Windows Analysis Report: Quote#56432.exe

Overview

General Information

Sample Name: Quote#56432.exe
Analysis ID: 483794
MD5: 3812ebc395330bef949cc2c7264d1632
SHA1: 4dc9fd68e73e0b14ab02670bb7c80372d0043bc4
SHA256: 97ea895e92f76192010e02f12aca8ec4ffa1b667e84c9958332d280ced624402
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Quote#56432.exe (PID: 6792 cmdline: 'C:\Users\user\Desktop\Quote#56432.exe' MD5: 3812EBC395330BEF949CC2C7264D1632)
    • schtasks.exe (PID: 7100 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ySWmXEgh' /XML 'C:\Users\user\AppData\Local\Temp\tmp994F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5848 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • systray.exe (PID: 5944 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
        • cmd.exe (PID: 6492 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.constructioncleanup.pro/vd9n/"], "decoy": ["theunwrappedcollective.com", "seckj-ic.com", "tyresandover.com", "thetrophyworld.com", "fonggrconstruction.com", "hopiproject.com", "sktitle.com", "charlotteobscurer.com", "qjuhe.com", "girlzglitter.com", "createmylawn.com", "hempcbgpill.com", "zzdfdzkj.com", "shreehariessential.com", "226sm.com", "getcupscall.com", "neuralviolin.com", "sanskaar.life", "xn--fhqrm54yyukopc.com", "togetherx4fantasy5star.today", "buyonlinesaree.com", "percyshandman.site", "hatchethangout.com", "rugpat.com", "zen-gizmo.com", "vipmomali.com", "lacerasavall.cat", "aqueouso.com", "mkolgems.com", "sevenhundredseventysix.fund", "fotografhannaneret.com", "mitravy.com", "bmtrans.net", "linterpreting.com", "izquay.com", "sawaturkey.com", "marche-maman.com", "eemygf.com", "animenovel.com", "travelssimply.com", "montecitobutterfly.com", "volebahis.com", "daniela.red", "ramseyedk12.com", "leyterealestate.info", "patriotstrong.net", "vkgcrew.com", "nadhiradeebaazkiya.online", "hotelcarre.com", "myfabulouscollection.com", "stellantis-luxury-rent.com", "hn2020.xyz", "emilyscopes.com", "lotosouq.com", "lovecord.date", "stconstant.online", "volkite-culverin.net", "allwaysautism.com", "sheisnatashasimone.com", "sepantaceram.com", "ishopgrady.com", "lifestorycard.com", "sexybbwavailable.website", "domainbaycapital.com"]}

Yara Overview

Memory Dumps

Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (detect Formbook in memory), Author: JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(27 further memory-dump entries in the full report are not reproduced here)

      Unpacked PEs

Source: 7.2.RegSvcs.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (detect Formbook in memory), Author: JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 7.2.RegSvcs.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(2 further unpacked-PE entries in the full report are not reproduced here)
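Two things in the Yara tables are worth checking by hand. The three sqlite3 strings in the JPCERT/CC rule all start with 0x68, the x86 push imm32 opcode, so each one matches a pushed 32-bit constant that the rule names associate with the sqlite3 step/text/blob calls FormBook uses to read browser databases. And the eleven yara-signator offsets in 7.2.RegSvcs.exe.400000.0.raw.unpack sit exactly 0xE00 above the same strings in 7.2.RegSvcs.exe.400000.0.unpack, which is consistent with one payload dumped once in its memory layout and once rebuilt to file layout (first section at RVA 0x1000 in memory versus raw offset 0x200 on disk). The following is an added example, not from the report or from the rule authors: a minimal matcher for YARA-style hex strings (fixed bytes and ?? wildcards only), run over a constructed buffer that embeds three of the listed strings, plus the offset comparison. yara-python is the tool for real scanning; the buffer and the wildcard handling here are assumptions of this example.

```python
"""A minimal re-implementation of the YARA hex-string matches listed above.

Added example, not part of the report (yara-python does the real job). It
supports fixed bytes and ?? wildcards only; the buffer it scans is constructed
and embeds three of the JPCERT/CC strings; it is not the sample.
"""
import re

# Strings copied from the rules above, as YARA writes them.
PATTERNS = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
}


def hex_to_regex(hexstr):
    """Turn a YARA hex string ('68 ?? 1C') into a compiled bytes regex."""
    parts = []
    for tok in hexstr.split():
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf, patterns=PATTERNS):
    """Return sorted (offset, name) hits, like the Strings column in the report."""
    hits = []
    for name, hexstr in patterns.items():
        hits.extend((m.start(), name) for m in hex_to_regex(hexstr).finditer(buf))
    return sorted(hits)


def build_sample():
    """Constructed buffer: filler, then the three sqlite3 push-immediates eight NOPs apart."""
    filler = bytes(range(256)) * 2   # 512 bytes, contains none of the patterns
    body = b"".join(bytes.fromhex(PATTERNS[n].replace(" ", "")) + b"\x90" * 8
                    for n in ("$sqlite3step", "$sqlite3text", "$sqlite3blob"))
    return filler + body + filler


# Offsets reported above for the same eleven yara-signator strings in the two
# dumps of the RegSvcs.exe payload (.raw.unpack versus .unpack), same order.
RAW_UNPACK = [0x98e8, 0x9b62, 0x15685, 0x15171, 0x15787, 0x158ff,
              0xa57a, 0x143ec, 0xb273, 0x1b327, 0x1c32a]
UNPACK = [0x8ae8, 0x8d62, 0x14885, 0x14371, 0x14987, 0x14aff,
          0x977a, 0x135ec, 0xa473, 0x1a527, 0x1b52a]


def constant_shift(a, b):
    """The single offset difference between two hit lists, or None if they do not line up."""
    deltas = {x - y for x, y in zip(a, b)}
    return deltas.pop() if len(deltas) == 1 and len(a) == len(b) else None


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"0x{offset:x}:{name}")
    print(f"raw.unpack - unpack = 0x{constant_shift(RAW_UNPACK, UNPACK):x}")
```

The constant shift is a quick sanity check when two dumps of the same process yield different offsets: if every string moves by the same amount, you are looking at the same code in two layouts, not at two payloads.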

          Sigma Overview

          System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
  Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  CommandLine|base64offset|contains:
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  ParentCommandLine: 'C:\Users\user\Desktop\Quote#56432.exe'
  ParentImage: C:\Users\user\Desktop\Quote#56432.exe
  ParentProcessId: 6792
  ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  ProcessId: 5848
Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4
  Data: the same process-start event as above (RegSvcs.exe, ProcessId 5848, ParentProcessId 6792)

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (C2 list and decoy list as shown under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Quote#56432.exe, VirusTotal: Detection: 29%
Source: Quote#56432.exe, Metadefender: Detection: 28%
Source: Quote#56432.exe, ReversingLabs: Detection: 78%
Yara detected FormBook
Source: Yara match, file source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ySWmXEgh.exe, Metadefender: Detection: 28%
Source: C:\Users\user\AppData\Roaming\ySWmXEgh.exe, ReversingLabs: Detection: 78%
Machine Learning detection for sample
Source: Quote#56432.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ySWmXEgh.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: Quote#56432.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Quote#56432.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb, source: RegSvcs.exe, 00000007.00000002.782499789.0000000001910000.00000040.00020000.sdmp
Source: Binary string: systray.pdbGCTL, source: RegSvcs.exe, 00000007.00000002.782499789.0000000001910000.00000040.00020000.sdmp
Source: Binary string: RegSvcs.pdb, source: systray.exe, 0000000F.00000002.927302675.0000000004A8F000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: RegSvcs.exe, 00000007.00000002.784083913.0000000001A3F000.00000040.00000001.sdmp, systray.exe, 0000000F.00000002.926821802.000000000467F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: RegSvcs.exe, systray.exe
Source: Binary string: RegSvcs.pdb, source: systray.exe, 0000000F.00000002.927302675.0000000004A8F000.00000004.00020000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop edi (7_2_0040E44C)
Source: C:\Windows\SysWOW64\systray.exe, Code function: 4x nop then pop edi (15_2_0036E44C)

          Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe, Domain query: www.lovecord.date
Source: C:\Windows\explorer.exe, Domain query: www.neuralviolin.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.constructioncleanup.pro/vd9n/
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: global traffic, HTTP traffic detected:
  GET /vd9n/?NfB=6+C1z2NTXQU5TtDgYCNVveFhDHAhXY7UdOammGZxKywecd1Rk4eK0uo6Q7X2XlF/f8Go&o87p=d640H6WhXv9 HTTP/1.1
  Host: www.lovecord.date
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View, IP Address: 44.227.76.166
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: systray.exe, 0000000F.00000002.927431554.0000000004F7F000.00000004.00020000.sdmp, String found in binary or memory: http://lovecord.date
Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quote#56432.exe, 00000000.00000003.665504791.00000000058CE000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.665428445.00000000058CE000.00000004.00000001.sdmp, String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Quote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: Quote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com.123
Source: Quote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comC
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Quote#56432.exe, 00000000.00000003.664613718.00000000058D0000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comn-u
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Quote#56432.exe, 00000000.00000003.666494619.00000000058CE000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/3
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quote#56432.exe, 00000000.00000003.667501678.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.667456774.00000000058D0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quote#56432.exe, 00000000.00000003.666549661.00000000058CE000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cz;a
Source: Quote#56432.exe, 00000000.00000003.667061903.00000000058CF000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quote#56432.exe, 00000000.00000003.667061903.00000000058CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html3
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quote#56432.exe, 00000000.00000003.666850356.00000000058CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersR
Source: Quote#56432.exe, 00000000.00000003.666549661.00000000058CE000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersg
Source: Quote#56432.exe, 00000000.00000003.666754869.00000000058CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersi
Source: Quote#56432.exe, 00000000.00000003.673228256.00000000058D0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersx
Source: Quote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: Quote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.coma
Source: Quote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comiono
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Quote#56432.exe, 00000000.00000003.663958515.00000000058CE000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quote#56432.exe, 00000000.00000003.663958515.00000000058CE000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnk
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quote#56432.exe, 00000000.00000003.669659423.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.664849579.00000000058A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quote#56432.exe, 00000000.00000003.664849579.00000000058A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/-t4
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp//z
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Norm
Source: Quote#56432.exe, 00000000.00000003.665005799.00000000058A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-d
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/n-us
Source: Quote#56432.exe, 00000000.00000003.672566366.00000000058D0000.00000004.00000001.sdmp, String found in binary or memory: http://www.monotype.
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Quote#56432.exe, 00000000.00000003.665504791.00000000058CE000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Quote#56432.exe, 00000000.00000003.664716460.00000000058D0000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comic
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Quote#56432.exe, 00000000.00000003.668210925.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.668015602.00000000058D0000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.de
Source: Quote#56432.exe, 00000000.00000003.667982119.00000000058D0000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.de%Y
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Quote#56432.exe, 00000000.00000003.668046451.00000000058D0000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deFT
Source: Quote#56432.exe, 00000000.00000003.666447003.00000000058CE000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deoc
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown, DNS traffic detected: queries for: www.lovecord.date
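The beacon the report captured goes to www.lovecord.date, a host from the decoy list, with the same /vd9n/ path as the single configured C2 (www.constructioncleanup.pro/vd9n/), and with no User-Agent header. FormBook sends the same request shape to its C2 and to its decoys, so a detection keyed on the C2 path catches both, while a block list should stay on the C2 host: the decoys are unrelated third-party domains. Note also that the configuration lists bare domains while the observed Host carries a www. prefix, so host matching has to normalise that. The following is an added example, not part of the report: it loads the report's configuration (with a subset of its decoys), classifies a small constructed request log whose first entry is the report's own GET, and derives the block list.

```python
"""Classify HTTP requests against the extracted FormBook configuration.

Added example, not part of the Joe Sandbox report. CONFIG_JSON is the report's
C2 entry plus a subset of its decoy list; REQUESTS is a constructed log whose
first entry is the GET captured above, the rest are made up for coverage.
"""
import json
from urllib.parse import urlsplit

CONFIG_JSON = json.dumps({
    "C2 list": ["www.constructioncleanup.pro/vd9n/"],
    "decoy": ["lovecord.date", "neuralviolin.com", "theunwrappedcollective.com"],
})

# (method, request-target, Host header). Only the first is from the report.
REQUESTS = [
    ("GET", "/vd9n/?NfB=6+C1z2NTXQU5TtDgYCNVveFhDHAhXY7UdOammGZxKywecd1Rk4eK0uo6Q7X2XlF/f8Go"
            "&o87p=d640H6WhXv9", "www.lovecord.date"),
    ("POST", "/vd9n/", "www.constructioncleanup.pro"),        # constructed
    ("GET", "/vd9n/?a=b", "www.not-in-config.example"),       # constructed, hypothetical host
    ("GET", "/index.html", "www.neuralviolin.com"),           # constructed
    ("GET", "/", "www.microsoft.com"),                        # constructed
]


def norm_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.': the config lists bare
    domains but the observed Host header carries the www. prefix."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def load_config(text):
    """Return ({(host, path)} for C2 entries, {host} for decoys)."""
    cfg = json.loads(text)
    c2 = set()
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2.add((norm_host(host), "/" + path))
    return c2, {norm_host(d) for d in cfg["decoy"]}


def classify(request, c2, decoys):
    """Verdict for one request: the path is the strong signal, the host tells C2 from decoy."""
    _method, target, host = request
    h, path = norm_host(host), urlsplit(target).path
    c2_paths = {p for _, p in c2}
    if (h, path) in c2:
        return "c2"
    if h in decoys and path in c2_paths:
        return "decoy-with-c2-path"
    if path in c2_paths:
        return "c2-path-on-unknown-host"   # a new decoy, or a C2 not in this config
    if h in decoys:
        return "decoy-host-other-path"     # ordinary traffic to an unrelated site
    return "unrelated"


def triage(requests, c2, decoys):
    return [(r[2], classify(r, c2, decoys)) for r in requests]


def block_list(c2):
    """Hosts to block: the real C2 hosts only (bare and www. forms); decoys are third-party sites."""
    hosts = set()
    for h, _ in c2:
        hosts.update({h, "www." + h})
    return sorted(hosts)


if __name__ == "__main__":
    c2, decoys = load_config(CONFIG_JSON)
    for host, verdict in triage(REQUESTS, c2, decoys):
        print(f"{verdict:26} {host}")
    print("block:", ", ".join(block_list(c2)))
```

In practice the "c2-path-on-unknown-host" verdict is the one to watch: a FormBook-shaped request to a host that is in neither list means either a decoy this config does not cover or a C2 from a different build, and either way it is worth a second look at the originating process, which in this report is explorer.exe.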

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, file source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: Quote#56432.exe, Cheeeeeeeeese/MainForm.cs; Long String: Length: 38272
          Source: ySWmXEgh.exe.0.dr, Cheeeeeeeeese/MainForm.cs; Long String: Length: 38272
          Source: 0.0.Quote#56432.exe.680000.0.unpack, Cheeeeeeeeese/MainForm.cs; Long String: Length: 38272
          Source: 0.2.Quote#56432.exe.680000.0.unpack, Cheeeeeeeeese/MainForm.cs; Long String: Length: 38272
          Source: Quote#56432.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_00687380
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_00684E85
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_0295CC14
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_0295F218
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_0295F208
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7D808
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B75D68
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B70F10
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7AF08
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B70040
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B73668
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7A7A8
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7B880
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7B870
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B72938
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B72948
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B71BE0
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B72C60
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B72C53
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B71DB8
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B71DAB
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B75D58
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7BEB0
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7BEA0
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7AEF7
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B70E20
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B74E20
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B74E78
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041E032
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041D121
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041DA37
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041DB68
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041D3E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00409E40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041E62C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00409E3C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041D681
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0194F900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01964120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0195B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019720A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01A01002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0197EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01972581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0195D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01940D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01A11D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0195841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01966E30
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0459841F
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_04641002
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0459B090
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045B20A0
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_04651D55
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0458F900
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_04580D20
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045A4120
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0459D5E0
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045B2581
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045A6E30
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045BEBB0
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0037E032
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0037D121
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00362D90
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00369E3C
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00369E40
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00362FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: String function: 0194B150 appears 35 times
          Source: C:\Windows\SysWOW64\systray.exe; Code function: String function: 0458B150 appears 35 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419D60 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419E10 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419E90 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419F40 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419D5A NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419DBA NtCreateFile, NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419E8A NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019899A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019898F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019895D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019897A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019896E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019899D0 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989950 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019898A0 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989820 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0198B040 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0198A3B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989B00 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989A80 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989A10 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019895F0 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0198AD30 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989520 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989560 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989FE0 NtCreateMutant
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0198A710 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989730 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989770 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0198A770 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989760 NtOpenProcess