Windows Analysis Report fTset285bI.exe

Overview

General Information

Sample Name: fTset285bI.exe
Analysis ID: 491713
MD5: 1fb012f2414da5a3515f704e855ab770
SHA1: 1d5ff9db7dfeaf2d4b0200fbbda00e89d058f525
SHA256: 6caf3e91a0bb501d8e7d08d8463407315debb31757137e5362795d91c161e6d6
Tags: exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
Uses reg.exe to modify the Windows registry
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.llaa11.xyz/scb0/"], "decoy": ["austinsv.net", "nothernballet.com", "mycoursey.com", "exodiduis.com", "frankserranolaw.com", "dingyiemail.com", "woodstocktimbersandbeams.com", "somphones.com", "goalcations.com", "boraeresici.com", "spiegelverwarming.store", "8676789.rest", "tametaverse.com", "suppliesdevon.com", "sergiofisheronmcl.com", "reevophilippines.com", "oemlift.com", "helloworld.agency", "klaydoge.com", "cristinadiasoficial.com", "rentalsbox.com", "mydigbook.icu", "karamanescortbayan.xyz", "pyxis.digital", "kak-izbavitsya.xyz", "brakepad114.com", "scribr.net", "accountable-measures.com", "tj5288.com", "profit-fx.com", "melomis.com", "afroditas.online", "mvptcodesupport.com", "immerseinagro.com", "mustibayankuaforu.com", "ticketpremiado.com", "xxxpornmodels.com", "regalosyartesania.com", "imaginariss.com", "blockart.digital", "cn363.com", "titanpestsolutions.com", "laceswap.store", "individucars.com", "ysgo.club", "wpzone.online", "fromtotravel.com", "hbpartyrentals.com", "tectonicvi.com", "gaia32.com", "tubesn.com", "c7performance.com", "andysmittkamp.com", "wildcatsclan.net", "arbiafashion.com", "ivonnedekeizer.com", "kmarket.club", "deployinghigh.com", "sasanos.com", "rick078.xyz", "shahroodisales.com", "chillrn.com", "xn--2ckzf.com", "14ideedumois.com"]}
Multi AV Scanner detection for submitted file
Source: fTset285bI.exe Virustotal: Detection: 28% Perma Link
Source: fTset285bI.exe ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match File source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Virustotal: Detection: 28% Perma Link
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe ReversingLabs: Detection: 26%

Compliance:

barindex
Uses 32bit PE files
Source: fTset285bI.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: Binary string: profapi.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbo1 source: WerFault.exe, 0000000F.00000003.409099360.00000000057F1000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.406022334.0000000003708000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.489730419.0000000004E5F000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.514625482.000000000491E000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.406017453.0000000003702000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.406276057.000000000370E000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb{ source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000F.00000003.406276057.000000000370E000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000F.00000003.406022334.0000000003708000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb> source: WerFault.exe, 00000022.00000003.523781598.0000000004D01000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdbk source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: mobsync.pdb source: WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp
Source: Binary string: secinit.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.406017453.0000000003702000.00000004.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\secinit.exe Code function: 4x nop then pop ebx 5_2_50486ABC
Source: C:\Windows\SysWOW64\secinit.exe Code function: 4x nop then pop edi 5_2_5048C3EF
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 4x nop then pop ebx 27_2_50486ABC
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 4x nop then pop edi 27_2_5048C3EF
Source: C:\Windows\SysWOW64\secinit.exe Code function: 4x nop then pop ebx 32_2_50486ABC
Source: C:\Windows\SysWOW64\secinit.exe Code function: 4x nop then pop edi 32_2_5048C3EF

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.llaa11.xyz/scb0/
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.130.233 162.159.130.233
Source: Joe Sandbox View IP Address: 162.159.130.233 162.159.130.233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: WerFault.exe, 0000000F.00000002.431594497.00000000036D6000.00000004.00000020.sdmp, WerFault.exe, 0000001D.00000003.533064961.0000000004E05000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/836211098164265024/892047706770509844/Qybpdxzxxjklicipydzdiinowujxlof HTTP/1.1User-Agent: lValiHost: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/836211098164265024/892047706770509844/Qybpdxzxxjklicipydzdiinowujxlof HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /attachments/836211098164265024/892047706770509844/Qybpdxzxxjklicipydzdiinowujxlof HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /attachments/836211098164265024/892047706770509844/Qybpdxzxxjklicipydzdiinowujxlof HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.6:49746 version: TLS 1.2

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: fTset285bI.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\Libraries\zxdpbyQ.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
One or more processes crash
Source: C:\Windows\SysWOW64\secinit.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 240
Detected potential crypto function
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50481030 5_2_50481030
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5049C086 5_2_5049C086
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5049C988 5_2_5049C988
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50481209 5_2_50481209
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5049BB80 5_2_5049BB80
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50488C6B 5_2_50488C6B
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50488C70 5_2_50488C70
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50482D87 5_2_50482D87
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50482D90 5_2_50482D90
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50482FB0 5_2_50482FB0
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50481030 27_2_50481030
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5049C086 27_2_5049C086
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5049C988 27_2_5049C988
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50481209 27_2_50481209
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5049BB80 27_2_5049BB80
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50488C6B 27_2_50488C6B
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50488C70 27_2_50488C70
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50482D87 27_2_50482D87
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50482D90 27_2_50482D90
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50482FB0 27_2_50482FB0
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_50481030 32_2_50481030
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_5049C086 32_2_5049C086
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_5049C988 32_2_5049C988
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_50481209 32_2_50481209
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_5049BB80 32_2_5049BB80
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_50488C6B 32_2_50488C6B
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_50488C70 32_2_50488C70
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_50482D87 32_2_50482D87
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_50482D90 32_2_50482D90
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_50482FB0 32_2_50482FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\secinit.exe Code function: String function: 5049A4A0 appears 38 times
Source: C:\Windows\SysWOW64\secinit.exe Code function: String function: 5049A370 appears 38 times
PE file contains strange resources
Source: fTset285bI.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: fTset285bI.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Qybpdxz.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Qybpdxz.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: fTset285bI.exe Virustotal: Detection: 28%
Source: fTset285bI.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\fTset285bI.exe File read: C:\Users\user\Desktop\fTset285bI.exe Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\fTset285bI.exe 'C:\Users\user\Desktop\fTset285bI.exe'
Source: C:\Users\user\Desktop\fTset285bI.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Users\user\Desktop\fTset285bI.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fTset285bI.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\secinit.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 240
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe 'C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe'
Source: unknown Process created: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe 'C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe'
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\SysWOW64\mobsync.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 484
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Windows\SysWOW64\secinit.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 236
Source: C:\Users\user\Desktop\fTset285bI.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\Qybpdxzxxjklicipydzdiinowujxlof[1] Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AC.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@26/22@3/2
Source: C:\Users\user\Desktop\fTset285bI.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6840
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1312
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4788
Source: C:\Users\user\Desktop\fTset285bI.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\fTset285bI.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: profapi.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbo1 source: WerFault.exe, 0000000F.00000003.409099360.00000000057F1000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.406022334.0000000003708000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.489730419.0000000004E5F000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.514625482.000000000491E000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.406017453.0000000003702000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.406276057.000000000370E000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb{ source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000F.00000003.406276057.000000000370E000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001D.00000003.497897039.0000000005137000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000F.00000003.406022334.0000000003708000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb> source: WerFault.exe, 00000022.00000003.523781598.0000000004D01000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdbk source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdb source: WerFault.exe, 0000000F.00000003.409219260.00000000057F3000.00000004.00000040.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001D.00000003.497875440.0000000005130000.00000004.00000040.sdmp
Source: Binary string: mobsync.pdb source: WerFault.exe, 0000001D.00000003.497859249.0000000005331000.00000004.00000001.sdmp
Source: Binary string: secinit.pdb source: WerFault.exe, 0000000F.00000003.409196797.0000000005701000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.523851702.0000000004BA1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000022.00000003.523896029.0000000004D03000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.406017453.0000000003702000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5049B86C push eax; ret 5_2_5049B872
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5049B80B push eax; ret 5_2_5049B872
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5049B802 push eax; ret 5_2_5049B808
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5049510E push ecx; iretd 5_2_50495114
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5049513F push ebp; retf 5_2_50495144
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50496230 push eax; retf 5_2_50496237
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5048C37D pushad ; retf 5_2_5048C34C
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5048C332 pushad ; retf 5_2_5048C34C
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50495D7E push edx; retf 5_2_50495D81
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50494DD5 push edx; iretd 5_2_50494DD7
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_50494E85 push 93A712F1h; ret 5_2_50494E8E
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5048E723 push ebp; retf 5_2_5048E72D
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5049B7B5 push eax; ret 5_2_5049B808
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5049B86C push eax; ret 27_2_5049B872
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5049B80B push eax; ret 27_2_5049B872
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5049B802 push eax; ret 27_2_5049B808
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5049510E push ecx; iretd 27_2_50495114
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5049513F push ebp; retf 27_2_50495144
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50496230 push eax; retf 27_2_50496237
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5048C37D pushad ; retf 27_2_5048C34C
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5048C332 pushad ; retf 27_2_5048C34C
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50495D7E push edx; retf 27_2_50495D81
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50494DD5 push edx; iretd 27_2_50494DD7
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_50494E85 push 93A712F1h; ret 27_2_50494E8E
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5048E723 push ebp; retf 27_2_5048E72D
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 27_2_5049B7B5 push eax; ret 27_2_5049B808
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_5049B86C push eax; ret 32_2_5049B872
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_5049B80B push eax; ret 32_2_5049B872
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_5049B802 push eax; ret 32_2_5049B808
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_5049510E push ecx; iretd 32_2_50495114
Source: C:\Windows\SysWOW64\secinit.exe Code function: 32_2_5049513F push ebp; retf 32_2_50495144
PE file contains sections with non-standard names
Source: fTset285bI.exe Static PE information: section name: .....
Source: fTset285bI.exe Static PE information: section name: ......
Source: fTset285bI.exe Static PE information: section name: .....
Source: fTset285bI.exe Static PE information: section name: ....
Source: fTset285bI.exe Static PE information: section name: ......
Source: fTset285bI.exe Static PE information: section name: ....
Source: fTset285bI.exe Static PE information: section name: ......
Source: fTset285bI.exe Static PE information: section name: ......
Source: fTset285bI.exe Static PE information: section name: .....
Source: Qybpdxz.exe.0.dr Static PE information: section name: .....
Source: Qybpdxz.exe.0.dr Static PE information: section name: ......
Source: Qybpdxz.exe.0.dr Static PE information: section name: .....
Source: Qybpdxz.exe.0.dr Static PE information: section name: ....
Source: Qybpdxz.exe.0.dr Static PE information: section name: ......
Source: Qybpdxz.exe.0.dr Static PE information: section name: ....
Source: Qybpdxz.exe.0.dr Static PE information: section name: ......
Source: Qybpdxz.exe.0.dr Static PE information: section name: ......
Source: Qybpdxz.exe.0.dr Static PE information: section name: .....
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: ......

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\fTset285bI.exe File created: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Jump to dropped file
Source: C:\Users\user\Desktop\fTset285bI.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Qybpdxz Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Qybpdxz Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon4828.png
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_504888C0 rdtsc 5_2_504888C0
Source: WerFault.exe, 0000000F.00000002.431569582.00000000036BF000.00000004.00000020.sdmp, Qybpdxz.exe, 00000016.00000003.440961646.000000000072B000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.532842830.0000000004E50000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000002.558910221.0000000004910000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Qybpdxz.exe, 00000016.00000003.440961646.000000000072B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_504888C0 rdtsc 5_2_504888C0
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\secinit.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\secinit.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\secinit.exe Code function: 5_2_5048A000 LdrInitializeThunk, 5_2_5048A000

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\fTset285bI.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 50480000 Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 2E20000 Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 2E30000 Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50480000 Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 660000 Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 670000 Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 50480000 Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F30000 Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F40000 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\fTset285bI.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2E20000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\fTset285bI.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2E30000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 660000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 670000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F30000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F40000 protect: page execute and read and write Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\fTset285bI.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 2E30000 Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 670000 Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 2F40000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\fTset285bI.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe Jump to behavior
Source: mobsync.exe, 0000001B.00000000.481817173.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: mobsync.exe, 0000001B.00000000.481817173.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: mobsync.exe, 0000001B.00000000.481817173.0000000002F30000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: mobsync.exe, 0000001B.00000000.481817173.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Libraries\Qybpdxz\Qybpdxz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000020.00000000.499908275.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.434632754.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.483776660.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.401918878.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.400917340.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.541225227.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.396428901.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.560729262.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.482020111.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.478412279.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.496967732.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.501814123.0000000050481000.00000040.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491713 Sample: fTset285bI.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->55 57 3 other signatures 2->57 8 fTset285bI.exe 1 22 2->8         started        13 Qybpdxz.exe 13 2->13         started        15 Qybpdxz.exe 14 2->15         started        process3 dnsIp4 47 cdn.discordapp.com 162.159.130.233, 443, 49740, 49741 CLOUDFLARENETUS United States 8->47 45 C:\Users\Public\Libraries\...\Qybpdxz.exe, PE32 8->45 dropped 59 Writes to foreign memory regions 8->59 61 Allocates memory in foreign processes 8->61 63 Creates a thread in another existing process (thread injection) 8->63 17 cmd.exe 1 8->17         started        19 cmd.exe 1 8->19         started        21 secinit.exe 8->21         started        49 162.159.133.233, 443, 49744 CLOUDFLARENETUS United States 13->49 65 Multi AV Scanner detection for dropped file 13->65 23 mobsync.exe 13->23         started        25 secinit.exe 15->25         started        file5 signatures6 process7 process8 27 reg.exe 1 17->27         started        29 conhost.exe 17->29         started        31 cmd.exe 1 19->31         started        33 conhost.exe 19->33         started        35 WerFault.exe 23 9 21->35         started        37 WerFault.exe 19 9 23->37         started        39 WerFault.exe 9 25->39         started        process9 41 conhost.exe 27->41         started        43 conhost.exe 31->43         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.159.130.233
 cdn.discordapp.com United States
13335 CLOUDFLARENETUS false
162.159.133.233
 unknown United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
cdn.discordapp.com 162.159.130.233 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.llaa11.xyz/scb0/ true
  • Avira URL Cloud: safe
 low
https://cdn.discordapp.com/attachments/836211098164265024/892047706770509844/Qybpdxzxxjklicipydzdiinowujxlof false
    		high