

Windows Analysis Report: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe

Overview

General Information

Sample Name: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Analysis ID: 483527
MD5: e29285288905ebb27d9e4443bcaa6638
SHA1: 3c656f9257b7630e47f57d1326bceafb7481ab29
SHA256: 7027a232f8327a532a1b37586cd42ea73ea0b9c37b1b22334484888f0b13b6b6

Detection

Detection: FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Creates processes with suspicious names
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)


Process Tree

  • System is w10x64
  • Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe (PID: 3176 cmdline: 'C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe' MD5: E29285288905EBB27D9E4443BCAA6638)
    • Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe (PID: 4180 cmdline: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe MD5: E29285288905EBB27D9E4443BCAA6638)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 1392 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • raserver.exe (PID: 3652 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 912 cmdline: /c del 'C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
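The tree above is the behaviour a process-creation log would show on a victim host: explorer.exe (the injection target) starts SysWOW64 binaries with no arguments (autoconv.exe, raserver.exe), and the hollowed raserver.exe then runs cmd.exe /c del against the original sample, which is the "Self deletion via cmd delete" signature. Note also that PID 1392 appears twice in the tree (autoconv.exe and, later, conhost.exe): Windows reuses PIDs, so a parent lookup has to be ordered by creation time. The following Python is an added example written for this page, not Joe Sandbox code. The events are constructed from the tree above; the launcher PID 1000 for the first process and the cmd.exe image path C:\Windows\SysWOW64\cmd.exe are assumptions (the report gives only the cmdline), and the explorer.exe -> sample edge is kept as the report draws it even though a real log would show explorer.exe started by userinit.

```python
"""Rebuild a process tree from creation events and flag the two behaviours the report's tree
shows. Added example written for this page; not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ProcEvent:
    seq: int      # creation order; required because PIDs are reused (PID 1392 appears twice above)
    pid: int
    ppid: int
    image: str
    cmdline: str

SAMPLE = r"C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe"

# Constructed events modelled on the report's process tree. PID 1000 (launcher) and the
# cmd.exe image path are assumptions; all other PIDs, images and cmdlines are from the page.
EVENTS: List[ProcEvent] = [
    ProcEvent(1, 3176, 1000, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(2, 4180, 3176, SAMPLE, SAMPLE),
    ProcEvent(3, 3388, 4180, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4, 1392, 3388, r"C:\Windows\SysWOW64\autoconv.exe", r"C:\Windows\SysWOW64\autoconv.exe"),
    ProcEvent(5, 3652, 3388, r"C:\Windows\SysWOW64\raserver.exe", r"C:\Windows\SysWOW64\raserver.exe"),
    ProcEvent(6, 912, 3652, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),
    ProcEvent(7, 1392, 912, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def lookup(events: List[ProcEvent], pid: int, before_seq: int) -> Optional[ProcEvent]:
    """Most recent creation event for pid that happened before before_seq.
    Ordering by seq is what makes PID reuse safe: for PID 1392 seen from conhost's
    child position we get conhost, not the earlier autoconv.exe."""
    cands = [e for e in events if e.pid == pid and e.seq < before_seq]
    return max(cands, key=lambda e: e.seq) if cands else None

def ancestors(events: List[ProcEvent], ev: ProcEvent) -> List[ProcEvent]:
    """Parent chain of ev, nearest parent first, stopping at the first unknown PPID."""
    chain, cur = [], ev
    while (parent := lookup(events, cur.ppid, cur.seq)) is not None:
        chain.append(parent)
        cur = parent
    return chain

# '/c del <path>' with or without surrounding quotes
DEL_RE = re.compile(r"\bdel\s+['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)

def find_self_delete(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """cmd.exe deleting a file whose basename matches the image of a process in its own
    ancestry: the sample is removed by a descendant after the code has moved elsewhere."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        if basename(ev.image) != "cmd.exe":
            continue
        m = DEL_RE.search(ev.cmdline)
        if not m:
            continue
        target = m.group(1)
        chain = ancestors(events, ev)
        if any(basename(a.image) == basename(target) for a in chain):
            hits.append({"pid": ev.pid, "deleted": target, "chain": [basename(a.image) for a in chain]})
    return hits

def find_explorer_syswow64_children(events: List[ProcEvent]) -> List[int]:
    """explorer.exe starting a SysWOW64 binary whose cmdline is just the image path:
    the pattern behind the autoconv.exe / raserver.exe pair in the tree above."""
    out: List[int] = []
    for ev in events:
        parent = lookup(events, ev.ppid, ev.seq)
        if (parent is not None and basename(parent.image) == "explorer.exe"
                and "\\syswow64\\" in ev.image.lower()
                and ev.cmdline.strip().strip("'\"").lower() == ev.image.lower()):
            out.append(ev.pid)
    return out

if __name__ == "__main__":
    print("explorer.exe -> SysWOW64 children:", find_explorer_syswow64_children(EVENTS))
    for hit in find_self_delete(EVENTS):
        print("self-delete by PID", hit["pid"], "via", " <- ".join(hit["chain"]))
```

On a real host the same logic runs over Sysmon Event ID 1 (which carries ProcessGuid and ParentProcessGuid and so sidesteps PID reuse entirely) or Security Event ID 4688; the seq-ordered lookup is only needed when the log carries bare PIDs.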

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fasilitatortoefl.com/uytf/"], "decoy": ["estherestates.online", "babyballetwigan.com", "ignorantrough.xyz", "moominmamalog.com", "pasticcerialemmi.com", "orangstyle.com", "oldwaterfordfarm.com", "aiiqiuwnsas.com", "youindependents.com", "runbank.net", "phytolipshine.com", "almedmedicalcenter.com", "czxzsa.com", "yummyblockparty.com", "gadgetinfo.info", "cloudfolderplayer.com", "chowding.com", "xn--tarzmbu-ufb.com", "danielaasab.com", "dreampropertiesluxury.com", "itsready.support", "freepoeople.com", "richesosity.online", "covidbrainfogsyndrome.com", "hide.osaka", "fitotec.net", "cdfdwj.com", "vjr.realestate", "knowit.today", "sellhomefastinorlando.com", "permacademy.net", "andhraadvocates.com", "rochainrevsry.xyz", "casino-virtuali.net", "liptondesignstudio.xyz", "keyinternationals.com", "gamifibase.com", "atjehtimur.com", "hobonickelsvillarrubia.com", "johnharrisagent.com", "preabsorb.xyz", "likevietsub38.com", "getrichandsavetheworld.com", "livelife2dance.com", "juesparza.com", "buffalocreekdesign.com", "diegos.xyz", "covidforensicaudit.com", "popitperu.com", "gczvahqeg.site", "aspireship.tech", "freedomforfarmedrabbits.online", "pasalsacongress.com", "custommetalimagery.photography", "managementcoachinginc.com", "hxysjkj.com", "trusticoin.biz", "wireconnectaz.tech", "yoiseikatsu.net", "slggroups.com", "curiousmug.com", "svetarielt.site", "nongormart.com", "btt5204.com"]}

Yara Overview

Memory Dumps

Source / Rule / Description / Author / Strings
Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further memory-dump entries not shown)

      Unpacked PEs

Source / Rule / Description / Author / Strings
Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)
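Two of the byte patterns above are worth reading rather than just matching. The JPCERT/CC strings are all `68 xx xx xx xx`, i.e. `push imm32`: FormBook does not import sqlite3_step, sqlite3_column_text and sqlite3_column_blob by name but resolves them by a hash, and the rule keys on the hash constants being pushed (0xE17B1C34, 0xC5902A38, 0x8C7FD853 after little-endian decoding). The yara-signator `$sequence_0` (`03 C8 0F 31 2B C1 89 45 FC`) decodes to `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, which is the RDTSC timing stub behind the "Tries to detect virtualization through RDTSC time measurements" signature. The Python below is an added example written for this page, not Joe Sandbox, JPCERT/CC or yara-signator code: it scans a dump for these exact strings, prints matches in the report's own `0xOFFSET:$name: BYTES` style, and decodes the push immediates. The rule condition it applies (all three sqlite3 pushes present) is an assumption, since the page quotes only the strings, and the dump it scans is a constructed buffer.

```python
"""Scan a memory dump for the byte patterns the Yara rules above key on.
Added example written for this page; not Joe Sandbox, JPCERT/CC or yara-signator code."""
import struct
from typing import Dict, List

# Hex strings copied from the rule matches listed in the report.
PATTERNS: Dict[str, bytes] = {
    # JPCERT/CC "Formbook": push imm32 of the hashes FormBook resolves sqlite3 APIs by
    "$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
    # yara-signator $sequence_0: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
}
SQLITE3_NAMES = ("$sqlite3step", "$sqlite3text", "$sqlite3blob")

def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in buf, overlapping matches included."""
    hits, start = [], 0
    while (idx := buf.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits

def scan_dump(buf: bytes) -> Dict[str, List[int]]:
    """Map each pattern name to the offsets where it occurs in the dump."""
    return {name: find_all(buf, pat) for name, pat in PATTERNS.items()}

def push_immediate(seq: bytes) -> int:
    """Decode a 5-byte 'push imm32' (opcode 0x68) and return the little-endian immediate,
    i.e. the API hash the loader compares against at run time."""
    if len(seq) != 5 or seq[0] != 0x68:
        raise ValueError("not a push imm32 instruction")
    return struct.unpack("<I", seq[1:])[0]

def matches_formbook(hits: Dict[str, List[int]]) -> bool:
    """Assumed rule condition (the real JPCERT/CC condition is not quoted on the page):
    all three hashed sqlite3 API pushes present in the dump."""
    return all(hits.get(name) for name in SQLITE3_NAMES)

def report(buf: bytes) -> List[str]:
    """Match lines in the report's own '0xOFFSET:$name: BYTES' style."""
    lines = []
    for name, offsets in scan_dump(buf).items():
        for off in offsets:
            lines.append(f"0x{off:x}:{name}: {PATTERNS[name].hex(' ').upper()}")
    return lines

def build_constructed_dump() -> bytes:
    """Constructed test buffer: 0x100 zero bytes between each planted pattern, so the
    expected offsets are 0x100, 0x205, 0x30a, 0x40f and 0x514."""
    gap = bytes(0x100)
    return (gap + PATTERNS["$sqlite3step"] + gap + PATTERNS["$sqlite3text"]
            + gap + PATTERNS["$sqlite3blob"] + gap + PATTERNS["$sqlite3step"]
            + gap + PATTERNS["$sequence_0"])

if __name__ == "__main__":
    dump = build_constructed_dump()
    for line in report(dump):
        print(line)
    for name in SQLITE3_NAMES:
        print(f"{name} -> hash 0x{push_immediate(PATTERNS[name]):08X}")
    print("FormBook:", matches_formbook(scan_dump(dump)))
```

The same scan over a real `.sdmp` from the report (read the file as bytes and pass it to `report`) should reproduce the offset pairs listed above, such as 0x16ad9 and 0x16bec for `$sqlite3step`; two hits per hash is expected because the unpacked payload carries the resolver stub twice.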

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (the configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, VirusTotal: Detection: 28%
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, ReversingLabs: Detection: 57%
Yara detected FormBook
Source: Yara match, file source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, Joe Sandbox ML: detected
Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP, source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.302407881.0000000001390000.00000040.00000001.sdmp, raserver.exe, 00000013.00000002.477861762.000000000484F000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdb, source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.301852623.0000000000F59000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb, source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.302407881.0000000001390000.00000040.00000001.sdmp, raserver.exe
Source: Binary string: RAServer.pdbGCTL, source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000005.00000002.301852623.0000000000F59000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\HJmNUXoTNN\src\obj\Debug\SerializationHeaderReco.pdb, source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, Code function: 4x nop then pop ebx (5_2_00406AAD)
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop ebx (19_2_00706AAD)

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49784 -> 198.54.117.211:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49784 -> 198.54.117.211:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49784 -> 198.54.117.211:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.yummyblockparty.com
Source: C:\Windows\explorer.exe, Domain query: www.fitotec.net
Source: C:\Windows\explorer.exe, Domain query: www.johnharrisagent.com
Source: C:\Windows\explorer.exe, Domain query: www.btt5204.com
Source: C:\Windows\explorer.exe, Network Connect: 52.71.133.130 80
Source: C:\Windows\explorer.exe, Domain query: www.hide.osaka
Source: C:\Windows\explorer.exe, Network Connect: 198.54.117.211 80
Source: C:\Windows\explorer.exe, Network Connect: 103.15.104.66 80
Source: C:\Windows\explorer.exe, Network Connect: 198.54.117.215 80
Source: C:\Windows\explorer.exe, Domain query: www.itsready.support
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.fasilitatortoefl.com/uytf/
Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View, ASN Name: GIGABIT-MYGigabitHostingSdnBhdMY
Source: global traffic, HTTP traffic detected: GET /uytf/?4hax=Z6tv0ZGri8uWurB8AUDeWgq8Hn78EURDlDEEMIHUNMQGUG9NVGnXX5+ZYyjQXpOA0JMU&6lE=xT6Pc HTTP/1.1 | Host: www.yummyblockparty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic, HTTP traffic detected: GET /uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7DtpN0+eCTBT&6lE=xT6Pc HTTP/1.1 | Host: www.johnharrisagent.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic, HTTP traffic detected: GET /uytf/?4hax=Lw8pQUl/qe2gQHW8JEklnfX9vlL4ErZAhlphDfsrttl8uYXfrtRE5waSCzthMEOsFHNR&6lE=xT6Pc HTTP/1.1 | Host: www.itsready.support | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic, HTTP traffic detected: GET /uytf/?4hax=0R01lDMz+xXIWoinSyO5qQyNMJHeVacFioz47MHPNe7DMd9wx+TtySfTu0uIVXra7tyR&6lE=xT6Pc HTTP/1.1 | Host: www.btt5204.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: Joe Sandbox View, IP Address: 52.71.133.130
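The four GET requests above are the FormBook check-in shape that the ET Snort rules fire on: the path is the one from the extracted configuration (/uytf/), the query carries two short keys (4hax, 6lE) with a long opaque first value, there is no User-Agent, the connection is closed after one request, and the Host is one of the "decoy" domains from the configuration rather than the real C2 (www.fasilitatortoefl.com). FormBook cycles through the decoy list to bury the genuine beacon in plausible-looking traffic, so the decoys are useful for spotting the pattern but must not be blocklisted as C2. The Python below is an added example written for this page; it is not Joe Sandbox code and not the Emerging Threats rules. It parses raw requests and scores them against a subset of the configuration quoted above. The requests it runs on are constructed: the first is the yummyblockparty.com request from the report, the second reuses that query string against the configured C2 host (the page shows no request to the real C2), and the third is an ordinary browser-style GET for contrast.

```python
"""Flag FormBook-style check-ins in raw HTTP requests using the indicators this report
exposes. Added example written for this page; not Joe Sandbox code and not the ET Snort rules."""
from typing import Dict, List, Set, Tuple

# Subset of the configuration extracted above: the one real C2 and four of the decoys.
CONFIG = {
    "C2 list": ["www.fasilitatortoefl.com/uytf/"],
    "decoy": ["yummyblockparty.com", "johnharrisagent.com", "itsready.support", "btt5204.com"],
}

# Constructed requests (see lead-in). The query string is the one from the report.
QUERY = "4hax=Z6tv0ZGri8uWurB8AUDeWgq8Hn78EURDlDEEMIHUNMQGUG9NVGnXX5+ZYyjQXpOA0JMU&6lE=xT6Pc"
SAMPLE_REQUESTS = {
    "decoy": f"GET /uytf/?{QUERY} HTTP/1.1\r\nHost: www.yummyblockparty.com\r\nConnection: close\r\n\r\n",
    "c2": f"GET /uytf/?{QUERY} HTTP/1.1\r\nHost: www.fasilitatortoefl.com\r\nConnection: close\r\n\r\n",
    "benign": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
}

def _norm_host(host: str) -> str:
    """Lower-case, drop a port and a leading 'www.' so Host values match the config entries."""
    host = host.strip().lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host

def parse_request(raw: str) -> Dict[str, object]:
    """Minimal HTTP/1.x request parser: request line, raw query pairs, lower-cased headers.
    The query is split by hand so '+' and '/' in the opaque value stay as sent."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln]
    method, target, version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    params: List[Tuple[str, str]] = []
    for kv in query.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            params.append((key, value))
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "version": version, "path": path, "params": params, "headers": headers}

def _c2_hosts_and_paths() -> Tuple[Set[str], Set[str]]:
    hosts, paths = set(), set()
    for entry in CONFIG["C2 list"]:
        host, _, path = entry.partition("/")
        hosts.add(_norm_host(host))
        paths.add("/" + path)
    return hosts, paths

def assess(raw: str) -> Dict[str, object]:
    """Score one request. 'suspicious' requires the configured path plus a missing User-Agent,
    or any three indicators; 'host_role' says whether Host is the real C2, a decoy, or unknown."""
    req = parse_request(raw)
    headers: Dict[str, str] = req["headers"]  # type: ignore[assignment]
    params: List[Tuple[str, str]] = req["params"]  # type: ignore[assignment]
    c2_hosts, c2_paths = _c2_hosts_and_paths()
    host = _norm_host(headers.get("host", ""))
    reasons: List[str] = []
    if req["path"] in c2_paths:
        reasons.append("path matches configured C2 path")
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if len(params) == 2 and all(len(k) <= 4 for k, _ in params) and len(params[0][1]) >= 40:
        reasons.append("two short query keys with a long opaque first value")
    if host in c2_hosts:
        role = "configured C2"
    elif host in {_norm_host(d) for d in CONFIG["decoy"]}:
        role = "decoy"
    else:
        role = "unknown"
    strong = {"path matches configured C2 path", "no User-Agent header"}.issubset(reasons)
    return {"host": host, "host_role": role, "reasons": reasons, "suspicious": strong or len(reasons) >= 3}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, assess(raw))
```

The path and query-key names are per-build values, so a production rule should take them from the extracted configuration of the sample at hand, as this snippet does, rather than hard-coding /uytf/; the structural indicators (no User-Agent, Connection: close, two short keys) are what carry over between builds.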
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.226460143.0000000002841000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213161728.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213161728.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com%$I/d
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com9
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comYou
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213196484.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comm
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como..
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comueh
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comva
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213244678.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comy
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213196484.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comypo
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213423791.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comz
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216127582.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com-O6d
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com.TTFsO
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216064181.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216985898.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216099763.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comS
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comals
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216461639.0000000005F35000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comasF
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.219234603.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comceva
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216127582.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comcomS
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216654283.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comdAO
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216627255.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comgritaHO
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.219234603.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comgritolOyd
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216654283.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.como
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216064181.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comrsiv
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.216654283.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comttF
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217155173.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comttod
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213011209.0000000005F2D000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212822532.0000000005F2D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213011209.0000000005F2D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cncz
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213011209.0000000005F2D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnly
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217666193.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217951742.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.217690168.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212488825.0000000005F2D000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212488825.0000000005F2D000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.krKKd
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213811208.0000000005F2D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/-O6d
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/0O
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/;O$dh
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/HO
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213811208.0000000005F2D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/It
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/VO
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214195042.0000000005F2D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0nl
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/eOndo
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213925578.0000000005F2D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/0O
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214635046.0000000005F2F000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/lOyd
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213925578.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/lOyd
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.214195042.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/t
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213811208.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ty
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213284821.0000000005F2F000.00000004.00000001.sdmpString found in binary or memory: http://www.micro(D.df
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212488825.0000000005F2D000.00000004.00000001.sdmp, Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212488825.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr2K
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212488825.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr8
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.212459989.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krQK
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.229094156.0000000007192000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213130693.0000000005F2D000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000003.213161728.0000000005F2F000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnrsCI
          Source: raserver.exe, 00000013.00000002.479062532.0000000004DE2000.00000004.00020000.sdmpString found in binary or memory: https://www.johnharrisagent.com/uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7
Source: unknown | DNS traffic detected: queries for: www.yummyblockparty.com
Source: global traffic | HTTP traffic detected: GET /uytf/?4hax=Z6tv0ZGri8uWurB8AUDeWgq8Hn78EURDlDEEMIHUNMQGUG9NVGnXX5+ZYyjQXpOA0JMU&6lE=xT6Pc HTTP/1.1 | Host: www.yummyblockparty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7DtpN0+eCTBT&6lE=xT6Pc HTTP/1.1 | Host: www.johnharrisagent.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uytf/?4hax=Lw8pQUl/qe2gQHW8JEklnfX9vlL4ErZAhlphDfsrttl8uYXfrtRE5waSCzthMEOsFHNR&6lE=xT6Pc HTTP/1.1 | Host: www.itsready.support | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uytf/?4hax=0R01lDMz+xXIWoinSyO5qQyNMJHeVacFioz47MHPNe7DMd9wx+TtySfTu0uIVXra7tyR&6lE=xT6Pc HTTP/1.1 | Host: www.btt5204.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, 00000001.00000002.225993143.0000000000BBB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
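The four GET requests recorded above share one URI directory (/uytf/) and one fixed query pair (6lE=xT6Pc) while the Host header rotates across unrelated domains and the other query value is an opaque base64-looking blob; that is the shape of a FormBook beacon walking its decoy-domain list. The following Python triage helper is an added example, not part of the report or of any vendor tooling: it groups HTTP requests by (path, static query pair) and flags a group once it has been seen against several distinct hosts. The four request tuples are copied from the report lines above; the www.example.com control request, the three-host threshold and the 40-character "opaque value" cut-off are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: (method, request-target, Host) for the four beacons
# recorded in the report, plus one benign-looking control request
# (assumption) that must NOT be flagged.
SAMPLE_REQUESTS = [
    ("GET", "/uytf/?4hax=Z6tv0ZGri8uWurB8AUDeWgq8Hn78EURDlDEEMIHUNMQGUG9NVGnXX5+ZYyjQXpOA0JMU&6lE=xT6Pc",
     "www.yummyblockparty.com"),
    ("GET", "/uytf/?4hax=1GgOydTR9rFB1tFiaPZsKtEWQf/ik/nrf61jzTsng/4mIf33LxMFmIGp7DtpN0+eCTBT&6lE=xT6Pc",
     "www.johnharrisagent.com"),
    ("GET", "/uytf/?4hax=Lw8pQUl/qe2gQHW8JEklnfX9vlL4ErZAhlphDfsrttl8uYXfrtRE5waSCzthMEOsFHNR&6lE=xT6Pc",
     "www.itsready.support"),
    ("GET", "/uytf/?4hax=0R01lDMz+xXIWoinSyO5qQyNMJHeVacFioz47MHPNe7DMd9wx+TtySfTu0uIVXra7tyR&6lE=xT6Pc",
     "www.btt5204.com"),
    ("GET", "/index.html?lang=en", "www.example.com"),  # constructed control
]

# Base64-alphabet run of at least 40 characters (assumed cut-off): the
# encrypted check-in payload FormBook stuffs into one query parameter.
OPAQUE = re.compile(r"^[A-Za-z0-9+/=]{40,}$")
STATIC_MAX_LEN = 8  # short fixed values are treated as part of the beacon "shape"


def parse_request(method, target, host):
    """Split a request-target into path and raw key=value pairs.

    The query is split by hand instead of with parse_qsl so that '+' and '/'
    inside the base64 blob are preserved exactly as sent.
    """
    parts = urlsplit(target)
    params = {}
    for pair in parts.query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[key] = value
    return {"method": method, "path": parts.path, "params": params, "host": host}


def beacon_key(req):
    """Shape of the request with the variable payload removed:
    (URI directory, sorted short static key=value pairs)."""
    static = tuple(sorted((k, v) for k, v in req["params"].items()
                          if len(v) <= STATIC_MAX_LEN))
    return (req["path"], static)


def has_opaque_payload(req):
    return any(OPAQUE.match(v) for v in req["params"].values())


def find_rotating_beacons(requests, min_hosts=3):
    """Return {beacon_key: [hosts]} for every request shape that carries an
    opaque payload and has been sent to at least min_hosts distinct hosts."""
    groups = defaultdict(set)
    for method, target, host in requests:
        req = parse_request(method, target, host)
        if req["method"] != "GET" or not has_opaque_payload(req):
            continue
        groups[beacon_key(req)].add(req["host"])
    return {k: sorted(hosts) for k, hosts in groups.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (path, static), hosts in find_rotating_beacons(SAMPLE_REQUESTS).items():
        print(f"beacon shape {path} {dict(static)} seen against {len(hosts)} hosts: {hosts}")
```

Run against proxy or Zeek http.log exports in the same (method, target, host) form; the host-count threshold is what separates a beacon walking a decoy list from a legitimate CDN path, so tune it per environment. Matching on the constant 6lE=xT6Pc pair alone would also work for this sample but breaks as soon as the next build changes its parameter names, which is why the key is the request shape rather than a literal string.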

          E-Banking Fraud:

Yara detected FormBook
          Source: Yara matchFile source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe
.NET source code contains very large strings
Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe, ConsoleGame/Form1.cs | Long String: Length: 50988
Source: 1.0.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.3c0000.0.unpack, ConsoleGame/Form1.cs | Long String: Length: 50988
Source: 1.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.3c0000.0.unpack, ConsoleGame/Form1.cs | Long String: Length: 50988
Source: 5.0.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.8a0000.0.unpack, ConsoleGame/Form1.cs | Long String: Length: 50988
Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.8a0000.1.unpack, ConsoleGame/Form1.cs | Long String: Length: 50988
          Source: Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.302114370.00000000012D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.474783464.0000000000AF0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.302217110.0000000001300000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.477256169.00000000043F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.226787168.0000000003841000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.473607935.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.255057512.000000000E28B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.271535377.000000000E28B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.301308375.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 1_2_048900401_2_04890040
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 1_2_0489003F1_2_0489003F
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_004010305_2_00401030
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_0041D1795_2_0041D179
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_0041C1D05_2_0041C1D0
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_0041C9FF5_2_0041C9FF
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_0041CA0B5_2_0041CA0B
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_00408C7B5_2_00408C7B
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_0041C4CC5_2_0041C4CC
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_00408C805_2_00408C80
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_0041BDE35_2_0041BDE3
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_00402D875_2_00402D87
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_00402D905_2_00402D90
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_0041C5B75_2_0041C5B7
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_00402FB05_2_00402FB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476841F19_2_0476841F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481D46619_2_0481D466
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04750D2019_2_04750D20
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_048225DD19_2_048225DD
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04822D0719_2_04822D07
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476D5E019_2_0476D5E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04821D5519_2_04821D55
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478258119_2_04782581
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04776E3019_2_04776E30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04822EF719_2_04822EF7
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481D61619_2_0481D616
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0482DFCE19_2_0482DFCE
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04821FF119_2_04821FF1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_048220A819_2_048220A8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477A83019_2_0477A830
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_048228EC19_2_048228EC
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481100219_2_04811002
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0482E82419_2_0482E824
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047820A019_2_047820A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0476B09019_2_0476B090
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477412019_2_04774120
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0475F90019_2_0475F900
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047799BF19_2_047799BF
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_048222AE19_2_048222AE
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0480FA2B19_2_0480FA2B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0477AB4019_2_0477AB40
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0481DBD219_2_0481DBD2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_048103DA19_2_048103DA
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04822B2819_2_04822B28
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0478EBB019_2_0478EBB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0071D17919_2_0071D179
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0071C9FF19_2_0071C9FF
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0071C1D019_2_0071C1D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0071CA0B19_2_0071CA0B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_00708C7B19_2_00708C7B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0071C4CC19_2_0071C4CC
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_00708C8019_2_00708C80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_0071BDE319_2_0071BDE3
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_00702D9019_2_00702D90
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_00702D8719_2_00702D87
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_00702FB019_2_00702FB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: String function: 0475B150 appears 72 times
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_004185E0 NtCreateFile,5_2_004185E0
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_00418690 NtReadFile,5_2_00418690
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_00418710 NtClose,5_2_00418710
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_004187C0 NtAllocateVirtualMemory,5_2_004187C0
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_0041868A NtReadFile,5_2_0041868A
          Source: C:\Users\user\Desktop\Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exeCode function: 5_2_0041870A NtClose,5_2_0041870A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04799540 NtReadFile,LdrInitializeThunk,19_2_04799540
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047995D0 NtClose,LdrInitializeThunk,19_2_047995D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04799660 NtAllocateVirtualMemory,LdrInitializeThunk,19_2_04799660
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04799650 NtQueryValueKey,LdrInitializeThunk,19_2_04799650
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047996E0 NtFreeVirtualMemory,LdrInitializeThunk,19_2_047996E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_047996D0 NtCreateKey,LdrInitializeThunk,19_2_047996D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04799710 NtQueryInformationToken,LdrInitializeThunk,19_2_04799710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 19_2_04799FE0 NtCreateMutant,L