
Windows Analysis Report Quote#56432.exe

Overview

General Information

Sample Name: Quote#56432.exe
Analysis ID: 483794
MD5: 3812ebc395330bef949cc2c7264d1632
SHA1: 4dc9fd68e73e0b14ab02670bb7c80372d0043bc4
SHA256: 97ea895e92f76192010e02f12aca8ec4ffa1b667e84c9958332d280ced624402
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Quote#56432.exe (PID: 6792 cmdline: 'C:\Users\user\Desktop\Quote#56432.exe' MD5: 3812EBC395330BEF949CC2C7264D1632)
    • schtasks.exe (PID: 7100 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ySWmXEgh' /XML 'C:\Users\user\AppData\Local\Temp\tmp994F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5848 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • systray.exe (PID: 5944 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
        • cmd.exe (PID: 6492 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.constructioncleanup.pro/vd9n/"], "decoy": ["theunwrappedcollective.com", "seckj-ic.com", "tyresandover.com", "thetrophyworld.com", "fonggrconstruction.com", "hopiproject.com", "sktitle.com", "charlotteobscurer.com", "qjuhe.com", "girlzglitter.com", "createmylawn.com", "hempcbgpill.com", "zzdfdzkj.com", "shreehariessential.com", "226sm.com", "getcupscall.com", "neuralviolin.com", "sanskaar.life", "xn--fhqrm54yyukopc.com", "togetherx4fantasy5star.today", "buyonlinesaree.com", "percyshandman.site", "hatchethangout.com", "rugpat.com", "zen-gizmo.com", "vipmomali.com", "lacerasavall.cat", "aqueouso.com", "mkolgems.com", "sevenhundredseventysix.fund", "fotografhannaneret.com", "mitravy.com", "bmtrans.net", "linterpreting.com", "izquay.com", "sawaturkey.com", "marche-maman.com", "eemygf.com", "animenovel.com", "travelssimply.com", "montecitobutterfly.com", "volebahis.com", "daniela.red", "ramseyedk12.com", "leyterealestate.info", "patriotstrong.net", "vkgcrew.com", "nadhiradeebaazkiya.online", "hotelcarre.com", "myfabulouscollection.com", "stellantis-luxury-rent.com", "hn2020.xyz", "emilyscopes.com", "lotosouq.com", "lovecord.date", "stconstant.online", "volkite-culverin.net", "allwaysautism.com", "sheisnatashasimone.com", "sepantaceram.com", "ishopgrady.com", "lifestorycard.com", "sexybbwavailable.website", "domainbaycapital.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(27 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.RegSvcs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
7.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(2 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started
Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quote#56432.exe', ParentImage: C:\Users\user\Desktop\Quote#56432.exe, ParentProcessId: 6792, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5848
Sigma detected: Possible Applocker Bypass
Source: Process started
Author: juju4
Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quote#56432.exe', ParentImage: C:\Users\user\Desktop\Quote#56432.exe, ParentProcessId: 6792, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5848

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.constructioncleanup.pro/vd9n/"], "decoy": ["theunwrappedcollective.com", "seckj-ic.com", "tyresandover.com", "thetrophyworld.com", "fonggrconstruction.com", "hopiproject.com", "sktitle.com", "charlotteobscurer.com", "qjuhe.com", "girlzglitter.com", "createmylawn.com", "hempcbgpill.com", "zzdfdzkj.com", "shreehariessential.com", "226sm.com", "getcupscall.com", "neuralviolin.com", "sanskaar.life", "xn--fhqrm54yyukopc.com", "togetherx4fantasy5star.today", "buyonlinesaree.com", "percyshandman.site", "hatchethangout.com", "rugpat.com", "zen-gizmo.com", "vipmomali.com", "lacerasavall.cat", "aqueouso.com", "mkolgems.com", "sevenhundredseventysix.fund", "fotografhannaneret.com", "mitravy.com", "bmtrans.net", "linterpreting.com", "izquay.com", "sawaturkey.com", "marche-maman.com", "eemygf.com", "animenovel.com", "travelssimply.com", "montecitobutterfly.com", "volebahis.com", "daniela.red", "ramseyedk12.com", "leyterealestate.info", "patriotstrong.net", "vkgcrew.com", "nadhiradeebaazkiya.online", "hotelcarre.com", "myfabulouscollection.com", "stellantis-luxury-rent.com", "hn2020.xyz", "emilyscopes.com", "lotosouq.com", "lovecord.date", "stconstant.online", "volkite-culverin.net", "allwaysautism.com", "sheisnatashasimone.com", "sepantaceram.com", "ishopgrady.com", "lifestorycard.com", "sexybbwavailable.website", "domainbaycapital.com"]}
Multi AV Scanner detection for submitted file
Source: Quote#56432.exe | Virustotal: Detection: 29%
Source: Quote#56432.exe | Metadefender: Detection: 28%
Source: Quote#56432.exe | ReversingLabs: Detection: 78%
Yara detected FormBook
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ySWmXEgh.exe | Metadefender: Detection: 28%
Source: C:\Users\user\AppData\Roaming\ySWmXEgh.exe | ReversingLabs: Detection: 78%
Machine Learning detection for sample
Source: Quote#56432.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ySWmXEgh.exe | Joe Sandbox ML: detected
Source: 7.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Quote#56432.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Quote#56432.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb source: RegSvcs.exe, 00000007.00000002.782499789.0000000001910000.00000040.00020000.sdmp
Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000007.00000002.782499789.0000000001910000.00000040.00020000.sdmp
Source: Binary string: RegSvcs.pdb, source: systray.exe, 0000000F.00000002.927302675.0000000004A8F000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000007.00000002.784083913.0000000001A3F000.00000040.00000001.sdmp, systray.exe, 0000000F.00000002.926821802.000000000467F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, systray.exe
Source: Binary string: RegSvcs.pdb source: systray.exe, 0000000F.00000002.927302675.0000000004A8F000.00000004.00020000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe | Domain query: www.lovecord.date
Source: C:\Windows\explorer.exe | Domain query: www.neuralviolin.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.constructioncleanup.pro/vd9n/
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: global traffic | HTTP traffic detected: GET /vd9n/?NfB=6+C1z2NTXQU5TtDgYCNVveFhDHAhXY7UdOammGZxKywecd1Rk4eK0uo6Q7X2XlF/f8Go&o87p=d640H6WhXv9 HTTP/1.1 | Host: www.lovecord.date | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 44.227.76.166 44.227.76.166
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: systray.exe, 0000000F.00000002.927431554.0000000004F7F000.00000004.00020000.sdmp | String found in binary or memory: http://lovecord.date
Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quote#56432.exe, 00000000.00000003.665504791.00000000058CE000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.665428445.00000000058CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Quote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Quote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com.123
Source: Quote#56432.exe, 00000000.00000003.664495208.00000000058CF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Quote#56432.exe, 00000000.00000003.664613718.00000000058D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Quote#56432.exe, 00000000.00000003.666494619.00000000058CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/3
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quote#56432.exe, 00000000.00000003.667501678.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.667456774.00000000058D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quote#56432.exe, 00000000.00000003.666549661.00000000058CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cz;a
Source: Quote#56432.exe, 00000000.00000003.667061903.00000000058CF000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quote#56432.exe, 00000000.00000003.667061903.00000000058CF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html3
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quote#56432.exe, 00000000.00000003.666850356.00000000058CF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersR
Source: Quote#56432.exe, 00000000.00000003.666549661.00000000058CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersg
Source: Quote#56432.exe, 00000000.00000003.666754869.00000000058CF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersi
Source: Quote#56432.exe, 00000000.00000003.673228256.00000000058D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersx
Source: Quote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Quote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: Quote#56432.exe, 00000000.00000002.692495401.00000000058A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comiono
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Quote#56432.exe, 00000000.00000003.663958515.00000000058CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quote#56432.exe, 00000000.00000003.663958515.00000000058CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnk
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quote#56432.exe, 00000000.00000003.669659423.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.664849579.00000000058A4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quote#56432.exe, 00000000.00000003.664849579.00000000058A4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-t4
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//z
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Norm
Source: Quote#56432.exe, 00000000.00000003.665005799.00000000058A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-d
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Quote#56432.exe, 00000000.00000003.665374375.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n-us
Source: Quote#56432.exe, 00000000.00000003.672566366.00000000058D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Quote#56432.exe, 00000000.00000003.665504791.00000000058CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Quote#56432.exe, 00000000.00000003.664716460.00000000058D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comic
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Quote#56432.exe, 00000000.00000003.668210925.00000000058D0000.00000004.00000001.sdmp, Quote#56432.exe, 00000000.00000003.668015602.00000000058D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Quote#56432.exe, 00000000.00000003.667982119.00000000058D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de%Y
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Quote#56432.exe, 00000000.00000003.668046451.00000000058D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deFT
Source: Quote#56432.exe, 00000000.00000003.666447003.00000000058CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deoc
Source: Quote#56432.exe, 00000000.00000002.693028363.0000000006BB2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: www.lovecord.date
Source: global traffic | HTTP traffic detected: GET /vd9n/?NfB=6+C1z2NTXQU5TtDgYCNVveFhDHAhXY7UdOammGZxKywecd1Rk4eK0uo6Q7X2XlF/f8Go&o87p=d640H6WhXv9 HTTP/1.1 | Host: www.lovecord.date | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: Quote#56432.exe, Cheeeeeeeeese/MainForm.cs; Long String: Length: 38272
          Source: ySWmXEgh.exe.0.dr, Cheeeeeeeeese/MainForm.cs; Long String: Length: 38272
          Source: 0.0.Quote#56432.exe.680000.0.unpack, Cheeeeeeeeese/MainForm.cs; Long String: Length: 38272
          Source: 0.2.Quote#56432.exe.680000.0.unpack, Cheeeeeeeeese/MainForm.cs; Long String: Length: 38272
          Source: Quote#56432.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.925308127.0000000000360000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.781503558.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.738249263.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.925553519.0000000000B00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.925610906.0000000000B30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.782221543.0000000001490000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.690791851.0000000003B59000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.782183245.0000000001460000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.720837328.000000000E47D000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_00687380
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_00684E85
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_0295CC14
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_0295F218
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_0295F208
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7D808
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B75D68
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B70F10
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7AF08
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B70040
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B73668
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7A7A8
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7B880
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7B870
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B72938
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B72948
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B71BE0
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B72C60
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B72C53
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B71DB8
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B71DAB
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B75D58
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7BEB0
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7BEA0
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B7AEF7
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B70E20
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B74E20
          Source: C:\Users\user\Desktop\Quote#56432.exe; Code function: 0_2_08B74E78
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041E032
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041D121
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041DA37
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041DB68
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041D3E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00409E40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041E62C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00409E3C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0041D681
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0194F900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01964120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0195B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019720A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01A01002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0197EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01972581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0195D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01940D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01A11D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0195841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01966E30
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0459841F
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_04641002
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0459B090
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045B20A0
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_04651D55
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0458F900
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_04580D20
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045A4120
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0459D5E0
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045B2581
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045A6E30
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045BEBB0
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0037E032
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_0037D121
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00362D90
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00369E3C
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00369E40
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00362FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: String function: 0194B150 appears 35 times
          Source: C:\Windows\SysWOW64\systray.exe; Code function: String function: 0458B150 appears 35 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419D60 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419E10 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419E90 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419D5A NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419DBA NtCreateFile,NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_00419E8A NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019899A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019898F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019895D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019897A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019896E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019899D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019898A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0198B040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0198A3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019895F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0198AD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989FE0 NtCreateMutant,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0198A710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0198A770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_019896D0 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_01989670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045CB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045CAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045CA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045CA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045CA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_045C97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00379D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00379E10 NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00379E90 NtClose,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00379F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00379D5A NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00379DBA NtCreateFile,NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exe; Code function: 15_2_00379E8A NtClose,
          Source: Quote#56432.exe; Binary or memory string: OriginalFilename vs Quote#56432.exe
          Source: Quote#56432.exe, 00000000.00000002.690946204.0000000003C70000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Quote#56432.exe
          Source: Quote#56432.exe, 00000000.00000002.690221413.0000000002B51000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs Quote#56432.exe
          Source: Quote#56432.exe, 00000000.00000002.689196044.0000000000682000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameRangeWork.exe< vs Quote#56432.exe
          Source: Quote#56432.exe; Binary or memory string: OriginalFilenameRangeWork.exe< vs Quote#56432.exe
          Source: Quote#56432.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: ySWmXEgh.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Quote#56432.exe; Virustotal: Detection: 29%
          Source: Quote#56432.exe; Metadefender: Detection: 28%
          Source: Quote#56432.exe; ReversingLabs: Detection: 78%
          Source: C:\Users\user\Desktop\Quote#56432.exe; File read: C:\Users\user\Desktop\Quote#56432.exe
          Source: Quote#56432.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ