entropy of concatenated method names: '.ctor', 'MStqzWqX98', 'Bbn63OwGFH', 'BinijXg983', 'zWEiSMBU7I', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: Shipping Doc.exe, m90oD71ZT6Wr9cSLC3/BCGZxMFmXU9h9JKBRA.cs | High entropy of concatenated method names: '.ctor', 'd4MMkZMC3a', 'jwDMcNsXnd', 'Gp5MqvWKfg', 'SyIMHvh4nd', 'hUNMDI3IfP', 'mDWuCAUyBYn6ulPCLkn', 'glMALsU9egpF9gq6VvY', 'BPhg4AU0cm0xPgAcOUP', 'A1LpkmUKxjoeRJhgj5v'
Source: Shipping Doc.exe, sKgaUY4su4YTKa6GuYl/zgNK5N4JjGAZFgAu99M.cs | High entropy of concatenated method names: '.ctor', 'UbQkbXvRlm', 'IODk4e1Qh2', 'csBkUTL3tc', 'khokVDYHrG', 'Gl8i6EIG8s', 'qyCiTn1nPR', 'FE7iz1aZDQ', 'gcBwMrofCMqEqIdiR6L', 'i3QNTaoieNlxFPGbQ4d'
Source: Shipping Doc.exe, I156H44Dv8rnIOySGfK/hltbY94HHwR3afLhEhf.cs | High entropy of concatenated method names: '.ctor', 'aLPlf5n4CH', 'tIqlwf7H6m', 'tZJlo0KBRb', 'cpflU40tFN', 'wk5lV1CuJF', 'kyhlMnlNeC', 'xLolpUglD3', 'N0WlaMcuXO', 'XbElCFHsrk'
Source: Shipping Doc.exe, iTAtM84qSuFr2hs51c1/llm9gs4ch4IcMcmGnvJ.cs | High entropy of concatenated method names: 'FIv9ZZdDqG', 'gQI9PDLDlN', 'q2H9mKTBvh', 'uM89jAIc2y', 'zL49SlfPPi', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: Shipping Doc.exe, aiLmWw4VnJDnSPTNJVN/XYryxx4U6BmknteXNOa.cs | High entropy of concatenated method names: '.ctor', 'ukj9woe4c6', 'Dfu9EiQsTa', 'NuW9A6sETI', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'MmH4btFKnt5dqxSDm2G', 'hZ9OUfFVGF3Eyyj8DxB'
Source: Shipping Doc.exe, BLop0K4E7l9d1bylJUy/zJBh6F4IacA7iyEpXZO.cs | High entropy of concatenated method names: 'L5eBi4Qigv', 'ixEBkeoTbq', 'FFgBo4KGaE', 'BSVBUenW6x', 'agMBMj6JFC', 'G76Bp97jPo', 'NEABaXP8gi', 'mb7BCbn9q3', 'oorB9rEwKt', 'zx5BYqnub6'
Source: Shipping Doc.exe, vNeJVt4AWwbHEvjgGer/LdlLQ14Qf610ZIAPrJw.cs | High entropy of concatenated method names: '.ctor', 'QppedwFCcs', 'qd6eKe7iLK', 'GI4etXfotQ', 'wxEeJ5n5Hk', 'get_Multiline', 'set_Multiline', 'fOLB0NPOGK', 'okIBFsEdfE', 'A7HB1qoYTX'
Source: Shipping Doc.exe, nKYoUB4oxKLGj4jvd63/aLgWyc44ofXur00lLx1.cs | High entropy of concatenated method names: 'VsAaQxSlAF', 'D09aAvsZj4', 'LmhaRSl8M', 'okva5IYOyq', 'HKUad6KvCc', 'CAuaKRAFBD', 'J6paxwfEfU', 'iLlatruy0f', 'YF3aJVd6Ly', 'dX9aspur2U'

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE3
Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Deskto