Loading ...

Play interactive tourEdit tour

Windows Analysis Report Payment.exe

Overview

General Information

Sample Name:Payment.exe
Analysis ID:483531
MD5:933cedbe56bd04acdbbb183a0004162b
SHA1:9a255a7eaa2dd334dcde3f9c8f73e8c25e3a8a65
SHA256:a57534ac7570e5be7e25f1c0d9745dc549d56b193ed7b1547e61ae79485edc1c
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Payment.exe (PID: 5232 cmdline: 'C:\Users\user\Desktop\Payment.exe' MD5: 933CEDBE56BD04ACDBBB183A0004162B)
    • Payment.exe (PID: 1848 cmdline: C:\Users\user\Desktop\Payment.exe MD5: 933CEDBE56BD04ACDBBB183A0004162B)
    • Payment.exe (PID: 5352 cmdline: C:\Users\user\Desktop\Payment.exe MD5: 933CEDBE56BD04ACDBBB183A0004162B)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 6280 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6500 cmdline: /c del 'C:\Users\user\Desktop\Payment.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rafaelcristino.com/pm7s/"], "decoy": ["angrypeacocks.site", "theindependentartlable.com", "coachingforthewin.com", "localbizsc.com", "drive-a-supercar.com", "mewsette.com", "scinuh.com", "gurugramaffordablehomes.com", "riamedefarm.com", "richfitzfashions.com", "u9j1o.info", "dife-rent.com", "talesfromthequadrat.com", "dandfmotors.com", "springtexasdentist.com", "gobakala.store", "earlyeducationglobal.com", "sdrxsb.site", "dreamlifebiz.com", "theurbancaveshop.com", "rojkikhabar.com", "honeycreek-vision.com", "robinnicholsrealty.com", "orilliatownhouseteam.com", "ipedal.xyz", "ropemillcreekpaddleboarding.com", "monbeauchien.com", "achtsamkeit-in-der-schule.com", "towtruckperth.com", "shijijiaoyou.com", "belangespiritualstore.com", "gmignitionswitcheconomicset.com", "tracelanelog.com", "infiniteavionics.com", "kornfelder.com", "unnsa.xyz", "billonblocjs.com", "savingcambodia.com", "darienkitchens.com", "ecetonline.com", "softcenchina.com", "eu-global.space", "americajustsayit.com", "getverthanger.com", "arrowlankaexports.com", "xn--uds17hya4f549f40d.com", "btlbusinesscoaching.com", "aktive.net", "awkamga.com", "borostamas.com", "tuolum.net", "tnshomebuyers.com", "signatureperformace.com", "s16.solutions", "thethoughtrecord.com", "onexotyland.com", "deintuning.com", "wellrecognizewell.com", "rugpat.com", "shellieclarksonsbeautique.com", "cevicheatl.com", "usasbe.com", "listenonrepear.com", "qanoonpharmacy.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x5409:$sqlite3step: 68 34 1C 7B E1
    • 0x551c:$sqlite3step: 68 34 1C 7B E1
    • 0x5438:$sqlite3text: 68 38 2A 90 C5
    • 0x555d:$sqlite3text: 68 38 2A 90 C5
    • 0x544b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x5573:$sqlite3blob: 68 53 D8 7F 8C
    00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 24 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      6.2.Payment.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        6.2.Payment.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        6.2.Payment.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x17609:$sqlite3step: 68 34 1C 7B E1
        • 0x1771c:$sqlite3step: 68 34 1C 7B E1
        • 0x17638:$sqlite3text: 68 38 2A 90 C5
        • 0x1775d:$sqlite3text: 68 38 2A 90 C5
        • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
        6.2.Payment.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          6.2.Payment.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 1 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.rafaelcristino.com/pm7s/"], "decoy": ["angrypeacocks.site", "theindependentartlable.com", "coachingforthewin.com", "localbizsc.com", "drive-a-supercar.com", "mewsette.com", "scinuh.com", "gurugramaffordablehomes.com", "riamedefarm.com", "richfitzfashions.com", "u9j1o.info", "dife-rent.com", "talesfromthequadrat.com", "dandfmotors.com", "springtexasdentist.com", "gobakala.store", "earlyeducationglobal.com", "sdrxsb.site", "dreamlifebiz.com", "theurbancaveshop.com", "rojkikhabar.com", "honeycreek-vision.com", "robinnicholsrealty.com", "orilliatownhouseteam.com", "ipedal.xyz", "ropemillcreekpaddleboarding.com", "monbeauchien.com", "achtsamkeit-in-der-schule.com", "towtruckperth.com", "shijijiaoyou.com", "belangespiritualstore.com", "gmignitionswitcheconomicset.com", "tracelanelog.com", "infiniteavionics.com", "kornfelder.com", "unnsa.xyz", "billonblocjs.com", "savingcambodia.com", "darienkitchens.com", "ecetonline.com", "softcenchina.com", "eu-global.space", "americajustsayit.com", "getverthanger.com", "arrowlankaexports.com", "xn--uds17hya4f549f40d.com", "btlbusinesscoaching.com", "aktive.net", "awkamga.com", "borostamas.com", "tuolum.net", "tnshomebuyers.com", "signatureperformace.com", "s16.solutions", "thethoughtrecord.com", "onexotyland.com", "deintuning.com", "wellrecognizewell.com", "rugpat.com", "shellieclarksonsbeautique.com", "cevicheatl.com", "usasbe.com", "listenonrepear.com", "qanoonpharmacy.com"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: Payment.exeVirustotal: Detection: 52%Perma Link
          Source: Payment.exeMetadefender: Detection: 31%Perma Link
          Source: Payment.exeReversingLabs: Detection: 67%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORY
          Source: 6.2.Payment.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: Payment.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: Payment.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: Payment.exe, 00000006.00000002.324070691.0000000002E40000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Payment.exe, 00000006.00000002.321552044.00000000010BF000.00000040.00000001.sdmp, cscript.exe, 00000013.00000002.483873572.000000000494F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Payment.exe, cscript.exe
          Source: Binary string: cscript.pdb source: Payment.exe, 00000006.00000002.324070691.0000000002E40000.00000040.00020000.sdmp

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49807 -> 91.195.240.94:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49807 -> 91.195.240.94:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49807 -> 91.195.240.94:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49812 -> 34.98.99.30:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49812 -> 34.98.99.30:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49812 -> 34.98.99.30:80
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.earlyeducationglobal.com
          Source: C:\Windows\explorer.exeNetwork Connect: 91.195.240.94 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 34.98.99.30 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.cevicheatl.com
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.rafaelcristino.com/pm7s/
          Source: Joe Sandbox ViewASN Name: SEDO-ASDE SEDO-ASDE
          Source: global trafficHTTP traffic detected: GET /pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL HTTP/1.1Host: www.cevicheatl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /pm7s/?-Zi=lvCYA3THHwf3zrDy6Hq/UQWt6LGRVtHVYfKCQGlaiZ/7JUYV8wEH0lTBDrKh23L7whpy&v2J83=dDHD9XVxev94 HTTP/1.1Host: www.earlyeducationglobal.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 91.195.240.94 91.195.240.94
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Payment.exe, 00000001.00000002.246563307.00000000066C2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknownDNS traffic detected: queries for: www.cevicheatl.com
          Source: global trafficHTTP traffic detected: GET /pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL HTTP/1.1Host: www.cevicheatl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /pm7s/?-Zi=lvCYA3THHwf3zrDy6Hq/UQWt6LGRVtHVYfKCQGlaiZ/7JUYV8wEH0lTBDrKh23L7whpy&v2J83=dDHD9XVxev94 HTTP/1.1Host: www.earlyeducationglobal.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: Payment.exe
          Source: Payment.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.Payment.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.Payment.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.289360000.000000000643E000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.476066446.0000000000800000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.312038507.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.320708388.0000000000F60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.482181814.0000000004690000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.477004988.0000000000910000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.322423525.00000000012D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.268479166.000000000643E000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.243854024.0000000003619000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Payment.exeCode function: 1_2_001F22111_2_001F2211
          Source: C:\Users\user\Desktop\Payment.exeCode function: 1_2_00DBC1041_2_00DBC104
          Source: C:\Users\user\Desktop\Payment.exeCode function: 1_2_00DBE5501_2_00DBE550
          Source: C:\Users\user\Desktop\Payment.exeCode function: 1_2_00DBE5401_2_00DBE540
          Source: C:\Users\user\Desktop\Payment.exeCode function: 1_2_06BEB00C1_2_06BEB00C
          Source: C:\Users\user\Desktop\Payment.exeCode function: 1_2_06BE7A181_2_06BE7A18
          Source: C:\Users\user\Desktop\Payment.exeCode function: 1_2_06BED2A11_2_06BED2A1
          Source: C:\Users\user\Desktop\Payment.exeCode function: 1_2_06BEB1C01_2_06BEB1C0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 5_2_003622115_2_00362211
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0041D84D6_2_0041D84D
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_004010306_2_00401030
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0041D2156_2_0041D215
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0041DB066_2_0041DB06
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0041DC386_2_0041DC38
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00402D876_2_00402D87
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00402D906_2_00402D90
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00409E406_2_00409E40
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00409E3F6_2_00409E3F
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00402FB06_2_00402FB0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_005422116_2_00542211
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FF20A06_2_00FF20A0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FDB0906_2_00FDB090
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010810026_2_01081002
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0109E8246_2_0109E824
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010920A86_2_010920A8
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FE41206_2_00FE4120
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010928EC6_2_010928EC
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FCF9006_2_00FCF900
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01092B286_2_01092B28
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010803DA6_2_010803DA
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0108DBD26_2_0108DBD2
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0107FA2B6_2_0107FA2B
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FFEBB06_2_00FFEBB0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010922AE6_2_010922AE
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FEAB406_2_00FEAB40
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01092D076_2_01092D07
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01091D556_2_01091D55
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010925DD6_2_010925DD
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FD841F6_2_00FD841F
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FDD5E06_2_00FDD5E0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0108D4666_2_0108D466
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FF25816_2_00FF2581
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FC0D206_2_00FC0D20
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0109DFCE6_2_0109DFCE
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00FE6E306_2_00FE6E30
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01091FF16_2_01091FF1
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0108D6166_2_0108D616
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01092EF76_2_01092EF7
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0486B09019_2_0486B090
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048820A019_2_048820A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049220A819_2_049220A8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0491100219_2_04911002
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0486841F19_2_0486841F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0488258119_2_04882581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0486D5E019_2_0486D5E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0485F90019_2_0485F900
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04922D0719_2_04922D07
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04850D2019_2_04850D20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0487412019_2_04874120
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04921D5519_2_04921D55
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_049222AE19_2_049222AE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04922EF719_2_04922EF7
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04876E3019_2_04876E30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0488EBB019_2_0488EBB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04921FF119_2_04921FF1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04922B2819_2_04922B28
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0081D84D19_2_0081D84D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0081DB0619_2_0081DB06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0081DC3819_2_0081DC38
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00802D8719_2_00802D87
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00802D9019_2_00802D90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00809E3F19_2_00809E3F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00809E4019_2_00809E40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00802FB019_2_00802FB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0485B150 appears 35 times
          Source: C:\Users\user\Desktop\Payment.exeCode function: String function: 00FCB150 appears 48 times
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00419D60 NtCreateFile,6_2_00419D60
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00419E10 NtReadFile,6_2_00419E10
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00419E90 NtClose,6_2_00419E90
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00419F40 NtAllocateVirtualMemory,6_2_00419F40
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00419D5A NtCreateFile,6_2_00419D5A
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00419DB2 NtReadFile,6_2_00419DB2
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00419E8B NtClose,6_2_00419E8B
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_00419F3A NtAllocateVirtualMemory,6_2_00419F3A
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_01009910
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010099A0 NtCreateSection,LdrInitializeThunk,6_2_010099A0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009840 NtDelayExecution,LdrInitializeThunk,6_2_01009840
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009860 NtQuerySystemInformation,LdrInitializeThunk,6_2_01009860
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010098F0 NtReadVirtualMemory,LdrInitializeThunk,6_2_010098F0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009A00 NtProtectVirtualMemory,LdrInitializeThunk,6_2_01009A00
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009A20 NtResumeThread,LdrInitializeThunk,6_2_01009A20
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009A50 NtCreateFile,LdrInitializeThunk,6_2_01009A50
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009540 NtReadFile,LdrInitializeThunk,6_2_01009540
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010095D0 NtClose,LdrInitializeThunk,6_2_010095D0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009710 NtQueryInformationToken,LdrInitializeThunk,6_2_01009710
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009780 NtMapViewOfSection,LdrInitializeThunk,6_2_01009780
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010097A0 NtUnmapViewOfSection,LdrInitializeThunk,6_2_010097A0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_01009660
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010096E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_010096E0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009950 NtQueueApcThread,6_2_01009950
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010099D0 NtCreateProcessEx,6_2_010099D0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009820 NtEnumerateKey,6_2_01009820
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0100B040 NtSuspendThread,6_2_0100B040
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010098A0 NtWriteVirtualMemory,6_2_010098A0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009B00 NtSetValueKey,6_2_01009B00
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0100A3B0 NtGetContextThread,6_2_0100A3B0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009A10 NtQuerySection,6_2_01009A10
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009A80 NtOpenDirectoryObject,6_2_01009A80
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009520 NtWaitForSingleObject,6_2_01009520
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0100AD30 NtSetContextThread,6_2_0100AD30
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009560 NtWriteFile,6_2_01009560
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010095F0 NtQueryInformationFile,6_2_010095F0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0100A710 NtOpenProcessToken,6_2_0100A710
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009730 NtQueryVirtualMemory,6_2_01009730
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009760 NtOpenProcess,6_2_01009760
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_0100A770 NtOpenThread,6_2_0100A770
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009770 NtSetInformationFile,6_2_01009770
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009FE0 NtCreateMutant,6_2_01009FE0
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009610 NtEnumerateValueKey,6_2_01009610
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009650 NtQueryValueKey,6_2_01009650
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_01009670 NtQueryInformationProcess,6_2_01009670
          Source: C:\Users\user\Desktop\Payment.exeCode function: 6_2_010096D0 NtCreateKey,6_2_010096D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899840 NtDelayExecution,LdrInitializeThunk,19_2_04899840
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899860 NtQuerySystemInformation,LdrInitializeThunk,19_2_04899860
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048999A0 NtCreateSection,LdrInitializeThunk,19_2_048999A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048995D0 NtClose,LdrInitializeThunk,19_2_048995D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899910 NtAdjustPrivilegesToken,LdrInitializeThunk,19_2_04899910
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899540 NtReadFile,LdrInitializeThunk,19_2_04899540
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048996D0 NtCreateKey,LdrInitializeThunk,19_2_048996D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048996E0 NtFreeVirtualMemory,LdrInitializeThunk,19_2_048996E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899A50 NtCreateFile,LdrInitializeThunk,19_2_04899A50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899650 NtQueryValueKey,LdrInitializeThunk,19_2_04899650
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899660 NtAllocateVirtualMemory,LdrInitializeThunk,19_2_04899660
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899780 NtMapViewOfSection,LdrInitializeThunk,19_2_04899780
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899FE0 NtCreateMutant,LdrInitializeThunk,19_2_04899FE0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899710 NtQueryInformationToken,LdrInitializeThunk,19_2_04899710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048998A0 NtWriteVirtualMemory,19_2_048998A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048998F0 NtReadVirtualMemory,19_2_048998F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899820 NtEnumerateKey,19_2_04899820
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489B040 NtSuspendThread,19_2_0489B040
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048999D0 NtCreateProcessEx,19_2_048999D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048995F0 NtQueryInformationFile,19_2_048995F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899520 NtWaitForSingleObject,19_2_04899520
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489AD30 NtSetContextThread,19_2_0489AD30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899950 NtQueueApcThread,19_2_04899950
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899560 NtWriteFile,19_2_04899560
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899A80 NtOpenDirectoryObject,19_2_04899A80
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899A00 NtProtectVirtualMemory,19_2_04899A00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899610 NtEnumerateValueKey,19_2_04899610
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899A10 NtQuerySection,19_2_04899A10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899A20 NtResumeThread,19_2_04899A20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899670 NtQueryInformationProcess,19_2_04899670
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_048997A0 NtUnmapViewOfSection,19_2_048997A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489A3B0 NtGetContextThread,19_2_0489A3B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899B00 NtSetValueKey,19_2_04899B00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489A710 NtOpenProcessToken,19_2_0489A710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899730 NtQueryVirtualMemory,19_2_04899730
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899760 NtOpenProcess,19_2_04899760
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04899770 NtSetInformationFile,19_2_04899770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_0489A770 NtOpenThread,19_2_0489A770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00819D60 NtCreateFile,19_2_00819D60
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00819E90 NtClose,19_2_00819E90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00819E10 NtReadFile,19_2_00819E10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00819F40 NtAllocateVirtualMemory,19_2_00819F40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00819DB2 NtReadFile,19_2_00819DB2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00819D5A NtCreateFile,19_2_00819D5A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00819E8B NtClose,19_2_00819E8B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_00819F3A NtAllocateVirtualMemory,19_2_00819F3A
          Source: Payment.exe, 00000001.00000002.247268783.00000000072F0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs Payment.exe
          Source: Payment.exe, 00000001.00000002.243123804.0000000002627000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameriched20.dllp( vs Payment.exe
          Source: Payment.exe, 00000001.00000002.243123804.0000000002627000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs Payment.exe
          Source: Payment.exe, 00000001.00000002.243123804.0000000002627000.00000004.00000001.sdmpBinary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Payment.exe
          Source: Payment.exe, 00000001.00000002.243123804.0000000002627000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEnvoySinks.dll6 vs Payment.exe
          Source: Payment.exe, 00000001.00000002.241622342.0000000000270000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIObjectHand.exe> vs Payment.exe
          Source: Payment.exe, 00000005.00000000.239308017.00000000003E0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIObjectHand.exe> vs Payment.exe
          Source: Payment.exe, 00000006.00000000.240548929.00000000005C0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIObjectHand.exe> vs Payment.exe
          Source: Payment.exe, 00000006.00000002.321552044.00000000010BF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Payment.exe
          Source: Payment.exe, 00000006.00000002.324070691.0000000002E40000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs Payment.exe
          Source: Payment.exeBinary or memory string: OriginalFilenameIObjectHand.exe> vs Payment.exe
          Source: Payment.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Payment.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Payment.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Payment.exeVirustotal: Detection: 52%
          Source: Payment.exeMetadefender: Detection: 31%
          Source: Payment.exeReversingLabs: Detection: 67%
          Source: Payment.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Payment.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Payment.exe 'C:\Users\user\Desktop\Payment.exe'
          Source: C:\Users\user\Desktop\Payment.exeProcess created: C:\Users\user\Desktop\Payment.exe C:\Users\user\Desktop\Payment.exe
          Source: C:\Users\user\Desktop\Payment.exeProcess created: C:\Users\user\Desktop\Payment.exe C:\Users\user\Desktop\Payment.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Payment.exeProcess created: C:\Users\user\Desktop\Payment.exe C:\Users\user\Desktop\Payment.exeJump to behavior
          Source: C:\Users\user\Desktop\Payment.exeProcess created: C:\Users\user\Desktop\Payment.exe C:\Users\user\Desktop\Payment.exeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment.exe'Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\Payment.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/1@2/2
          Source: C:\Users\user\Desktop\Payment.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
          Source: Payment.exe, u0006u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.0.Payment.exe.1f0000.0.unpack, u0006u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.2.Payment.exe.1f0000.0.unpack, u0006u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 5.2.Payment.exe.360000.0.unpack, u0006u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 5.0.Payment.exe.360000.0.unpack, u0006u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 6.2.Payment.exe.540000.1.unpack, u0006u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\Payment.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: Payment.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Payment.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_B