Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.simpeltattofor.men/mjyv/"], "decoy": ["wenyuexuan.com", "tropicaldepression.info", "healthylifefit.com", "reemletenleafy.com", "jmrrve.com", "mabduh.com", "esomvw.com", "selfcaresereneneness.com", "murdabudz.com", "meinemail.online", "brandqrcodes.com", "live-in-pflege.com", "nickrecovery.com", "ziototoristorante.com", "chatcure.com", "corlora.com", "localagentlab.com", "yogo7.net", "krveop.com", "heianswer.xyz", "idproslot.xyz", "anielleharris.com", "lebonaharchitects.com", "chilestew.com", "ventasdecasasylotes.xyz", "welcome-sber.store", "ahmedintisher.com", "pastlinks.com", "productprinting.online", "babybox.media", "volteraenergy.net", "chinatowndeliver.com", "behiscalm.com", "totalselfconfidence.net", "single-on-purpose.com", "miyonbuilding.com", "medicalmanagementinc.info", "bellaalubo.com", "dubaibiologicdentist.com", "jspagnier-graveur.com", "deskbk.com", "thehauntdepot.com", "5fbuy.com", "calmingscience.com", "luvnecklace.com", "noun-bug.com", "mysenarai.com", "socialmediaplugin.com", "livinglovinglincoln.com", "vaxfreeschool.com", "bjjinmei.com", "p60p.com", "upgradepklohb.xyz", "georges-lego.com", "lkkogltoyof4.xyz", "fryhealty.com", "peacetransformationpath.com", "lightfootsteps.com", "recreativemysteriousgift.com", "luminoza.website", "mccorklehometeam.com", "car-insurance-rates-x2.info", "serpasboutiquedecarnes.com", "1971event.com"]} |
Source: Yara match | File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY |
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80 |
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80 |
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80 |
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80 |
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80 |
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80 |
Source: C:\Windows\explorer.exe | Network Connect: 108.179.246.105 80 | |
Source: C:\Windows\explorer.exe | Domain query: www.corlora.com | |
Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80 | |
Source: C:\Windows\explorer.exe | Domain query: www.thehauntdepot.com | |
Source: C:\Windows\explorer.exe | Domain query: www.bellaalubo.com | |
Source: C:\Windows\explorer.exe | Domain query: www.pastlinks.com | |
Source: C:\Windows\explorer.exe | Network Connect: 35.246.6.109 80 | |
Source: C:\Windows\explorer.exe | Network Connect: 54.85.93.188 80 | |
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80 | |
Source: C:\Windows\explorer.exe | Domain query: www.jspagnier-graveur.com | |
Source: C:\Windows\explorer.exe | Domain query: www.behiscalm.com | |
Source: C:\Windows\explorer.exe | Domain query: www.productprinting.online | |
Source: C:\Windows\explorer.exe | Domain query: www.miyonbuilding.com | |
Source: global traffic | HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw== HTTP/1.1 Host: www.bellaalubo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: |
Source: global traffic | HTTP traffic detected: GET /mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 Host: www.behiscalm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: |
Source: global traffic | HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== HTTP/1.1 Host: www.productprinting.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: |
Source: global traffic | HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg== HTTP/1.1 Host: www.corlora.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: |
Source: global traffic | HTTP traffic detected: GET /mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 Host: www.jspagnier-graveur.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: |
Source: global traffic | HTTP traffic detected: GET /mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 Host: www.chinatowndeliver.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: http://c.statcounter.com/9484561/0/b0cbab70/1/ |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: http://statcounter.com/ |
Source: explorer.exe, 00000005.00000000.391155069.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.namebrightstatic.com/images/bg.png) |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.namebrightstatic.com/images/error_board.png) |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.namebrightstatic.com/images/header_bg.png) |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.namebrightstatic.com/images/logo_off.gif) |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.namebrightstatic.com/images/site_maintenance.png) |
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_008E275D | 0_2_008E275D |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01792060 | 0_2_01792060 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01796080 | 0_2_01796080 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_017947A0 | 0_2_017947A0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01796620 | 0_2_01796620 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01792A48 | 0_2_01792A48 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01797080 | 0_2_01797080 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_017954E8 | 0_2_017954E8 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_017919D0 | 0_2_017919D0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_017941A8 | 0_2_017941A8 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01794E00 | 0_2_01794E00 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_0179B1E8 | 0_2_0179B1E8 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01793040 | 0_2_01793040 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_0179B808 | 0_2_0179B808 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01793BC0 | 0_2_01793BC0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_00911D21 | 0_2_00911D21 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_008E6458 | 0_2_008E6458 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00401030 | 3_2_00401030 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041C970 | 3_2_0041C970 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041B9BF | 3_2_0041B9BF |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041D294 | 3_2_0041D294 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041CBD1 | 3_2_0041CBD1 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00408C80 | 3_2_00408C80 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041CC9E | 3_2_0041CC9E |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00402D88 | 3_2_00402D88 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00402D90 | 3_2_00402D90 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_008E275D | 3_2_008E275D |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00911D21 | 3_2_00911D21 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_008E6458 | 3_2_008E6458 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05220D20 | 9_2_05220D20 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05244120 | 9_2_05244120 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0522F900 | 9_2_0522F900 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F2D07 | 9_2_052F2D07 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F1D55 | 9_2_052F1D55 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05252581 | 9_2_05252581 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0523D5E0 | 9_2_0523D5E0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052E1002 | 9_2_052E1002 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0523841F | 9_2_0523841F |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052520A0 | 9_2_052520A0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F20A8 | 9_2_052F20A8 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0523B090 | 9_2_0523B090 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F2B28 | 9_2_052F2B28 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0525EBB0 | 9_2_0525EBB0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F1FF1 | 9_2_052F1FF1 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05246E30 | 9_2_05246E30 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F22AE | 9_2_052F22AE |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F2EF7 | 9_2_052F2EF7 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DDB9BF | 9_2_00DDB9BF |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DDC970 | 9_2_00DDC970 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DDD294 | 9_2_00DDD294 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DDCBD1 | 9_2_00DDCBD1 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DDCC9E | 9_2_00DDCC9E |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DC8C80 | 9_2_00DC8C80 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DC2D90 | 9_2_00DC2D90 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DC2D88 | 9_2_00DC2D88 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DC2FB0 | 9_2_00DC2FB0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_004185E0 NtCreateFile, | 3_2_004185E0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00418690 NtReadFile, | 3_2_00418690 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00418710 NtClose, | 3_2_00418710 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_004187C0 NtAllocateVirtualMemory, | 3_2_004187C0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_004185DA NtCreateFile, | 3_2_004185DA |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041868A NtReadFile, | 3_2_0041868A |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041868C NtReadFile, | 3_2_0041868C |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 9_2_05269910 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269540 NtReadFile,LdrInitializeThunk, | 9_2_05269540 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052699A0 NtCreateSection,LdrInitializeThunk, | 9_2_052699A0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052695D0 NtClose,LdrInitializeThunk, | 9_2_052695D0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269860 NtQuerySystemInformation,LdrInitializeThunk, | 9_2_05269860 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269840 NtDelayExecution,LdrInitializeThunk, | 9_2_05269840 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269710 NtQueryInformationToken,LdrInitializeThunk, | 9_2_05269710 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269780 NtMapViewOfSection,LdrInitializeThunk, | 9_2_05269780 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269FE0 NtCreateMutant,LdrInitializeThunk, | 9_2_05269FE0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269660 NtAllocateVirtualMemory,LdrInitializeThunk, | 9_2_05269660 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269650 NtQueryValueKey,LdrInitializeThunk, | 9_2_05269650 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269A50 NtCreateFile,LdrInitializeThunk, | 9_2_05269A50 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052696E0 NtFreeVirtualMemory,LdrInitializeThunk, | 9_2_052696E0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052696D0 NtCreateKey,LdrInitializeThunk, | 9_2_052696D0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269520 NtWaitForSingleObject, | 9_2_05269520 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0526AD30 NtSetContextThread, | 9_2_0526AD30 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269560 NtWriteFile, | 9_2_05269560 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269950 NtQueueApcThread, | 9_2_05269950 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052695F0 NtQueryInformationFile, | 9_2_052695F0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052699D0 NtCreateProcessEx, | 9_2_052699D0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269820 NtEnumerateKey, | 9_2_05269820 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0526B040 NtSuspendThread, | 9_2_0526B040 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052698A0 NtWriteVirtualMemory, | 9_2_052698A0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052698F0 NtReadVirtualMemory, | 9_2_052698F0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269730 NtQueryVirtualMemory, | 9_2_05269730 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269B00 NtSetValueKey, | 9_2_05269B00 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0526A710 NtOpenProcessToken, | 9_2_0526A710 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269760 NtOpenProcess, | 9_2_05269760 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269770 NtSetInformationFile, | 9_2_05269770 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0526A770 NtOpenThread, | 9_2_0526A770 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052697A0 NtUnmapViewOfSection, | 9_2_052697A0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0526A3B0 NtGetContextThread, | 9_2_0526A3B0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269A20 NtResumeThread, | 9_2_05269A20 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269A00 NtProtectVirtualMemory, | 9_2_05269A00 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269610 NtEnumerateValueKey, | 9_2_05269610 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269A10 NtQuerySection, | 9_2_05269A10 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269670 NtQueryInformationProcess, | 9_2_05269670 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269A80 NtOpenDirectoryObject, | 9_2_05269A80 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD85E0 NtCreateFile, | 9_2_00DD85E0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD8690 NtReadFile, | 9_2_00DD8690 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD87C0 NtAllocateVirtualMemory, | 9_2_00DD87C0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD8710 NtClose, | 9_2_00DD8710 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD85DA NtCreateFile, | 9_2_00DD85DA |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD868C NtReadFile, | 9_2_00DD868C |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD868A NtReadFile, | 9_2_00DD868A |
Source: unknown | Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe 'C:\Users\user\Desktop\UaTmOE6yP9.exe' | |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe | |
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe | |
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe' | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |