
Windows Analysis Report PI L032452021xxls.exe

Overview

General Information

Sample Name: PI L032452021xxls.exe
Analysis ID: 483590
MD5: 73c7fda15888b3b6cc025ce3d5f83161
SHA1: 78b8467853dc5bdba4dd28a8602902fcc210f67c
SHA256: 69394a249833f97289151fa8334f32e0b0467ce4ecb164b0706784fb836136a6
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)


Process Tree

  • System is w10x64
  • PI L032452021xxls.exe (PID: 660 cmdline: 'C:\Users\user\Desktop\PI L032452021xxls.exe' MD5: 73C7FDA15888B3B6CC025CE3D5F83161)
    • PI L032452021xxls.exe (PID: 6756 cmdline: C:\Users\user\Desktop\PI L032452021xxls.exe MD5: 73C7FDA15888B3B6CC025CE3D5F83161)
    • PI L032452021xxls.exe (PID: 6780 cmdline: C:\Users\user\Desktop\PI L032452021xxls.exe MD5: 73C7FDA15888B3B6CC025CE3D5F83161)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 4456 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • msdt.exe (PID: 5316 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5436 cmdline: /c del 'C:\Users\user\Desktop\PI L032452021xxls.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.barry-associates.com/ergs/"], "decoy": ["jardineriavilanova.com", "highkeyfashionboutique.com", "willingtobuyyourhouse.com", "ysfno.com", "bjkhjzzs.com", "hexmotif.com", "intentionalerror.com", "nuu-foundfreedom.com", "catalystspeechservices.com", "blackmybail.com", "xntaobaozhibo.com", "site-sozdat.online", "45quisisanadr.com", "ipawlove.com", "yifa5188.com", "admm.email", "houseoftealbh.com", "scale-biz.com", "vdvppt.club", "loveandlight.life", "529jpmorgan.com", "pupupe.com", "asantejaratmavi.com", "stereovisionstudio.com", "anhhoangnhatle.com", "robrowerealestate.com", "accessorthopaedics.com", "vanaform.com", "hataribeauty.com", "karnez.net", "meghanariana.com", "lawboutique30.com", "sailoame.com", "waystoearnmoneyontheside.com", "alkalides.com", "finqian.com", "ic-video-editing.co.uk", "vomartdesign.xyz", "xn--icknb7d2bb8tv280bco4a.com", "containerreefer.com", "maison-connect.com", "fbtowww.com", "phoenizoo.com", "bet365l6.com", "royalglossesbss.com", "justiceforashleymoore.com", "hupubets.com", "technomarkets.info", "ahhaads.com", "vvbeautystudio.com", "ddogo2o4r.online", "ameliefantaisie.com", "signupforhuntington.com", "antibodycovid19testkit.com", "kuznecova.center", "yuxingo.com", "heseasy.site", "wilmingtondollshow.com", "196197.com", "domineaconfeitaria.com", "veryzocn.com", "regenerativesouls.com", "llamshop.com", "miami-autoparts.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000006.00000002.476678595.0000000000CE0000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000006.00000002.476370627.0000000000CB0000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

24 further memory-dump entries not shown.

      Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 6.2.PI L032452021xxls.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x17609:$sqlite3step: 68 34 1C 7B E1
    • 0x1771c:$sqlite3step: 68 34 1C 7B E1
    • 0x17638:$sqlite3text: 68 38 2A 90 C5
    • 0x1775d:$sqlite3text: 68 38 2A 90 C5
    • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17773:$sqlite3blob: 68 53 D8 7F 8C

Source: 6.2.PI L032452021xxls.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

1 further unpacked-PE entry not shown.
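The two rule families above match different things. The yara-signator sequences are raw opcode bytes; $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, which is the RDTSC timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature. The JPCERT/CC strings are each a five-byte push imm32 (opcode 68) whose operand, going by the string names, is the hashed name of a sqlite3 API the stealer resolves at runtime (sqlite3_step and, presumably, sqlite3_column_text and sqlite3_column_blob, used to read browser credential databases). The Python scanner below is an added example, neither the Yara rules themselves nor code from the report: it searches a buffer for those exact byte patterns, decodes the push operands, and reports offsets the way the overview does. The rule conditions are not printed in the report, so the thresholds used here (all three JPCERT strings; at least 7 of the 10 sequences) are assumptions, and the test buffer is constructed.

```python
import struct

# Patterns copied from the report's Yara Overview (JPCERT/CC 'Formbook' rule
# strings and the yara-signator 'Formbook_1' sequences).
JPCERT_STRINGS = {
    "$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}
SIGNATOR_SEQUENCES = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax: the RDTSC timing check
    "$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    "$sequence_1": bytes.fromhex("3C 24 0F 84 76 FF FF FF 3C 25 74 94"),
    "$sequence_2": bytes.fromhex("3B 4F 14 73 95 85 C9 74 91"),
    "$sequence_3": bytes.fromhex("3C 69 75 44 8B 7D 18 8B 0F"),
    "$sequence_4": bytes.fromhex("5D C3 8D 50 7C 80 FA 07"),
    "$sequence_5": bytes.fromhex("0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06"),
    "$sequence_6": bytes.fromhex("57 89 45 FC 89 45 F4 89 45 F8"),
    "$sequence_7": bytes.fromhex("66 89 0C 02 5B 8B E5 5D"),
    "$sequence_8": bytes.fromhex("3C 54 74 04 3C 74 75 F4"),
    "$sequence_9": bytes.fromhex("56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00"),
}
# The rules' conditions are not shown in the report; these thresholds are assumed.
JPCERT_REQUIRED = 3     # all three sqlite3 pushes
SIGNATOR_REQUIRED = 7   # at least 7 of the 10 sequences


def find_all(buf, pattern):
    """Every offset at which pattern occurs in buf (overlaps included)."""
    offsets, start = [], 0
    while (idx := buf.find(pattern, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def decode_push_imm32(buf, offset):
    """Operand of a 'push imm32' (opcode 0x68) at offset; None if not a push."""
    if offset + 5 > len(buf) or buf[offset] != 0x68:
        return None
    return struct.unpack_from("<I", buf, offset + 1)[0]


def scan_formbook(buf):
    """Offsets per string plus a verdict per rule under the thresholds above."""
    jp = {name: find_all(buf, pat) for name, pat in JPCERT_STRINGS.items()}
    sg = {name: find_all(buf, pat) for name, pat in SIGNATOR_SEQUENCES.items()}
    return {
        "jpcert": jp,
        "jpcert_hit": sum(1 for v in jp.values() if v) >= JPCERT_REQUIRED,
        "signator": sg,
        "signator_hit": sum(1 for v in sg.values() if v) >= SIGNATOR_REQUIRED,
    }


def build_sample():
    """Constructed test buffer: 0xCC filler with patterns planted at known
    offsets (0xCC occurs in none of the patterns, so no accidental matches)."""
    buf = bytearray(b"\xcc" * 0x400)
    layout = {0x020: JPCERT_STRINGS["$sqlite3step"],
              0x040: JPCERT_STRINGS["$sqlite3text"],
              0x060: JPCERT_STRINGS["$sqlite3blob"],
              0x080: SIGNATOR_SEQUENCES["$sequence_0"],
              0x100: SIGNATOR_SEQUENCES["$sequence_0"],
              0x120: SIGNATOR_SEQUENCES["$sequence_7"]}
    for off, pat in layout.items():
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = scan_formbook(data)
    for name, offs in result["jpcert"].items():
        for off in offs:
            print(f"{off:#08x} {name} push {decode_push_imm32(data, off):#010x}")
    print("JPCERT rule:", result["jpcert_hit"], " yara-signator rule:", result["signator_hit"])
```

Run it against a dumped region (`python scan.py dump.bin`) to confirm a hit before attributing a sample on a single string. Offsets are relative to whatever buffer you pass, which is why the report lists different offsets for the .unpack and .raw.unpack views of the same region (0x8ae8 versus 0x98e8 for $sequence_0).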

          Sigma Overview

          System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4
Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 5316
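The Sigma hit fires on msdt.exe's image name alone (the matched data carries no arguments), so by itself it is a weak signal. What makes this execution FormBook is the surrounding shape recorded in the process tree: explorer.exe, the injection target, starting SysWOW64 binaries with empty command lines (autoconv.exe, msdt.exe), the injected msdt.exe running cmd.exe /c del against the original sample path, and explorer.exe itself opening connections to external hosts on port 80. The Python below is an added example, not a Sigma rule from the report and not Joe Sandbox code: it encodes those three behaviours as detections over Sysmon-style ProcessCreate and NetworkConnect events, here constructed from the report's tree (field names follow Sysmon; the parent of the first sample process is not given in the report and is left blank).

```python
import ipaddress
import re

SAMPLE = r"C:\Users\user\Desktop\PI L032452021xxls.exe"
SYSWOW64 = "c:\\windows\\syswow64\\"
# System processes that should not be talking to arbitrary external web hosts.
# Only explorer.exe is listed because that is what the report shows; extend as needed.
WATCHED_SYSTEM_PROCESSES = {"explorer.exe"}


def pc(pid, ppid, image, cmdline, parent_image):
    return {"EventType": "ProcessCreate", "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmdline, "ParentImage": parent_image}


def nc(pid, image, ip, port):
    return {"EventType": "NetworkConnect", "ProcessId": pid, "Image": image,
            "DestinationIp": ip, "DestinationPort": port}


# Constructed Sysmon-style events reproducing the report's process tree and the
# two explorer.exe connections. Real Sysmon records carry more fields.
EVENTS = [
    pc(660, 0, SAMPLE, f'"{SAMPLE}"', ""),
    pc(6756, 660, SAMPLE, SAMPLE, SAMPLE),
    pc(6780, 660, SAMPLE, SAMPLE, SAMPLE),
    pc(4456, 3440, r"C:\Windows\SysWOW64\autoconv.exe",
       r"C:\Windows\SysWOW64\autoconv.exe", r"C:\Windows\explorer.exe"),
    pc(5316, 3440, r"C:\Windows\SysWOW64\msdt.exe",
       r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\explorer.exe"),
    pc(5436, 5316, r"C:\Windows\SysWOW64\cmd.exe",
       f'cmd.exe /c del "{SAMPLE}"', r"C:\Windows\SysWOW64\msdt.exe"),
    pc(5224, 5436, r"C:\Windows\System32\conhost.exe",
       r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", r"C:\Windows\SysWOW64\cmd.exe"),
    nc(3440, r"C:\Windows\explorer.exe", "23.227.38.74", 80),
    nc(3440, r"C:\Windows\explorer.exe", "99.83.154.118", 80),
]

# '/c del [/flags] "path"' with double, single or no quotes around the path.
DEL_RE = re.compile(r"""/c\s+del\b\s*(?:/\w+\s+)*["']?([^"']+?)["']?\s*$""", re.I)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect_explorer_lolbin(events):
    """explorer.exe starting a SysWOW64 binary with no arguments: the shape the
    injected explorer.exe produces here (autoconv.exe, msdt.exe)."""
    hits = []
    for ev in events:
        if ev["EventType"] != "ProcessCreate":
            continue
        image = ev["Image"].lower()
        no_args = ev["CommandLine"].strip().strip('"').lower() == image
        if basename(ev["ParentImage"]) == "explorer.exe" and image.startswith(SYSWOW64) and no_args:
            hits.append({"rule": "explorer_spawns_syswow64_binary_without_args",
                         "pid": ev["ProcessId"], "image": ev["Image"]})
    return hits


def detect_self_delete(events):
    """cmd.exe /c del whose target is the image of a process already seen."""
    images = {}
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            images.setdefault(ev["Image"].lower(), []).append(ev["ProcessId"])
    hits = []
    for ev in events:
        if ev["EventType"] != "ProcessCreate" or basename(ev["Image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(ev["CommandLine"])
        if m and m.group(1).lower() in images:
            hits.append({"rule": "cmd_deletes_running_sample", "pid": ev["ProcessId"],
                         "deleted": m.group(1), "matches_image_of": images[m.group(1).lower()]})
    return hits


def detect_system_process_network(events):
    """A watched system process connecting to a public address."""
    hits = []
    for ev in events:
        if ev["EventType"] != "NetworkConnect" or basename(ev["Image"]) not in WATCHED_SYSTEM_PROCESSES:
            continue
        if ipaddress.ip_address(ev["DestinationIp"]).is_global:
            hits.append({"rule": "system_process_network_connect", "pid": ev["ProcessId"],
                         "dest": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'})
    return hits


def run_detections(events):
    return (detect_explorer_lolbin(events) + detect_self_delete(events)
            + detect_system_process_network(events))


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The first two rules are high fidelity on their own; the network rule is a correlation input rather than a stand-alone alert, because explorer.exe does open legitimate connections on ordinary hosts. The report renders the deletion command with single quotes around the path; the regex accepts either quoting.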

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000006.00000002.476678595.0000000000CE0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.barry-associates.com/ergs/"], "decoy": ["jardineriavilanova.com", "highkeyfashionboutique.com", "willingtobuyyourhouse.com", "ysfno.com", "bjkhjzzs.com", "hexmotif.com", "intentionalerror.com", "nuu-foundfreedom.com", "catalystspeechservices.com", "blackmybail.com", "xntaobaozhibo.com", "site-sozdat.online", "45quisisanadr.com", "ipawlove.com", "yifa5188.com", "admm.email", "houseoftealbh.com", "scale-biz.com", "vdvppt.club", "loveandlight.life", "529jpmorgan.com", "pupupe.com", "asantejaratmavi.com", "stereovisionstudio.com", "anhhoangnhatle.com", "robrowerealestate.com", "accessorthopaedics.com", "vanaform.com", "hataribeauty.com", "karnez.net", "meghanariana.com", "lawboutique30.com", "sailoame.com", "waystoearnmoneyontheside.com", "alkalides.com", "finqian.com", "ic-video-editing.co.uk", "vomartdesign.xyz", "xn--icknb7d2bb8tv280bco4a.com", "containerreefer.com", "maison-connect.com", "fbtowww.com", "phoenizoo.com", "bet365l6.com", "royalglossesbss.com", "justiceforashleymoore.com", "hupubets.com", "technomarkets.info", "ahhaads.com", "vvbeautystudio.com", "ddogo2o4r.online", "ameliefantaisie.com", "signupforhuntington.com", "antibodycovid19testkit.com", "kuznecova.center", "yuxingo.com", "heseasy.site", "wilmingtondollshow.com", "196197.com", "domineaconfeitaria.com", "veryzocn.com", "regenerativesouls.com", "llamshop.com", "miami-autoparts.com"]}
Multi AV Scanner detection for submitted file
Source: PI L032452021xxls.exe | Virustotal: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 6.2.PI L032452021xxls.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.PI L032452021xxls.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.476678595.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.476370627.0000000000CB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.416682205.0000000007630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.622477273.0000000003370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.475476363.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.619318186.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.438420225.0000000007630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.622417859.0000000003340000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.385908241.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.barry-associates.com/ergs/ | Avira URL Cloud: Label: malware
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.PI L032452021xxls.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: PI L032452021xxls.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PI L032452021xxls.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL | source: PI L032452021xxls.exe, 00000006.00000002.479958779.0000000003190000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: PI L032452021xxls.exe, 00000006.00000002.477252553.000000000123F000.00000040.00000001.sdmp, msdt.exe, 00000011.00000002.628655231.0000000005090000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PI L032452021xxls.exe, 00000006.00000002.477252553.000000000123F000.00000040.00000001.sdmp, msdt.exe
Source: Binary string: msdt.pdb | source: PI L032452021xxls.exe, 00000006.00000002.479958779.0000000003190000.00000040.00020000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 4x nop then pop esi | 6_2_004172E5
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop esi | 17_2_00D372E5

          Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe | Domain query: www.karnez.net
Source: C:\Windows\explorer.exe | Domain query: www.vdvppt.club
Source: C:\Windows\explorer.exe | Network Connect: 99.83.154.118 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.barry-associates.com/ergs/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected:
  GET /ergs/?rt=jBPLMP3h1LcdC&J8uTkT=JWbjbWIzi5Xd8qR/4tQdqrKkFdlvhz2KwPZGVEcCMD5MfsK3CM+df9zTKLP63o3kNg3XOCoErQ== HTTP/1.1
  Host: www.vdvppt.club
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /ergs/?J8uTkT=c9bkYQKJ+lNI6VVZ5eI1zueoz+82ajOViy0Ll3ZdIgo7PyasuomRPuIVCCVSa7haztcFmZ8CSw==&rt=jBPLMP3h1LcdC HTTP/1.1
  Host: www.karnez.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Both requested hosts are entries of the configuration's decoy list, both requests use the configured C2 URI path /ergs/ and carry no User-Agent header, and no request to the configured C2 host www.barry-associates.com appears in the captured traffic.
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 23.227.38.74
The remaining strings found in memory are font-foundry and licence URLs of the kind carried in font files' metadata, plus an AutoIt URL in explorer.exe's own memory; none of them appears in the captured DNS or HTTP traffic.
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PI L032452021xxls.exe, 00000000.00000003.361054370.000000000587D000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 00000007.00000000.429962276.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PI L032452021xxls.exe, 00000000.00000003.362750701.0000000005876000.00000004.00000001.sdmp, PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PI L032452021xxls.exe, 00000000.00000003.362716752.00000000058AE000.00000004.00000001.sdmp, PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PI L032452021xxls.exe, 00000000.00000003.362750701.0000000005876000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: PI L032452021xxls.exe, 00000000.00000002.391202739.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comIr
Source: PI L032452021xxls.exe, 00000000.00000003.362750701.0000000005876000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comT.TTFlr9=e
Source: PI L032452021xxls.exe, 00000000.00000003.362750701.0000000005876000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: PI L032452021xxls.exe, 00000000.00000003.362750701.0000000005876000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed?rl=
Source: PI L032452021xxls.exe, 00000000.00000003.362750701.0000000005876000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessedIr
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PI L032452021xxls.exe, 00000000.00000003.357574592.0000000005876000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.c
Source: PI L032452021xxls.exe, 00000000.00000003.357173176.000000000587B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PI L032452021xxls.exe, 00000000.00000003.358089167.000000000587F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn-
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PI L032452021xxls.exe, 00000000.00000003.358089167.000000000587F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna
Source: PI L032452021xxls.exe, 00000000.00000003.357173176.000000000587B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd.
Source: PI L032452021xxls.exe, 00000000.00000003.365423437.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PI L032452021xxls.exe, 00000000.00000003.365423437.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmB
Source: PI L032452021xxls.exe, 00000000.00000003.365423437.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmjf
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PI L032452021xxls.exe, 00000000.00000003.360266825.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/&rg=
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-r~=
Source: PI L032452021xxls.exe, 00000000.00000003.360266825.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//nn~r/=e
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/0r
Source: PI L032452021xxls.exe, 00000000.00000003.360266825.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Br
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Ian
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Ir
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Sue
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Webd
Source: PI L032452021xxls.exe, 00000000.00000003.358957608.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-d-r~=
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/aniewr
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/er&=p
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ers
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp, PI L032452021xxls.exe, 00000000.00000003.360266825.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PI L032452021xxls.exe, 00000000.00000003.360266825.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-r~=
Source: PI L032452021xxls.exe, 00000000.00000003.360084029.0000000005875000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/0r
Source: PI L032452021xxls.exe, 00000000.00000003.360266825.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Ir
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/lr9=e
Source: PI L032452021xxls.exe, 00000000.00000003.359207902.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/lr9=e
Source: PI L032452021xxls.exe, 00000000.00000003.359682803.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/roso
Source: PI L032452021xxls.exe, 00000000.00000003.359082297.0000000005874000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: PI L032452021xxls.exe, 00000000.00000003.365187933.0000000005877000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.W
Source: PI L032452021xxls.exe, 00000000.00000003.355005880.00000000058AD000.00000004.00000001.sdmp, PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PI L032452021xxls.exe, 00000000.00000003.355005880.00000000058AD000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com.
Source: PI L032452021xxls.exe, 00000000.00000003.355005880.00000000058AD000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coms
Source: PI L032452021xxls.exe, 00000000.00000003.355005880.00000000058AD000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comt-i
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PI L032452021xxls.exe, 00000000.00000003.360580691.0000000005876000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comc
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PI L032452021xxls.exe, 00000000.00000002.391458911.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PI L032452021xxls.exe, 00000000.00000003.358246478.0000000005877000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn5
Source: PI L032452021xxls.exe, 00000000.00000003.358246478.0000000005877000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: unknown | DNS traffic detected: queries for: www.vdvppt.club

          E-Banking Fraud:

Yara detected FormBook
Source: the same Yara match sources listed under AV Detection above (two unpacked PEs and nine memory dumps).

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 6.2.PI L032452021xxls.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.PI L032452021xxls.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.PI L032452021xxls.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.PI L032452021xxls.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.476678595.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.476678595.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.476370627.0000000000CB0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.476370627.0000000000CB0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.416682205.0000000007630000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.416682205.0000000007630000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.622477273.0000000003370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.622477273.0000000003370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.475476363.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.475476363.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.619318186.0000000000D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.619318186.0000000000D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.438420225.0000000007630000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.438420225.0000000007630000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.622417859.0000000003340000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.622417859.0000000003340000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.385908241.0000000003A29000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.385908241.0000000003A29000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: PI L032452021xxls.exe, Form1.cs | Long String: Length: 38272
          Source: 0.0.PI L032452021xxls.exe.5b0000.0.unpack, Form1.cs | Long String: Length: 38272
          Source: 0.2.PI L032452021xxls.exe.5b0000.0.unpack, Form1.cs | Long String: Length: 38272
          Source: 5.2.PI L032452021xxls.exe.390000.0.unpack, Form1.cs | Long String: Length: 38272
          Source: 5.0.PI L032452021xxls.exe.390000.0.unpack, Form1.cs | Long String: Length: 38272
          Source: 6.2.PI L032452021xxls.exe.670000.1.unpack, Form1.cs | Long String: Length: 38272
          Source: 6.0.PI L032452021xxls.exe.670000.0.unpack, Form1.cs | Long String: Length: 38272
          Source: PI L032452021xxls.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 6.2.PI L032452021xxls.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.PI L032452021xxls.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.PI L032452021xxls.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.PI L032452021xxls.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.476678595.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.476678595.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.476370627.0000000000CB0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.476370627.0000000000CB0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.416682205.0000000007630000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.416682205.0000000007630000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.622477273.0000000003370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.622477273.0000000003370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.475476363.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.475476363.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.619318186.0000000000D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.619318186.0000000000D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.438420225.0000000007630000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.438420225.0000000007630000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.622417859.0000000003340000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.622417859.0000000003340000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.385908241.0000000003A29000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.385908241.0000000003A29000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 0_2_00FF2790
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 0_2_00FF1060
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 0_2_00FF1050
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 0_2_00FF5300
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 0_2_0296E612
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 0_2_0296E618
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041E81B
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00401026
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00401030
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041D8F0
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041D975
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041E1DE
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041DCDD
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041D489
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041D5C4
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041E5F3
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00402D8A
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00402D90
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00409E40
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041DE42
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00409E3C
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041D6C7
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_0041CFA3
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00402FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050BF900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_05182D07
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050B0D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050D4120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_05181D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050E2581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050CD5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050C841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_05171002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050CB090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050E20A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_051820A8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_05182B28
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050EEBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_05181FF1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050D6E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_051822AE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_05182EF7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D3E81B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D3E1DE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D3E5F3
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D22D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D22D8A
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D29E40
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D29E3C
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D22FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D3CFA3
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 050BB150 appears 35 times
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00419E90 NtClose
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00419F40 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00419D5B NtCreateFile
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00419DB4 NtCreateFile
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Code function: 6_2_00419E0A NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050FAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9560 NtWriteFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050FB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050FA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050FA770 NtOpenThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050FA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050F9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D39D60 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D39E90 NtClose
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D39E10 NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D39F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D39DB4 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D39D5B NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00D39E0A NtReadFile
          Source: PI L032452021xxls.exe | Binary or memory string: OriginalFilename vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe, 00000000.00000002.382841822.0000000002A37000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe, 00000000.00000000.352313746.00000000005B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRefFla.exeh$ vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe, 00000000.00000002.392040604.00000000070D0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe | Binary or memory string: OriginalFilename vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe, 00000005.00000002.377835074.0000000000392000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRefFla.exeh$ vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe | Binary or memory string: OriginalFilename vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe, 00000006.00000002.477767429.00000000013CF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe, 00000006.00000002.475602589.0000000000672000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRefFla.exeh$ vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe, 00000006.00000002.479958779.0000000003190000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe | Binary or memory string: OriginalFilenameRefFla.exeh$ vs PI L032452021xxls.exe
          Source: PI L032452021xxls.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: PI L032452021xxls.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: PI L032452021xxls.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: PI L032452021xxls.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: PI L032452021xxls.exe | Virustotal: Detection: 20%
          Source: PI L032452021xxls.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\PI L032452021xxls.exe 'C:\Users\user\Desktop\PI L032452021xxls.exe'
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Process created: C:\Users\user\Desktop\PI L032452021xxls.exe C:\Users\user\Desktop\PI L032452021xxls.exe
          Source: C:\Users\user\Desktop\PI L032452021xxls.exe | Process created: C:\Users\user\Desktop\PI L032452021xxls.exe C:\Users\user\Desktop\PI L032452021xxls.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PI L032452021xxls.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID