Windows Analysis Report scan files 15-9-21.exe

Overview

General Information

Sample Name: scan files 15-9-21.exe
Analysis ID: 483582
MD5: 00e32d8a2cbd54e967bfc8f512086ecf
SHA1: f51b70a2117089a87b0daf6f179a3b492acf58f2
SHA256: 36d409b61a0f456cb3e593338ebf2db1fae38ea645392d98030bc7e7a0eb9a3c
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • scan files 15-9-21.exe (PID: 6752 cmdline: 'C:\Users\user\Desktop\scan files 15-9-21.exe' MD5: 00E32D8A2CBD54E967BFC8F512086ECF)
    • scan files 15-9-21.exe (PID: 6920 cmdline: C:\Users\user\Desktop\scan files 15-9-21.exe MD5: 00E32D8A2CBD54E967BFC8F512086ECF)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • WWAHost.exe (PID: 4068 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 5336 cmdline: /c del 'C:\Users\user\Desktop\scan files 15-9-21.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.lifewithbriana.com/mej0/"], "decoy": ["mtxs8.com", "quickskiplondon.com", "sltplanner.com", "generatedate.com", "amsinspections.com", "tomrings.com", "109friends.com", "freelovereading.com", "avalapartners.com", "nordiqueluxury.com", "inmbex.com", "everybankatm.com", "bo1899.com", "ashymeadow.com", "pubgm-chickendinner.com", "takudolunch.com", "carlagremiao.com", "actonetheatre.com", "wemhealth.com", "khasomat.net", "lartiqueusa.com", "singularity.institute", "ashsgx567d.com", "sequoiaparts.net", "ujriksalead.com", "ag99.xyz", "isabeltimon.com", "bijyo-topic.site", "homefuels.energy", "2ofakinddesigns.com", "iggglobal.com", "ravenlightproductions.com", "magicaltransform.com", "2936vaquero.com", "essentialme.network", "thebrathouse.info", "tecstrong.net", "ayulaksmi.com", "maximebazerque.com", "bankdj.com", "pizzaoff.com", "eastcohemp.com", "acordolimpo.com", "mediacpstreamchile.com", "wholesalefleuerdelis.com", "chuangyuanfz.com", "getcenteredwithclay.com", "retaboo.com", "ikonicboatcharters.com", "parakhonskiy.com", "tropical-therapy.com", "metropitstop.com", "municipiodeanton.net", "valorplanodesaudemaranhao.info", "alibabakanaat.com", "creditsoptionsnow.com", "arabgerman.digital", "webspazio.com", "sunsyncindia.com", "jlsolutionspty.com", "almightyamerican.com", "nadirshirts.com", "gdxinmu.com", "postcaremedical.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.scan files 15-9-21.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.scan files 15-9-21.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.scan files 15-9-21.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
2.2.scan files 15-9-21.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.scan files 15-9-21.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.lifewithbriana.com/mej0/"], "decoy": ["mtxs8.com", "quickskiplondon.com", "sltplanner.com", "generatedate.com", "amsinspections.com", "tomrings.com", "109friends.com", "freelovereading.com", "avalapartners.com", "nordiqueluxury.com", "inmbex.com", "everybankatm.com", "bo1899.com", "ashymeadow.com", "pubgm-chickendinner.com", "takudolunch.com", "carlagremiao.com", "actonetheatre.com", "wemhealth.com", "khasomat.net", "lartiqueusa.com", "singularity.institute", "ashsgx567d.com", "sequoiaparts.net", "ujriksalead.com", "ag99.xyz", "isabeltimon.com", "bijyo-topic.site", "homefuels.energy", "2ofakinddesigns.com", "iggglobal.com", "ravenlightproductions.com", "magicaltransform.com", "2936vaquero.com", "essentialme.network", "thebrathouse.info", "tecstrong.net", "ayulaksmi.com", "maximebazerque.com", "bankdj.com", "pizzaoff.com", "eastcohemp.com", "acordolimpo.com", "mediacpstreamchile.com", "wholesalefleuerdelis.com", "chuangyuanfz.com", "getcenteredwithclay.com", "retaboo.com", "ikonicboatcharters.com", "parakhonskiy.com", "tropical-therapy.com", "metropitstop.com", "municipiodeanton.net", "valorplanodesaudemaranhao.info", "alibabakanaat.com", "creditsoptionsnow.com", "arabgerman.digital", "webspazio.com", "sunsyncindia.com", "jlsolutionspty.com", "almightyamerican.com", "nadirshirts.com", "gdxinmu.com", "postcaremedical.com"]}
Multi AV Scanner detection for submitted file
Source: scan files 15-9-21.exe | Virustotal: Detection: 29%
Source: scan files 15-9-21.exe | ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match | File source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: scan files 15-9-21.exe | Joe Sandbox ML: detected
Source: 2.2.scan files 15-9-21.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: scan files 15-9-21.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: scan files 15-9-21.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WWAHost.pdb | source: scan files 15-9-21.exe, 00000002.00000003.335101550.0000000003940000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP | source: scan files 15-9-21.exe, 00000002.00000003.335101550.0000000003940000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: scan files 15-9-21.exe, 00000002.00000002.343119287.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe, 0000000D.00000002.525382273.0000000003640000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: scan files 15-9-21.exe, 00000002.00000002.343119287.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe
Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 4x nop then pop ebx | 2_2_00406A97
Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 4x nop then pop edi | 2_2_00415692
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop ebx | 13_2_00876A97
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop edi | 13_2_00885692

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49777 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49777 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49777 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49779 -> 35.237.65.63:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49779 -> 35.237.65.63:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49779 -> 35.237.65.63:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49785 -> 99.83.154.118:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49785 -> 99.83.154.118:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49785 -> 99.83.154.118:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.valorplanodesaudemaranhao.info
Source: C:\Windows\explorer.exe | Network Connect: 172.67.196.84 80
Source: C:\Windows\explorer.exe | Domain query: www.everybankatm.com
Source: C:\Windows\explorer.exe | Domain query: www.nordiqueluxury.com
Source: C:\Windows\explorer.exe | Domain query: www.quickskiplondon.com
Source: C:\Windows\explorer.exe | Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe | Domain query: www.singularity.institute
Source: C:\Windows\explorer.exe | Domain query: www.parakhonskiy.com
Source: C:\Windows\explorer.exe | Domain query: www.lifewithbriana.com
Source: C:\Windows\explorer.exe | Network Connect: 35.237.65.63 80
Source: C:\Windows\explorer.exe | Network Connect: 84.34.147.60 80
Source: C:\Windows\explorer.exe | Domain query: www.municipiodeanton.net
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.lifewithbriana.com/mej0/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: TSF-IP-CORETeliaFinlandOyjEU TSF-IP-CORETeliaFinlandOyjEU
Source: global traffic | HTTP traffic detected: GET /mej0/?ZTSpa=l0iLI2tDMbyWX17YzQI3VU6Ovc+Srds2u4QKsmMGezHC91xioYtP6wjZJcIMhpUbXqNeFFgVfw==&vP=JtCxKN HTTP/1.1 | Host: www.nordiqueluxury.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mej0/?ZTSpa=JBp6XH2M4Q0SiKTdqMGnH1VhHOjyZ1YS2BfWCv8a5VwMthBJctfaCfrdZAs0prUxB4i8ziLjxQ==&vP=JtCxKN HTTP/1.1 | Host: www.valorplanodesaudemaranhao.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mej0/?ZTSpa=KB5aME/wLlFyZRHVaeByRa16oaYSLG5vTwTmPkRiuCF7mWnEGcyzal0mWpntA1EdT4HAAexMQQ==&vP=JtCxKN HTTP/1.1 | Host: www.municipiodeanton.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mej0/?ZTSpa=a/1Q0lHImOSlB3OMiE52M5irpU60+rDCM9jGEsCAFmqZfqxrPXb+yY2uJ0P5II+wgFq1rM2W6g==&vP=JtCxKN HTTP/1.1 | Host: www.quickskiplondon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mej0/?ZTSpa=RzUuUNIP5w6/jz6u/3nPHL71H0tFSqxvyYqd1E+XwjP7nDbVm/SW3vaLh5vwv8/S3nR/rxiqcA==&vP=JtCxKN HTTP/1.1 | Host: www.singularity.institute | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: explorer.exe, 00000003.00000000.270733342.000000000686B000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown | DNS traffic detected: queries for: www.parakhonskiy.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: scan files 15-9-21.exe, Forms/mainForm.cs | Long String: Length: 38272
Source: 0.0.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 0.2.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 2.2.scan files 15-9-21.exe.fd0000.1.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 2.0.scan files 15-9-21.exe.fd0000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: scan files 15-9-21.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_028530C0
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_02856150
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_028530B2
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_028514FA
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_02851448
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_02851458
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_02850D88
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_02850D98
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_02852DD7
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_02852DE8
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E847B0
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E8804C
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E8BF38
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E8EACB
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E847A3
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E8A100
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E88104
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_00401174
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041B9BD
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041BA6D
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041C31E
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041CB97
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_00408C60
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_00402D87
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041C597
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041C77C
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041BFCB
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041B7E3
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_00402FB0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0369EBB0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_03686E30
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_03731D55
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_03660D20
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_03684120
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0366F900
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0367D5E0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_03692581
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_03721002
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0367841F
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036920A0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0367B090
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088CB97
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_00878C60
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_00872D87
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_00872D90
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088C597
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_00872FB0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088B7E3
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088C77C
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 0366B150 appears 32 times
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_004181C0 NtCreateFile
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_00418270 NtReadFile
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_004182F0 NtClose
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_004183A0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041826A NtReadFile
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041839A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036AA770 NtOpenThread
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036AA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036AA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9560 NtWriteFile
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036AAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036AB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036A98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_008881C0 NtCreateFile
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_008882F0 NtClose
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_00888270 NtReadFile
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_008883A0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088826A NtReadFile
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088839A NtAllocateVirtualMemory
          Source: scan files 15-9-21.exe, 00000000.00000002.263517285.0000000005A70000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs scan files 15-9-21.exe
          Source: scan files 15-9-21.exe, 00000000.00000002.262075156.0000000002987000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs scan files 15-9-21.exe
          Source: scan files 15-9-21.exe, 00000000.00000002.261491768.000000000060E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIObserv.exe4 vs scan files 15-9-21.exe
          Source: scan files 15-9-21.exe, 00000002.00000003.335101550.0000000003940000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWWAHost.exej% vs scan files 15-9-21.exe
          Source: scan files 15-9-21.exe, 00000002.00000000.260672638.000000000105E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIObserv.exe4 vs scan files 15-9-21.exe
          Source: scan files 15-9-21.exe, 00000002.00000002.343331105.0000000001BDF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs scan files 15-9-21.exe
          Source: scan files 15-9-21.exe | Binary or memory string: OriginalFilenameIObserv.exe4 vs scan files 15-9-21.exe
          Source: scan files 15-9-21.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: scan files 15-9-21.exe | Virustotal: Detection: 29%
          Source: scan files 15-9-21.exe | ReversingLabs: Detection: 26%
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\scan files 15-9-21.exe 'C:\Users\user\Desktop\scan files 15-9-21.exe'
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Process created: C:\Users\user\Desktop\scan files 15-9-21.exe C:\Users\user\Desktop\scan files 15-9-21.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\scan files 15-9-21.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\scan files 15-9-21.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@10/4
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2752:120:WilError_01
          Source: scan files 15-9-21.exe, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.0.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.2.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 2.2.scan files 15-9-21.exe.fd0000.1.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 2.0.scan files 15-9-21.exe.fd0000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: scan files 15-9-21.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: scan files 15-9-21.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: scan files 15-9-21.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: WWAHost.pdb | source: scan files 15-9-21.exe, 00000002.00000003.335101550.0000000003940000.00000004.00000001.sdmp
          Source: Binary string: WWAHost.pdbUGP | source: scan files 15-9-21.exe, 00000002.00000003.335101550.0000000003940000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP | source: scan files 15-9-21.exe, 00000002.00000002.343119287.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe, 0000000D.00000002.525382273.0000000003640000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb | source: scan files 15-9-21.exe, 00000002.00000002.343119287.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: scan files 15-9-21.exe, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.scan files 15-9-21.exe.fd0000.1.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.scan files 15-9-21.exe.fd0000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E8E622 push 0000001Ah; retf 0_2_04E8E624
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E8D131 push 0000001Ah; retf 0_2_04E8D133
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E8E8E8 push 0000001Ah; retf 0_2_04E8E907
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 0_2_04E8EA5C push 0000001Ah; retf 0_2_04E8EA5E
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041C949 push ecx; ret 2_2_0041C91E
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0040429D pushfd ; iretd 2_2_0040429E
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041B3B5 push eax; ret 2_2_0041B408
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041B46C push eax; ret 2_2_0041B472
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041B402 push eax; ret 2_2_0041B408
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Code function: 2_2_0041B40B push eax; ret 2_2_0041B472
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_036BD0D1 push ecx; ret 13_2_036BD0E4
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088C949 push ecx; ret 13_2_0088C91E
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0087429D pushfd ; iretd 13_2_0087429E
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088B3B5 push eax; ret 13_2_0088B408
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088B40B push eax; ret 13_2_0088B472
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088B402 push eax; ret 13_2_0088B408
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 13_2_0088B46C push eax; ret 13_2_0088B472
          Source: scan files 15-9-21.exe | Static PE information: 0xEB59C8A3 [Mon Feb 14 13:50:27 2095 UTC]
          Source: initial sample | Static PE information: section name: .text entropy: 7.20919367006

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: /c del 'C:\Users\user\Desktop\scan files 15-9-21.exe'
          Source: C:\Users\user\Desktop\scan files 15-9-21.exe | Process information set: NOOPENFILEERRORBOX