
Windows Analysis Report: document de commande.scr

Overview

General Information

Sample Name: document de commande.scr (renamed file extension from scr to exe)
Analysis ID: 502021
MD5: 1823dce627d29f5d4985501267f7ad9f
SHA1: 1ce10042fccf2c8fcb2b0a93723f24b6c3b4ffb3
SHA256: c14ba2023f89dc57df157690e40042b8b090906257c59b6e5834b2212cd3142e
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • document de commande.exe (PID: 3116 cmdline: 'C:\Users\user\Desktop\document de commande.exe' MD5: 1823DCE627D29F5D4985501267F7AD9F)
    • document de commande.exe (PID: 6756 cmdline: C:\Users\user\Desktop\document de commande.exe MD5: 1823DCE627D29F5D4985501267F7AD9F)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 6420 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 5888 cmdline: /c del 'C:\Users\user\Desktop\document de commande.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
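The chain in this tree (the sample re-launching itself for hollowing, explorer.exe then spawning a bare C:\Windows\SysWOW64\chkdsk.exe, and chkdsk.exe spawning cmd.exe /c del on the original file) is visible in ordinary process-creation telemetry even though the report shows no Sigma match. The following is an added example, not part of the Joe Sandbox report: three hunting rules run over constructed Sysmon-style process-creation records whose PIDs and paths are taken from the tree above. The record layout, the explorer.exe and cmd.exe image paths, and the benign control rows (PIDs 7000 and 7001) are assumptions.

```python
"""Hunt for the FormBook process chain shown in the report's process tree.

Added example, not part of the Joe Sandbox report.  The records below are
constructed in a Sysmon Event ID 1 shape with PIDs and paths copied from the
tree; the record layout, the explorer.exe/cmd.exe image paths and the benign
control rows (7000, 7001) are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation records: pid | ppid | image | command line
SAMPLE_LOG = r"""
3424 | 900  | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
3116 | 3424 | C:\Users\user\Desktop\document de commande.exe | 'C:\Users\user\Desktop\document de commande.exe'
6756 | 3116 | C:\Users\user\Desktop\document de commande.exe | C:\Users\user\Desktop\document de commande.exe
6420 | 3424 | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\SysWOW64\chkdsk.exe
5888 | 6420 | C:\Windows\SysWOW64\cmd.exe | /c del 'C:\Users\user\Desktop\document de commande.exe'
6224 | 5888 | C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7000 | 3424 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe"
7001 | 7000 | C:\Windows\System32\chkdsk.exe | chkdsk C: /scan
"""

USER_WRITABLE = re.compile(r"^C:\\Users\\", re.IGNORECASE)
SYSWOW64_BIN = re.compile(r"^C:\\Windows\\SysWOW64\\[^\\]+\.exe$", re.IGNORECASE)
DEL_CMD = re.compile(r"/c\s+del\s+['\"]?(?P<path>[^'\"]+?\.exe)['\"]?\s*$", re.IGNORECASE)
# Utilities that never legitimately spawn a shell; chkdsk.exe is the one in this report.
NO_SHELL_PARENTS = {"chkdsk.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[ProcEvent]:
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = (f.strip() for f in line.split("|", 3))
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def hunt(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) for every record that matches one of three rules."""
    by_pid = {e.pid: e for e in events}
    seen_images = {e.image.lower() for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: cmd.exe /c del of a user-writable executable that itself ran in this
        # telemetry.  Deliberately independent of the parent chain: outside a sandbox
        # explorer.exe is not a child of the sample, so the link is the deleted path.
        m = DEL_CMD.search(e.cmdline)
        if basename(e.image) == "cmd.exe" and m:
            target = m.group("path")
            if USER_WRITABLE.match(target) and target.lower() in seen_images:
                hits.append(("self_delete_via_cmd", e.pid, target))
        # Rule 2: explorer.exe launching a 32-bit system binary with nothing but its own path.
        if parent and basename(parent.image) == "explorer.exe" and SYSWOW64_BIN.match(e.image):
            if e.cmdline.strip().strip("'\"").lower() == e.image.lower():
                hits.append(("explorer_spawns_bare_syswow64_binary", e.pid, e.image))
        # Rule 3: a maintenance utility spawning a shell.
        if parent and basename(parent.image) in NO_SHELL_PARENTS and basename(e.image) == "cmd.exe":
            hits.append(("utility_spawns_shell", e.pid, f"{basename(parent.image)} -> cmd.exe"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in hunt(parse_log(SAMPLE_LOG)):
        print(f"{rule:<40} pid={pid:<5} {detail}")
```

Rule 2 keys on a 32-bit system binary launched by explorer.exe with nothing but its own path as command line; a legitimate chkdsk run carries arguments and a console parent, as the control rows show, and is not flagged. Rule 1 fires on PID 5888 because the deleted path is an executable under C:\Users that itself appears as a process image in the same telemetry.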

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yourherogarden.net/dn7r/"], "decoy": ["eventphotographerdfw.com", "thehalalcoinstaking.com", "philipfaziofineart.com", "intercoh.com", "gaiaseyephotography.com", "chatbotforrealestate.com", "lovelancemg.com", "marlieskasberger.com", "elcongoenespanol.info", "lepirecredit.com", "distribution-concept.com", "e99game.com", "exit11festival.com", "twodollartoothbrushclub.com", "cocktailsandlawn.com", "performimprove.network", "24horas-telefono-11840.com", "cosmossify.com", "kellenleote.com", "perovskite.energy", "crosschain.services", "xiwanghe.com", "mollycayton.com", "bonipay.com", "uuwyxc.com", "viberiokno-online.com", "mobceo.com", "menzelna.com", "tiffaniefoster.com", "premiumautowesthartford.com", "ownhome.house", "bestmartinshop.com", "splashstoreofficial.com", "guidemining.com", "ecshopdemo.com", "bestprinting1.com", "s-circle2020.com", "ncagency.info", "easydigitalzone.com", "reikiforthecollective.com", "theknottteam.com", "evolvedpixel.com", "japxo.online", "ryansqualityrenovations.com", "dentimagenquito.net", "pantherprints.co.uk", "apoporangi.com", "thietkemietvuon.net", "ifernshop.com", "casaruralesgranada.com", "camp-3saumons.com", "eddsucks.com", "blwcd.com", "deldlab.com", "susanperb.com", "autosanitizingsolutions.com", "femhouse.com", "ironcageclash.com", "thekinghealer.com", "shaghayeghbovand.com", "advertfaces.com", "lonriley.com", "mased-world.online", "mythicspacex.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings: the same ten $sequence_N hits, at the same offsets, as in the 00000009 … 4C60000 dump above (0x9908, 0x9b82, 0x156b5, 0x151a1, 0x157b7, 0x1592f, 0xa59a, 0x1441c, 0xb293, 0x1b927, 0x1c92a)
(24 further entries are collapsed in the report and not reproduced here)

Note on the strings: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the RDTSC timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature above. Each JPCERT string is a single push imm32 (68 xx xx xx xx); the rule's string names identify the pushed constants as hashes of the sqlite3_step, sqlite3_column_text and sqlite3_column_blob API names, which the payload resolves by hash at run time rather than importing by name.

      Unpacked PEs

Source | Rule | Description | Author
3.2.document de commande.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.document de commande.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.document de commande.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
3.2.document de commande.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.document de commande.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(3 further entries are collapsed in the report and not reproduced here)

Note on the offsets: every string sits exactly 0xE00 bytes lower in the .unpack dump than in the .raw.unpack dump and the process memory dumps (0x8b08 vs 0x9908, 0x17a49 vs 0x18849, and so on). The .unpack image has been rebuilt with file alignment (first section at 0x200 instead of 0x1000), while .raw.unpack and the memory dumps keep the in-memory section layout, so offsets taken from one cannot be applied to the other without converting between raw and virtual addresses.

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (C2 list and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: document de commande.exe; Virustotal: Detection: 31%
Source: document de commande.exe; Metadefender: Detection: 22%
Source: document de commande.exe; ReversingLabs: Detection: 50%
Yara detected FormBook
Source: Yara match; File source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORY
Source: 3.2.document de commande.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: document de commande.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: document de commande.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: chkdsk.pdbGCTL; found in: document de commande.exe, 00000003.00000002.752978247.0000000001A10000.00000040.00020000.sdmp
Source: Binary string: chkdsk.pdb; found in: document de commande.exe, 00000003.00000002.752978247.0000000001A10000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP; found in: document de commande.exe, 00000003.00000002.753021342.0000000001A20000.00000040.00000001.sdmp, chkdsk.exe, 00000009.00000002.932346690.00000000051DF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; found in: document de commande.exe, 00000003.00000002.753021342.0000000001A20000.00000040.00000001.sdmp, chkdsk.exe, 00000009.00000002.932346690.00000000051DF000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\document de commande.exe; Code function: 4x nop then jmp 06AF0D4Bh (0_2_06AF0412)
Source: C:\Users\user\Desktop\document de commande.exe; Code function: 4x nop then pop edi (3_2_00417DBC)
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 4x nop then pop edi (9_2_04D77DBC)
Note: the chkdsk.pdb and wntdll.pdb strings inside the hollowed sample process (analysis id 3) show that it mapped a private copy of chkdsk.exe and of the 32-bit ntdll before injecting, and the nop-then-pop-edi function at 3_2_00417DBC and 9_2_04D77DBC is the same payload function at the same offset (0x17DBC) from two image bases: 0x400000 in the hollowed sample and 0x4D60000 inside chkdsk.exe, which is the 00000009 … 0000000004D60000 region listed among the Yara memory hits above.

          Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.ecshopdemo.com
Source: C:\Windows\explorer.exe; Domain query: www.gaiaseyephotography.com
Source: C:\Windows\explorer.exe; Network Connect: 217.160.0.186 80
Source: C:\Windows\explorer.exe; Domain query: www.casaruralesgranada.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.yourherogarden.net/dn7r/
Source: Joe Sandbox View; ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: global traffic; HTTP traffic detected:
  GET /dn7r/?iR-Tzb=13xKs1CRhM6TBkg9XZx8aHv4jtF4dS/6+j4tMM4NOYQaHb7QxT/SxMO9vodW3MT/P4hK&qVV8Aj=6lIHIj6PDtc HTTP/1.1
  Host: www.casaruralesgranada.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty; no User-Agent header is sent)
Note: the three names explorer.exe resolved and the Host of this request all come from the decoy list in the configuration, and the report records no contact with the configured C2 host www.yourherogarden.net. FormBook sends the same beacon (the C2 path /dn7r/ with a two-parameter query) to decoy domains as to the real C2, so these hosts are evidence of infection on the client but are unrelated sites rather than operator infrastructure.
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html
  Content-Length: 1271
  Connection: close
  Date: Wed, 13 Oct 2021 12:28:53 GMT
  Server: Apache
  X-Frame-Options: deny
  Data (the report's hex dump, decoded to text here; the dump is truncated in the report):
  <!DOCTYPE html>
  <html>
   <head>
    <meta charset="utf-8">
    <style type="text/css">
     html, body, #partner, iframe {
        height:100%; width:100%; margin:0; padding:0; border:0; outline:0;
        font-size:100%; vertical-align:baseline; background:transparent;
     }
     body { overflow:hidden; }
    </style>
    <meta content="NOW" name="expires">
    <meta content="index, follow, all" name="GOOGLEBOT">
    <meta content="index, follow, all" name="robots">
    <!-- Following Meta-Tag fixes scaling-issues on mobile devices -->
    <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport">
   </head>
   <body>
    <div id="partner">
    </div>
    <script type="text/javascript">
     document.write(
                    '<script type=…
  The body is a generic domain-parking placeholder (a full-page #partner frame filled in by script), consistent with www.casaruralesgranada.com being a decoy rather than live C2 infrastructure.
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: document de commande.exe, 00000000.00000002.681705664.00000000025C1000.00000004.00000001.sdmp; String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: document de commande.exe, 00000000.00000002.684698712.00000000066E2000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Note: these are font-foundry and license URLs of the kind carried in font metadata, all found in the initial .NET loader process (analysis id 0) rather than in the unpacked payload; the report shows no traffic to any of them, and they should not be treated as network indicators.
Source: unknown; DNS traffic detected: queries for: www.ecshopdemo.com
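The one HTTP request in the report went to www.casaruralesgranada.com, a decoy-list name, with the configured C2 path /dn7r/ and a two-parameter query whose first value is a long base64-alphabet blob. The following is an added example, not part of the Joe Sandbox report: it loads the extracted configuration, then classifies proxy and DNS records by whether the host is the configured C2, a decoy, or unknown, and whether the request has that beacon shape. The C2 entry, the decoy names, the observed GET and the three names explorer.exe resolved are copied from the report; the decoy list is a subset of the 64 entries, the other log records are constructed, and the log layout and the beacon-shape heuristic (exactly two parameters, the first a base64-alphabet string of at least 40 characters, the second a short alphanumeric token) are assumptions.

```python
"""Triage HTTP and DNS records against the FormBook configuration in the report.

Added example, not part of the Joe Sandbox report.  The C2 entry, the decoy
names, the first HTTP record and the first three DNS names are copied from the
report; the decoy list is a subset of the 64 entries, the remaining records are
constructed, and the log layout and the beacon-shape heuristic are assumptions.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.yourherogarden.net/dn7r/"],
    "decoy": [  # subset of the report's 64 decoy domains
        "eventphotographerdfw.com", "gaiaseyephotography.com", "casaruralesgranada.com",
        "ecshopdemo.com", "perovskite.energy", "pantherprints.co.uk",
    ],
}

# Constructed proxy log: timestamp | host | method | uri | user-agent ("-" = header absent).
# Record 1 is the request the sandbox captured; records 2-4 are constructed.
SAMPLE_HTTP = """
2021-10-13T12:28:53Z | www.casaruralesgranada.com | GET | /dn7r/?iR-Tzb=13xKs1CRhM6TBkg9XZx8aHv4jtF4dS/6+j4tMM4NOYQaHb7QxT/SxMO9vodW3MT/P4hK&qVV8Aj=6lIHIj6PDtc | -
2021-10-13T12:29:10Z | www.yourherogarden.net | GET | /dn7r/?iR-Tzb=Q2xpZW50IGJlYWNvbiBibG9iIHRoYXQgaXMgbG9uZyBlbm91Z2g&qVV8Aj=6lIHIj6PDtc | -
2021-10-13T12:30:00Z | www.ecshopdemo.com | GET | /index.php?route=product/category&path=20 | Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2021-10-13T12:31:42Z | cdn.example.net | GET | /dn7r/?a1Bc=ZmFrZS1iZWFjb24tYmxvYi13aXRoLWVub3VnaC1sZW5ndGgtdG8tbWF0Y2g&zz=abc | -
"""

# DNS queries: the first three are the names explorer.exe resolved in the report; the last is constructed.
SAMPLE_DNS = ["www.ecshopdemo.com", "www.gaiaseyephotography.com",
              "www.casaruralesgranada.com", "update.example.org"]

BLOB = re.compile(r"^[A-Za-z0-9+/=]{40,}$")  # assumed shape of the encrypted beacon blob


def norm_host(host: str) -> str:
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_c2(entry: str) -> tuple[str, str]:
    # "www.yourherogarden.net/dn7r/" -> ("yourherogarden.net", "/dn7r/")
    host, _, path = entry.partition("/")
    return norm_host(host), "/" + path


class FormBookTriage:
    def __init__(self, config: dict) -> None:
        c2 = [parse_c2(e) for e in config["C2 list"]]
        self.c2_hosts = {h for h, _ in c2}
        self.c2_paths = {p for _, p in c2}
        self.decoys = {norm_host(d) for d in config["decoy"]}

    def host_role(self, host: str) -> str:
        h = norm_host(host)
        if h in self.c2_hosts:
            return "c2"
        if h in self.decoys:
            return "decoy"
        return "unknown"

    def beacon_shaped(self, uri: str) -> bool:
        """C2 path plus exactly two params: a long base64-alphabet blob and a short token.
        The query is split by hand because the blob contains '+' and '/', which
        urllib.parse.parse_qs would decode or mangle."""
        parts = urlsplit(uri)
        if parts.path not in self.c2_paths:
            return False
        params = [p.split("=", 1) for p in parts.query.split("&") if p]
        if len(params) != 2 or any(len(kv) != 2 for kv in params):
            return False
        (_, blob), (_, token) = params
        return bool(BLOB.match(blob)) and token.isalnum()

    def triage_http(self, log: str) -> list[dict]:
        results = []
        for line in log.strip().splitlines():
            ts, host, method, uri, ua = (f.strip() for f in line.split(" | ", 4))
            role, beacon = self.host_role(host), self.beacon_shaped(uri)
            if beacon:
                verdict = {"c2": "confirmed_c2_contact", "decoy": "decoy_beacon",
                           "unknown": "new_c2_candidate"}[role]
            else:
                verdict = {"c2": "c2_host_other_request", "decoy": "benign_decoy_site",
                           "unknown": "none"}[role]
            results.append({"ts": ts, "host": host, "method": method, "role": role,
                            "beacon": beacon, "no_user_agent": ua == "-", "verdict": verdict})
        return results

    def triage_dns(self, names: list[str]) -> dict[str, str]:
        return {n: self.host_role(n) for n in names}


if __name__ == "__main__":
    t = FormBookTriage(CONFIG)
    for r in t.triage_http(SAMPLE_HTTP):
        print(f"{r['ts']} {r['host']:<30} {r['verdict']:<22} no_ua={r['no_user_agent']}")
    print(t.triage_dns(SAMPLE_DNS))
```

A decoy_beacon verdict means the client is infected but the host belongs to an unrelated site and should not go on a C2 block list; confirmed_c2_contact is the configured host, and new_c2_candidate (a beacon-shaped request with the configured path to a host in neither list) is what to chase when the operator has moved the C2. The missing User-Agent on every beacon-shaped record is the same property the report flags as "HTTP GET or POST without a user agent".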

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match; file sources are the same eleven unpacked-PE and memory regions listed under "Yara detected FormBook" in AV Detection above.

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: document de commande.exe
Source: document de commande.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.document de commande.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.document de commande.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.931899511.0000000004C60000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.752772430.00000000015B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.931429948.0000000000320000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.732469683.000000000DA3A000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.752388131.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.714080485.000000000DA3A000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.752920867.00000000019E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.932067660.0000000004D60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.682235921.00000000035C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 0_2_002266FF
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 0_2_00224351
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 0_2_06AF0040
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041D97A
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041EC8A
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041DCAE
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_00409E5B
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_00409E60
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041E690
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_00402FB0
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_00FC4351
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_00FC66FF
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7EC8A
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D62D90
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7E690
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D69E5B
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D69E60
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D62FB0
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041A360 NtCreateFile
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041A410 NtReadFile
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041A490 NtClose
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041A540 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041A35A NtCreateFile
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041A40A NtReadFile
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041A48A NtClose
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7A490 NtClose
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7A410 NtReadFile
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7A540 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7A360 NtCreateFile
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7A48A NtClose
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7A40A NtReadFile
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7A35A NtCreateFile
          Source: document de commande.exe  Binary or memory string: OriginalFilename vs document de commande.exe
          Source: document de commande.exe, 00000000.00000002.686561299.0000000007340000.00000004.00020000.sdmp  Binary or memory string: OriginalFilenameUI.dll< vs document de commande.exe
          Source: document de commande.exe, 00000003.00000002.753270968.0000000001B3F000.00000040.00000001.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs document de commande.exe
          Source: document de commande.exe, 00000003.00000002.753001435.0000000001A16000.00000040.00020000.sdmp  Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs document de commande.exe
          Source: document de commande.exe  Binary or memory string: OriginalFilenameTimeZo.exe4 vs document de commande.exe
          Source: document de commande.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: document de commande.exe  Virustotal: Detection: 31%
          Source: document de commande.exe  Metadefender: Detection: 22%
          Source: document de commande.exe  ReversingLabs: Detection: 50%
          Source: C:\Users\user\Desktop\document de commande.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown  Process created: C:\Users\user\Desktop\document de commande.exe 'C:\Users\user\Desktop\document de commande.exe'
          Source: C:\Users\user\Desktop\document de commande.exe  Process created: C:\Users\user\Desktop\document de commande.exe C:\Users\user\Desktop\document de commande.exe
          Source: C:\Windows\explorer.exe  Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\document de commande.exe'
          Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\document de commande.exe  File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\document de commande.exe.log
          Source: classification engine  Classification label: mal100.troj.evad.winEXE@7/1@3/1
          Source: C:\Users\user\Desktop\document de commande.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_01
          Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\document de commande.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: document de commande.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: document de commande.exe  Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: chkdsk.pdbGCTL  source: document de commande.exe, 00000003.00000002.752978247.0000000001A10000.00000040.00020000.sdmp
          Source: Binary string: chkdsk.pdb  source: document de commande.exe, 00000003.00000002.752978247.0000000001A10000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP  source: document de commande.exe, 00000003.00000002.753021342.0000000001A20000.00000040.00000001.sdmp, chkdsk.exe, 00000009.00000002.932346690.00000000051DF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb  source: document de commande.exe, 00000003.00000002.753021342.0000000001A20000.00000040.00000001.sdmp, chkdsk.exe, 00000009.00000002.932346690.00000000051DF000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: document de commande.exe, WinMixer/frmMain.cs  .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.document de commande.exe.220000.0.unpack, WinMixer/frmMain.cs  .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.document de commande.exe.220000.0.unpack, WinMixer/frmMain.cs  .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.document de commande.exe.fc0000.1.unpack, WinMixer/frmMain.cs  .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.document de commande.exe.fc0000.0.unpack, WinMixer/frmMain.cs  .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 0_2_002264B9 push es; ret 0_2_0022659A
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 0_2_06AF342D push dword ptr [edx+ebp*2-75h]; iretd 0_2_06AF3437
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_004168AF push A8DF1C14h; ret 3_2_004168B7
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_004171D2 push edi; iretd 3_2_004171E0
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_004079FD pushfd ; ret 3_2_00407A03
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_00417A5D push cs; ret 3_2_00417A5E
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041EA34 push 0F02B573h; ret 3_2_0041EA58
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041D4B5 push eax; ret 3_2_0041D508
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041D56C push eax; ret 3_2_0041D572
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041D502 push eax; ret 3_2_0041D508
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0041D50B push eax; ret 3_2_0041D572
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_0040961A push ecx; ret 3_2_0040961B
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_00405F1A pushad ; iretd 3_2_00405F1B
          Source: C:\Users\user\Desktop\document de commande.exe  Code function: 3_2_00FC6512 push es; ret 3_2_00FC659A
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7D4B5 push eax; ret 9_2_04D7D508
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7D56C push eax; ret 9_2_04D7D572
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7D502 push eax; ret 9_2_04D7D508
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7D50B push eax; ret 9_2_04D7D572
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D6961A push ecx; ret 9_2_04D6961B
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D65F1A pushad ; iretd 9_2_04D65F1B
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D768AF push A8DF1C14h; ret 9_2_04D768B7
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D771D2 push edi; iretd 9_2_04D771E0
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D679FD pushfd ; ret 9_2_04D67A03
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D77A5D push cs; ret 9_2_04D77A5E
          Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 9_2_04D7EA34 push 0F02B573h; ret 9_2_04D7EA58
          Source: initial sample  Static PE information: section name: .text entropy: 7.85154838784

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe  User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xED
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\chkdsk.exe  Process created: /c del 'C:\Users\user\Desktop\document de commande.exe'
          Source: C:\Users\user\Desktop\document de commande.exe  Process information set: NOOPENFILEERRORBOX
          Sou