
Windows Analysis Report Unpaid invoice.exe

Overview

General Information

Sample Name: Unpaid invoice.exe
Analysis ID: 483566
MD5: 3ade5b9b508051cc39c1c610f4af5a12
SHA1: 662056878a2b1fb1e99d1f74bb0e8694904fdccd
SHA256: 207dff33f6f91f114deae60a6cb3a404a5f40bc607fb6015f680c8980af7ac16
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Unpaid invoice.exe (PID: 2740 cmdline: 'C:\Users\user\Desktop\Unpaid invoice.exe' MD5: 3ADE5B9B508051CC39C1C610F4AF5A12)
    • schtasks.exe (PID: 2520 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NBYchW' /XML 'C:\Users\user\AppData\Local\Temp\tmpC99D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Unpaid invoice.exe (PID: 2152 cmdline: C:\Users\user\Desktop\Unpaid invoice.exe MD5: 3ADE5B9B508051CC39C1C610F4AF5A12)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • svchost.exe (PID: 2576 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
        • cmd.exe (PID: 5380 cmdline: /c del 'C:\Users\user\Desktop\Unpaid invoice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.allfyllofficial.com/b6cu/"], "decoy": ["sxdiyan.com", "web0084.com", "cpafirmspokane.com", "la-bio-geo.com", "chacrit.com", "stuntfighting.com", "rjsworkshop.com", "themillennialsfinest.com", "thefrontrealestate.com", "chairmn.com", "best1korea.com", "gudssutu.icu", "backupchip.net", "shrikanthamimports.com", "sportrecoverysleeve.com", "healthy-shack.com", "investperwear.com", "intertradeperu.com", "resonantonshop.com", "greghugheslaw.com", "instrumentum.store", "creative-cloud.info", "sansfoundations.com", "pmca.asia", "night.doctor", "19v5.com", "cmas.life", "yhanlikho.com", "kartikpatelrealtor.com", "viralpagi.com", "samsonengineeringco.com", "mh666.cool", "laboratoriosjj.com", "produklokal.com", "tjhysb.com", "solutions-oigroup.com", "chictarh.com", "gotmail.info", "yourvalue.online", "mylinkreview.com", "champonpowerequipment.com", "starcoupeownersindonesia.com", "buzagialtligi.com", "botol2-lasdnk.com", "blunss.info", "l3-construction.com", "fmodesign.com", "silkraga.com", "editimpact.com", "unionairjordanla.com", "lacageavin.com", "gushixiu.com", "cleanlast.com", "awvpvkmzxa.com", "xiaosandao.com", "nldcostmetics.com", "prosperitywithsoul.com", "kheticulture.com", "booksbykimberlyeandco.com", "creativehughes.com", "mobilewz.com", "arerasols.com", "w-hanaemi-personal.com", "dynamonetwork.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.499873958.0000000002F90000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000012.00000002.499873958.0000000002F90000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.499873958.0000000002F90000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.245150214.0000000003DEB000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.245150214.0000000003DEB000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x130af8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x130e92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x13cba5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x13c691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x13cca7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x13ce1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x1318aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x13b90c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x132622:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x141c97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x142d3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(further entries not shown; the report lists 27 memory-dump entries)

      Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.Unpaid invoice.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.Unpaid invoice.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.Unpaid invoice.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158c9:$sqlite3step: 68 34 1C 7B E1
        • 0x159dc:$sqlite3step: 68 34 1C 7B E1
        • 0x158f8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
        • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
5.2.Unpaid invoice.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.Unpaid invoice.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(further entries not shown; the report lists 4 unpacked-PE entries)
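The Yara strings above are raw byte sequences reported at offsets inside the dumps. Two of them are worth reading as code rather than as opaque signatures: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax, which is the RDTSC timing check the signature list calls "Tries to detect virtualization through RDTSC time measurements"; and each JPCERT string is a 5-byte push imm32 (opcode 68) of a 32-bit constant the rule labels sqlite3step, sqlite3text and sqlite3blob, i.e. the hashed API references FormBook uses for its SQLite-based credential harvesting. The Python below is an added example and not part of the Joe Sandbox report or of either rule: it plants the page's byte strings at the offsets reported for the 0x2F90000 svchost dump into a constructed filler buffer, scans for them the way a Yara string match does, decodes the push constants, and applies a toy condition of its own (the real rules' conditions are not shown on this page).

```python
"""Scan a memory buffer for the FormBook byte sequences listed on this page.
Added example; the buffer is constructed (int3 filler with the patterns planted)."""

import struct

# Byte patterns copied from the Yara match listing. The disassembly notes are
# this example's own reading of the bytes, not text from the rules.
SEQUENCES = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",  # add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
}
API_PUSHES = {
    "$sqlite3step": "68 34 1C 7B E1",  # push 0xE17B1C34
    "$sqlite3text": "68 38 2A 90 C5",  # push 0xC5902A38
    "$sqlite3blob": "68 53 D8 7F 8C",  # push 0x8C7FD853
}
# Offsets the page reports for these strings in the 0x2F90000 dump of PID 0x12.
REPORTED_OFFSETS = {
    "$sequence_0": [0x85F8, 0x8992],
    "$sequence_1": [0x146A5],
    "$sequence_4": [0x1491F],
    "$sequence_8": [0x19797],
    "$sqlite3step": [0x166C9, 0x167DC],
    "$sqlite3text": [0x166F8, 0x1681D],
    "$sqlite3blob": [0x1670B, 0x16833],
}

def to_bytes(hexstr):
    return bytes.fromhex(hexstr.replace(" ", ""))

def find_all(buf, needle):
    """All offsets of needle in buf, in ascending order."""
    offs, i = [], buf.find(needle)
    while i != -1:
        offs.append(i)
        i = buf.find(needle, i + 1)
    return offs

def scan(buf, patterns):
    """Return {name: [offsets]} for every pattern that occurs at least once."""
    hits = {}
    for name, hexstr in patterns.items():
        offs = find_all(buf, to_bytes(hexstr))
        if offs:
            hits[name] = offs
    return hits

def push_imm32(buf, off):
    """Decode a 5-byte `push imm32` (opcode 0x68) at off and return the constant."""
    if buf[off] != 0x68:
        raise ValueError("no push imm32 at 0x%x" % off)
    return struct.unpack_from("<I", buf, off + 1)[0]

def looks_like_formbook(hits):
    """Toy condition for this example only (the real rules' conditions are not on
    the page): all three API-hash pushes plus at least two of the code sequences."""
    return all(k in hits for k in API_PUSHES) and sum(k in hits for k in SEQUENCES) >= 2

def build_sample_dump():
    """Constructed buffer: int3 filler with the patterns planted at the reported offsets."""
    buf = bytearray(b"\xCC" * 0x1B000)
    allpat = {**SEQUENCES, **API_PUSHES}
    for name, offs in REPORTED_OFFSETS.items():
        pat = to_bytes(allpat[name])
        for off in offs:
            buf[off:off + len(pat)] = pat
    return bytes(buf)

if __name__ == "__main__":
    dump = build_sample_dump()
    hits = scan(dump, {**SEQUENCES, **API_PUSHES})
    for name, offs in sorted(hits.items()):
        print("%-14s %s" % (name, [hex(o) for o in offs]))
    print("sqlite3step constant: 0x%08X" % push_imm32(dump, hits["$sqlite3step"][0]))
    print("formbook-like:", looks_like_formbook(hits))
```

Note that the offsets for the same strings differ between the .unpack and .raw.unpack views of process 5 (0x77f8 versus 0x85f8 for $sequence_0): the first is the rebuilt PE in file layout, the second keeps the in-memory layout, which is also what the 0x2F90000 dump shows. Scan the form you actually have.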

          Sigma Overview

          System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: (empty), Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\Desktop\Unpaid invoice.exe, ParentImage: C:\Users\user\Desktop\Unpaid invoice.exe, ParentProcessId: 2152, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2576
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: the same process-start event (ProcessId 2576, ParentProcessId 2152) as above
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: the same process-start event (ProcessId 2576, ParentProcessId 2152) as above
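All three Sigma hits fire on one event: a 32-bit svchost.exe from SysWOW64 started with no arguments (no -k service group) by the hollowed Unpaid invoice.exe (PID 2152) instead of services.exe. The process tree above carries two more host-side signals that the report lists as separate signatures: schtasks.exe creating a task from an XML file in the user's Temp directory (persistence), and cmd.exe deleting the original binary from inside the injected svchost (self-deletion). The Python below is an added example, not from the report and not the Sigma project's rule logic: it reconstructs the page's process tree as process-creation events and runs approximations of those checks over them, including a parent-chain walk so the self-delete rule links the cmd.exe back to PID 2152. The cmd.exe image path and the nesting of explorer.exe under PID 2152 (the sandbox shows injection targets as children) are assumptions marked in the code.

```python
"""Process-tree checks over events reconstructed from this report. Added example."""

import ntpath
import re

# Process-creation events constructed from the process tree on this page. The
# report renders quotes as ' and nests injection targets under the injector;
# the cmd.exe image path is assumed (a 32-bit parent gets the SysWOW64 copy).
EVENTS = [
    {"pid": 2740, "ppid": 1, "image": r"C:\Users\user\Desktop\Unpaid invoice.exe",
     "cmdline": r'"C:\Users\user\Desktop\Unpaid invoice.exe"'},
    {"pid": 2520, "ppid": 2740, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NBYchW" /XML "C:\Users\user\AppData\Local\Temp\tmpC99D.tmp"'},
    {"pid": 5760, "ppid": 2520, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 2152, "ppid": 2740, "image": r"C:\Users\user\Desktop\Unpaid invoice.exe",
     "cmdline": r"C:\Users\user\Desktop\Unpaid invoice.exe"},
    {"pid": 3388, "ppid": 2152, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2576, "ppid": 2152, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 5380, "ppid": 2576, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\user\Desktop\Unpaid invoice.exe"'},
    {"pid": 5460, "ppid": 5380, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

def name(ev):
    return ntpath.basename(ev["image"]).lower()

def ancestors(ev, by_pid):
    """Yield parent, grandparent, ... by ppid; stops at an unknown pid or a cycle."""
    seen, cur = set(), by_pid.get(ev["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])

def rule_suspect_svchost(ev, by_pid):
    """Approximation of the svchost checks: wrong parent, no -k group, SysWOW64 copy.
    A 32-bit svchost is unusual rather than impossible, so the parent check matters most."""
    if name(ev) != "svchost.exe":
        return []
    parent, reasons = by_pid.get(ev["ppid"]), []
    if parent is None or name(parent) != "services.exe":
        reasons.append("parent is %s, not services.exe" % (name(parent) if parent else "unknown"))
    if not re.search(r"\s-k\s", ev["cmdline"], re.I):
        reasons.append("no -k service group on the command line")
    if "\\syswow64\\" in ev["image"].lower():
        reasons.append("32-bit svchost from SysWOW64")
    return reasons

def rule_schtasks_xml_from_temp(ev, by_pid):
    if name(ev) != "schtasks.exe":
        return []
    cl = ev["cmdline"].lower()
    if "/create" in cl and "/xml" in cl and "\\appdata\\local\\temp\\" in cl:
        return ["scheduled task created from an XML file in the user's Temp directory"]
    return []

def rule_self_delete(ev, by_pid):
    """cmd.exe deleting the on-disk image of one of its own ancestors."""
    if name(ev) != "cmd.exe":
        return []
    m = re.search(r'\bdel\s+"?(.+?)"?\s*$', ev["cmdline"], re.I)
    if not m:
        return []
    target = m.group(1).lower()
    for anc in ancestors(ev, by_pid):
        if anc["image"].lower() == target:
            return ["deletes the image of ancestor PID %d" % anc["pid"]]
    return []

def rule_same_image_child(ev, by_pid):
    """Weak on its own: a process re-launching its own binary, as PID 2740 does
    for PID 2152 before hollowing it."""
    parent = by_pid.get(ev["ppid"])
    if parent and parent["image"].lower() == ev["image"].lower():
        return ["child re-executes its parent's own image (hollowing prelude)"]
    return []

RULES = {
    "suspect_svchost": rule_suspect_svchost,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "self_delete": rule_self_delete,
    "same_image_child": rule_same_image_child,
}

def run_rules(events):
    """Return one finding per (process, rule) that produced at least one reason."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for rule_name, fn in RULES.items():
            reasons = fn(ev, by_pid)
            if reasons:
                findings.append({"pid": ev["pid"], "image": ev["image"],
                                 "rule": rule_name, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print("PID %-5d %-24s %s" % (f["pid"], f["rule"], "; ".join(f["reasons"])))
```

On a real endpoint the same checks run over Sysmon event ID 1 or the Security log's 4688 with command-line auditing enabled; without the parent image and command line both recorded, the svchost and self-delete rules have nothing to work with.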

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000001.00000002.245150214.0000000003DEB000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook (C2 list and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Unpaid invoice.exe; Virustotal: Detection: 26%
Source: Unpaid invoice.exe; ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match; File source: 5.2.Unpaid invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Unpaid invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Unpaid invoice.exe.3eb70e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000012.00000002.499873958.0000000002F90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.245150214.0000000003DEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.294564046.00000000063D8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.245025730.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.275380459.00000000063D8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.346119104.0000000000F50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.342884658.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.499450563.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.344039613.0000000000B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.498755726.0000000000BB0000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.allfyllofficial.com/b6cu/; Avira URL Cloud: Label: malware
Source: http://www.allfyllofficial.com/b6cu/?lbEXvJ=BM8pWLo2liCp6ZW0oulSPGvnDMzVbQu2mhNtcpnMeN5lw4nyr3fndb0CaXopSlD2ZkNR&r0=EBw4_; Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NBYchW.exe; ReversingLabs: Detection: 22%
Machine Learning detection for sample
Source: Unpaid invoice.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NBYchW.exe; Joe Sandbox ML: detected
Source: 5.2.Unpaid invoice.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: Unpaid invoice.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Unpaid invoice.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP; source: Unpaid invoice.exe, 00000005.00000002.350097337.00000000010AF000.00000040.00000001.sdmp, svchost.exe, 00000012.00000003.346087323.0000000003800000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb; source: Unpaid invoice.exe, 00000005.00000002.350097337.00000000010AF000.00000040.00000001.sdmp, svchost.exe
Source: Binary string: svchost.pdb; source: Unpaid invoice.exe, 00000005.00000002.351579922.0000000002FA0000.00000040.00020000.sdmp
Source: Binary string: svchost.pdbUGP; source: Unpaid invoice.exe, 00000005.00000002.351579922.0000000002FA0000.00000040.00020000.sdmp

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49781 -> 50.87.144.47:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49781 -> 50.87.144.47:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49781 -> 50.87.144.47:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 156.252.96.170:80
Source: C:\Windows\explorer.exe; Domain query: www.awvpvkmzxa.com
Source: C:\Windows\explorer.exe; Domain query: www.w-hanaemi-personal.com
Source: C:\Windows\explorer.exe; Network Connect: 50.87.144.47:80
Source: C:\Windows\explorer.exe; Domain query: www.cleanlast.com
Source: C:\Windows\explorer.exe; Network Connect: 99.83.154.118:80
Source: C:\Windows\explorer.exe; Domain query: www.allfyllofficial.com
Source: C:\Windows\explorer.exe; Domain query: www.gushixiu.com
Source: C:\Windows\explorer.exe; Domain query: www.stuntfighting.com
Source: C:\Windows\explorer.exe; Network Connect: 154.207.58.141:80
Source: C:\Windows\explorer.exe; Network Connect: 163.44.185.222:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.allfyllofficial.com/b6cu/
Source: Joe Sandbox View; ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: global traffic; HTTP traffic detected: GET /b6cu/?lbEXvJ=BM8pWLo2liCp6ZW0oulSPGvnDMzVbQu2mhNtcpnMeN5lw4nyr3fndb0CaXopSlD2ZkNR&r0=EBw4_ HTTP/1.1 | Host: www.allfyllofficial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /b6cu/?lbEXvJ=DGQOt/v6Doko/GTzSubfaMuBKTlE+dhd6ldDf6bXzV/MdA1CNIu3fXU8hVK9hGwuq2Mc&r0=EBw4_ HTTP/1.1 | Host: www.gushixiu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /b6cu/?lbEXvJ=aL8GsdtRj731cmhv1dUVzhNUcGCzwOY8U67ftd+k/VcamZjvg+wNZXLAjQN4VnMEsIrX&r0=EBw4_ HTTP/1.1 | Host: www.awvpvkmzxa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /b6cu/?lbEXvJ=/W5fPk/NpnLPoFsp6A4FmcLJD6bNeTnuhZMoGpKBjdAOAJE6XZncFA09XqCzfzF+ZU3u&r0=EBw4_ HTTP/1.1 | Host: www.w-hanaemi-personal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /b6cu/?lbEXvJ=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tq9cN+gNtTm5&r0=EBw4_ HTTP/1.1 | Host: www.stuntfighting.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View; IP Address: 99.83.154.118
Source: Unpaid invoice.exe, 00000001.00000002.244595600.0000000002CF1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown; DNS traffic detected: queries for: www.allfyllofficial.com
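FormBook sends the same GET check-in (path /b6cu/, one long parameter in the raw base64 alphabet including + and /, one short parameter, Connection: close and no User-Agent) to its real C2 and to decoy domains drawn from its configuration, so the five requests above look identical on the wire; only the extracted configuration tells www.allfyllofficial.com (C2 list) from www.gushixiu.com, www.awvpvkmzxa.com, www.w-hanaemi-personal.com and www.stuntfighting.com (decoy list). The Python below is an added example, not part of the report: it rebuilds the five captured requests from the lines above, parses them by hand so urllib's '+'-to-space decoding does not hide the base64 alphabet, flags the check-in shape with heuristics derived from these five requests rather than from a protocol specification, and classifies each Host against the C2 and decoy lists (a subset of the decoys is embedded, enough for the hosts seen).

```python
"""Classify FormBook-style GET check-ins against an extracted configuration. Added example."""

import re

# Configuration as extracted on this page; the decoy list is a constructed subset.
CONFIG = {
    "C2 list": ["www.allfyllofficial.com/b6cu/"],
    "decoy": ["stuntfighting.com", "gushixiu.com", "awvpvkmzxa.com",
              "w-hanaemi-personal.com", "cleanlast.com"],
}

# Host and query string of the five GET requests the report captured.
OBSERVED = [
    ("www.allfyllofficial.com", "lbEXvJ=BM8pWLo2liCp6ZW0oulSPGvnDMzVbQu2mhNtcpnMeN5lw4nyr3fndb0CaXopSlD2ZkNR&r0=EBw4_"),
    ("www.gushixiu.com", "lbEXvJ=DGQOt/v6Doko/GTzSubfaMuBKTlE+dhd6ldDf6bXzV/MdA1CNIu3fXU8hVK9hGwuq2Mc&r0=EBw4_"),
    ("www.awvpvkmzxa.com", "lbEXvJ=aL8GsdtRj731cmhv1dUVzhNUcGCzwOY8U67ftd+k/VcamZjvg+wNZXLAjQN4VnMEsIrX&r0=EBw4_"),
    ("www.w-hanaemi-personal.com", "lbEXvJ=/W5fPk/NpnLPoFsp6A4FmcLJD6bNeTnuhZMoGpKBjdAOAJE6XZncFA09XqCzfzF+ZU3u&r0=EBw4_"),
    ("www.stuntfighting.com", "lbEXvJ=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tq9cN+gNtTm5&r0=EBw4_"),
]

# A constructed ordinary browser request, for the negative case.
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\nConnection: close\r\n\r\n")

def build_request(host, path, query):
    """Rebuild the raw request as the report shows it: no User-Agent, Connection: close."""
    return ("GET %s?%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
            % (path, query, host)).encode("ascii")

def parse_request(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, qs = target.partition("?")
    # Split by hand: urllib.parse.parse_qs would turn '+' into a space and percent-decode,
    # hiding that the value is in the raw base64 alphabet.
    params = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in qs.split("&") if p]
    headers = {}
    for line in lines[1:]:
        hname, _, value = line.partition(":")
        headers[hname.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params, "headers": headers, "body": body}

B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
SHORT_PATH = re.compile(r"^/[a-z0-9]{2,8}/$")

def is_formbook_checkin(req):
    """Shape of the five requests above; heuristics, not a protocol specification."""
    h = req["headers"]
    if req["method"] != "GET" or not SHORT_PATH.match(req["path"]):
        return False
    if len(req["params"]) != 2:
        return False
    (_k1, v1), (_k2, v2) = req["params"]
    if not B64_VALUE.match(v1) or not 1 <= len(v2) <= 8:
        return False
    return "user-agent" not in h and h.get("connection", "").lower() == "close"

def _norm(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def classify_host(host, config):
    """'c2' if the host is the configured C2, 'decoy' if it is one of the decoys."""
    c2_hosts = {_norm(u.split("/", 1)[0]) for u in config["C2 list"]}
    decoys = {_norm(d) for d in config["decoy"]}
    n = _norm(host)
    return "c2" if n in c2_hosts else "decoy" if n in decoys else "unknown"

def c2_path(config):
    return "/" + config["C2 list"][0].split("/", 1)[1]

def triage(raw, config=CONFIG):
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    return {"host": host, "checkin": is_formbook_checkin(req),
            "path_matches_config": req["path"] == c2_path(config),
            "role": classify_host(host, config)}

def triage_observed(config=CONFIG):
    return [triage(build_request(h, "/b6cu/", q), config) for h, q in OBSERVED]

if __name__ == "__main__":
    for r in triage_observed():
        print("%-28s checkin=%s role=%s" % (r["host"], r["checkin"], r["role"]))
    print("benign request flagged:", triage(BENIGN)["checkin"])
```

The practical consequence for blocking: the decoy hosts are mostly legitimate sites, so a proxy denylist built from the traffic alone would block innocent domains, while the one entry worth blocking is the configured C2. Block on the host from the configuration and alert on the request shape.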

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match; the same three unpacked-PE and ten memory-dump file sources as listed under AV Detection above

          System Summary:

Malicious sample detected (through community Yara rule)
Each of the following sources matched both community rules, "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group):
Source: 5.2.Unpaid invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: 5.2.Unpaid invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.2.Unpaid invoice.exe.3eb70e0.1.raw.unpack, type: UNPACKEDPE
Source: 00000012.00000002.499873958.0000000002F90000.00000040.00020000.sdmp, type: MEMORY
Source: 00000001.00000002.245150214.0000000003DEB000.00000004.00000001.sdmp, type: MEMORY
Source: 00000006.00000000.294564046.00000000063D8000.00000040.00020000.sdmp, type: MEMORY
Source: 00000001.00000002.245025730.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: 00000006.00000000.275380459.00000000063D8000.00000040.00020000.sdmp, type: MEMORY
Source: 00000005.00000002.346119104.0000000000F50000.00000040.00020000.sdmp, type: MEMORY
Source: 00000005.00000002.342884658.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000002.499450563.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Source: 00000005.00000002.344039613.0000000000B00000.00000040.00020000.sdmp, type: MEMORY
Source: 00000012.00000002.498755726.0000000000BB0000.00000004.00000001.sdmp, type: MEMORY
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: Unpaid invoice.exe
.NET source code contains very large strings
Source: Unpaid invoice.exe, Forms/mainForm.cs; Long String: Length: 38272
Source: NBYchW.exe.1.dr, Forms/mainForm.cs; Long String: Length: 38272
Source: 1.0.Unpaid invoice.exe.910000.0.unpack, Forms/mainForm.cs; Long String: Length: 38272
Source: 1.2.Unpaid invoice.exe.910000.0.unpack, Forms/mainForm.cs; Long String: Length: 38272
Source: 5.2.Unpaid invoice.exe.510000.1.unpack, Forms/mainForm.cs; Long String: Length: 38272
Source: 5.0.Unpaid invoice.exe.510000.0.unpack, Forms/mainForm.cs; Long String: Length: 38272
Source: Unpaid invoice.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Matched rule metadata (identical for every source below):
Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Unpaid invoice.exe.400000.0.unpack, type: UNPACKEDPE; Matched rules: Formbook_1, Formbook
Source: 5.2.Unpaid invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rules: Formbook_1, Formbook
Source: 1.2.Unpaid invoice.exe.3eb70e0.1.raw.unpack, type: UNPACKEDPE; Matched rules: Formbook_1, Formbook
Source: 00000012.00000002.499873958.0000000002F90000.00000040.00020000.sdmp, type: MEMORY; Matched rules: Formbook_1, Formbook
Source: 00000001.00000002.245150214.0000000003DEB000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Formbook_1, Formbook
Source: 00000006.00000000.294564046.00000000063D8000.00000040.00020000.sdmp, type: MEMORY; Matched rules: Formbook_1, Formbook
Source: 00000001.00000002.245025730.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Formbook_1
          Source: 00000001.00000002.245025730.0000000003CF9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.275380459.00000000063D8000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.275380459.00000000063D8000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.346119104.0000000000F50000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.346119104.0000000000F50000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.342884658.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.342884658.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.499450563.0000000002E90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.499450563.0000000002E90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.344039613.0000000000B00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.344039613.0000000000B00000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.498755726.0000000000BB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.498755726.0000000000BB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 1_2_012BC124
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 1_2_012BE563
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 1_2_012BE570
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_0041C824
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_0041B9D3
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_0041C254
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_0041CBD2
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_00408C6B
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_00408C70
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_0041CEBE
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_0041BF72
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_0041B731
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A5EBB0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03AF1FF1
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03AF2B28
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03AF22AE
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03AF2EF7
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A46E30
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A52581
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A3D5E0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A20D20
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A44120
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A2F900
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03AF2D07
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03AF1D55
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A520A0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03AF20A8
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A3B090
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03AE1002
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A3841F
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FAC254
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FAC824
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FAB9D3
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02F92FB0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FABF72
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FAB731
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02F98C70
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02F98C6B
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02F92D90
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 03A2B150 appears 35 times
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_004181D0 NtCreateFile
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_00418280 NtReadFile
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_00418300 NtClose
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_004183B0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_004181CA NtCreateFile
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_0041827A NtReadFile
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_004182CA NtReadFile
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_004182FA NtClose
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Code function: 5_2_004183AB NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A696E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A696D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A699A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A695D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A697A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A6A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A6A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69760 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A6A770 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69A20 NtResumeThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69A10 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A695F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A699D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A6AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69560 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A698A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A698F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A69820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_03A6B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FA8280 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FA83B0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FA8300 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FA81D0 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FA82FA NtClose
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FA82CA NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FA827A NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FA83AB NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_02FA81CA NtCreateFile
          Source: Unpaid invoice.exe, 00000001.00000002.245150214.0000000003DEB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Unpaid invoice.exe
          Source: Unpaid invoice.exe, 00000001.00000002.243681974.000000000099C000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameReco.exe4 vs Unpaid invoice.exe
          Source: Unpaid invoice.exe, 00000005.00000002.350097337.00000000010AF000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs Unpaid invoice.exe
          Source: Unpaid invoice.exe, 00000005.00000002.343735500.000000000059C000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameReco.exe4 vs Unpaid invoice.exe
          Source: Unpaid invoice.exe, 00000005.00000002.351602901.0000000002FAB000.00000040.00020000.sdmp; Binary or memory string: OriginalFilenamesvchost.exej% vs Unpaid invoice.exe
          Source: Unpaid invoice.exe; Binary or memory string: OriginalFilenameReco.exe4 vs Unpaid invoice.exe
          Source: Unpaid invoice.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: NBYchW.exe.1.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Unpaid invoice.exe; Virustotal: Detection: 26%
          Source: Unpaid invoice.exe; ReversingLabs: Detection: 22%
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; File read: C:\Users\user\Desktop\Unpaid invoice.exe
          Source: Unpaid invoice.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown; Process created: C:\Users\user\Desktop\Unpaid invoice.exe 'C:\Users\user\Desktop\Unpaid invoice.exe'
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NBYchW' /XML 'C:\Users\user\AppData\Local\Temp\tmpC99D.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Process created: C:\Users\user\Desktop\Unpaid invoice.exe C:\Users\user\Desktop\Unpaid invoice.exe
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Unpaid invoice.exe'
          Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NBYchW' /XML 'C:\Users\user\AppData\Local\Temp\tmpC99D.tmp'
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Process created: C:\Users\user\Desktop\Unpaid invoice.exe C:\Users\user\Desktop\Unpaid invoice.exe
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Unpaid invoice.exe'
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; File created: C:\Users\user\AppData\Roaming\NBYchW.exe
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; File created: C:\Users\user\AppData\Local\Temp\tmpC99D.tmp
          Source: classification engine; Classification label: mal100.troj.evad.winEXE@11/4@8/5
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5760:120:WilError_01
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; Mutant created: \Sessions\1\BaseNamedObjects\DDjtSemfjAeeAmIBmeRdDUa
          Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
          Source: Unpaid invoice.exe, Forms/mainForm.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: NBYchW.exe.1.dr, Forms/mainForm.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.0.Unpaid invoice.exe.910000.0.unpack, Forms/mainForm.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.2.Unpaid invoice.exe.910000.0.unpack, Forms/mainForm.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 5.2.Unpaid invoice.exe.510000.1.unpack, Forms/mainForm.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 5.0.Unpaid invoice.exe.510000.0.unpack, Forms/mainForm.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\Unpaid invoice.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Unpaid invoice.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Unpaid invoice.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Unpaid invoice.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP; source: Unpaid invoice.exe, 00000005.00000002.350097337.00000000010AF000.00000040.00000001.sdmp, svchost.exe, 00000012.00000003.346087323.0000000003800000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb; source: Unpaid invoice.exe, 00000005.00000002.350097337.00000000010AF000.00000040.00000001.sdmp, svchost.exe
          Source: Binary string: svchost.pdb; source: Unpaid invoice.exe, 00000005.00000002.351579922.0000000002FA0000.00000040.00020000.sdmp
          Source: Binary string: svchost.pdbUGP; source: Unpaid invoice.exe, 00000005.00000002.351579922.0000000002FA0000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Unpaid invoice.exe, Forms/mainForm.cs; .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: NBYchW.exe.1.dr, Forms/mainForm.cs; .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.Unpaid invoice.exe.910000.0.unpack, Forms/mainForm.cs; .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.Unpaid invoice.exe.910000.0.unpack, Forms/mainForm.cs; .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.2.Unpaid invoice.exe.