Source: 00000000.00000002.834854327.00000000021C0000.00000040.00000001.sdmp
Malware Configuration Extractor: GuLoader {"Payload URL": "http://45.137.22.91/blm.bin"}
Source: Yara match
File source: AfWu3i35ny.exe, type: SAMPLE
Source: Yara match
File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match
File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match
File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack
Avira: Label: TR/Dropper.Gen2
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack
Avira: Label: TR/Dropper.Gen2
Source: AfWu3i35ny.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Malware configuration extractor
URLs: http://45.137.22.91/blm.bin
Source: AfWu3i35ny.exe, 00000000.00000002.833477625.000000000066A000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
|
Source: Yara match |
File source: AfWu3i35ny.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: AfWu3i35ny.exe, type: SAMPLE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: AfWu3i35ny.exe, type: SAMPLE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: AfWu3i35ny.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: AfWu3i35ny.exe, type: SAMPLE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: AfWu3i35ny.exe, type: SAMPLE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: AfWu3i35ny.exe, 00000000.00000000.306480854.0000000000446000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameDikter.exe vs AfWu3i35ny.exe |
Source: AfWu3i35ny.exe, 00000000.00000002.835081490.0000000002A10000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameDikter.exeFE2X vs AfWu3i35ny.exe |
Source: AfWu3i35ny.exe |
Binary or memory string: OriginalFilenameDikter.exe vs AfWu3i35ny.exe |
Source: AfWu3i35ny.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_0043802D
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_0043212D
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_0043234D
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_004303CD
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_00421E50
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_00422F20
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C6672
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C8706
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C6872
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C69A6
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: String function: 0040177E appears 94 times
|
Source: C:\Users\user\Desktop\AfWu3i35ny.exe |
Process Stats: CPU usage > 98% |
Source: AfWu3i35ny.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine |
Classification label: mal100.rans.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000000.00000002.834854327.00000000021C0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_00402070 push ebx; iretd (0_2_004020D4)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_0040F87D push ds; ret (0_2_0040F8A3)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_004059C4 push cs; iretw (0_2_004059FA)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_00421DAF push eax; ret (0_2_00421DB5)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_00421E19 push eax; ret (0_2_00421E1F)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C027E push ds; iretd (0_2_021C0391)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C766E push ds; iretd (0_2_021C7688)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C030C push ds; iretd (0_2_021C0391)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C1F50 push ebp; ret (0_2_021C1F64)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C0392 push ds; iretd (0_2_021C0391)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C4FB9 pushfd ; iretd (0_2_021C4FC4)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C78EB push ebx; iretd (0_2_021C78FC)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C74E1 push edi; iretd (0_2_021C74E4)
Source: initial sample |
Static PE information: section name: .text entropy: 7.17479842318 |
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AfWu3i35ny.exe |
RDTSC instruction interceptor: First address: 00000000021CA82E second address: 00000000021CA82E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 27162939h 0x00000007 add eax, FB6A8BD9h 0x0000000c add eax, 26ECCA53h 0x00000011 sub eax, 496D7F64h 0x00000016 cpuid 0x00000018 test cl, bl 0x0000001a popad 0x0000001b call 00007F23608F1008h 0x00000020 lfence 0x00000023 mov edx, 3E29BAC0h 0x00000028 sub edx, 048E8A76h 0x0000002e sub edx, 3246429Ah 0x00000034 xor edx, 78AAEDA4h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f cmp dl, al 0x00000041 cmp edx, D97DEC47h 0x00000047 test ah, dh 0x00000049 cmp bx, ax 0x0000004c ret 0x0000004d sub edx, esi 0x0000004f ret 0x00000050 cmp bh, ch 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dl, cl 0x0000005c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000063 jne 00007F23608F0FE3h 0x00000065 test ch, bh 0x00000067 cmp cl, 00000012h 0x0000006a call 00007F23608F10CEh 0x0000006f call 00007F23608F102Bh 0x00000074 lfence 0x00000077 mov edx, 3E29BAC0h 0x0000007c sub edx, 048E8A76h 0x00000082 sub edx, 3246429Ah 0x00000088 xor edx, 78AAEDA4h 0x0000008e mov edx, dword ptr [edx] 0x00000090 lfence 0x00000093 cmp dl, al 0x00000095 cmp edx, D97DEC47h 0x0000009b test ah, dh 0x0000009d cmp bx, ax 0x000000a0 ret 0x000000a1 mov esi, edx 0x000000a3 pushad 0x000000a4 rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_004379AD rdtsc
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021CA3C8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C8012 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_021C9D8F mov eax, dword ptr fs:[00000030h]
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\AfWu3i35ny.exe
Code function: 0_2_004379AD rdtsc
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: Yara match |
File source: AfWu3i35ny.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY |