
Windows Analysis Report CNEW ORDER17.exe

Overview

General Information

Sample Name: CNEW ORDER17.exe
Analysis ID: 502245
MD5: c54edc9ef9d72fe0fe048e8ac884626b
SHA1: 11dce70f33e490eb9b89726776915a374bb59a59
SHA256: 43fcb442b80665d42271689310ebd569e84f74287063a62e14beba808178e098
Tags: exe, formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • CNEW ORDER17.exe (PID: 4344 cmdline: 'C:\Users\user\Desktop\CNEW ORDER17.exe' MD5: C54EDC9EF9D72FE0FE048E8AC884626B)
    • CNEW ORDER17.exe (PID: 5680 cmdline: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe MD5: C54EDC9EF9D72FE0FE048E8AC884626B)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • raserver.exe (PID: 4632 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
        • cmd.exe (PID: 4476 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cursoukulelegospel.com/h0c4/"], "decoy": ["looknewly.com", "icha2016.com", "datnenhoalachn.xyz", "fark.ltd", "zjlj.site", "carpinteriacansino.com", "atozmp33.com", "oficialacesso.com", "tuningfrance.com", "rmm-mx96r.net", "outsidestyleshop.com", "eufundas.com", "a91furniture.com", "sfme.net", "englisch.coach", "wallacechen.info", "nyayeo.com", "jintongstore.com", "vanwerknaarwerk.info", "thekimlab.net", "morvirtualassistant.com", "ichatbengal.com", "doctors-technology.com", "mississippisms.com", "koopa.codes", "sproutheads.com", "gardenkitchenspa.com", "hoom.life", "wiselogistic.com", "appadaptor.com", "jumtix.xyz", "academiavirtualjjb.com", "pcmrmf.com", "hlsx069.com", "sunielkapoor.com", "truetaster.com", "rylautosales.com", "cgmobile.net", "www-inloggen-nl.info", "businesswebstrategy.net", "fetch-a-sg-hair-transplant.fyi", "paintingservicespune.com", "cakeeyes.net", "tandebrokers.com", "navigantcapitalpartners.com", "hubska.com", "foillaws.com", "battletraining.com", "bitcoin-recovery.com", "yourbuildvideos.com", "naturalsumaq.com", "prasikapsychotherapy.com", "jphousecleaningservices.com", "fetch-hepatitis-c.zone", "easypay-agent.com", "ronaldcraig.com", "highonloveshop.com", "bayharborislandhouse2.com", "aventuramaker.com", "han-chill.com", "wrapmeupbkk.com", "videomarketing.tips", "ishouldntbthareasonugohard.com", "psychotherapie-wermuth.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x84f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x94fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x5419:$sqlite3step: 68 34 1C 7B E1
  • 0x552c:$sqlite3step: 68 34 1C 7B E1
  • 0x5448:$sqlite3text: 68 38 2A 90 C5
  • 0x556d:$sqlite3text: 68 38 2A 90 C5
  • 0x545b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x5583:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(25 more entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.CNEW ORDER17.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.2.CNEW ORDER17.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.CNEW ORDER17.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
15.2.CNEW ORDER17.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.2.CNEW ORDER17.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 more entry not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.cursoukulelegospel.com/h0c4/"], "decoy": ["looknewly.com", "icha2016.com", "datnenhoalachn.xyz", "fark.ltd", "zjlj.site", "carpinteriacansino.com", "atozmp33.com", "oficialacesso.com", "tuningfrance.com", "rmm-mx96r.net", "outsidestyleshop.com", "eufundas.com", "a91furniture.com", "sfme.net", "englisch.coach", "wallacechen.info", "nyayeo.com", "jintongstore.com", "vanwerknaarwerk.info", "thekimlab.net", "morvirtualassistant.com", "ichatbengal.com", "doctors-technology.com", "mississippisms.com", "koopa.codes", "sproutheads.com", "gardenkitchenspa.com", "hoom.life", "wiselogistic.com", "appadaptor.com", "jumtix.xyz", "academiavirtualjjb.com", "pcmrmf.com", "hlsx069.com", "sunielkapoor.com", "truetaster.com", "rylautosales.com", "cgmobile.net", "www-inloggen-nl.info", "businesswebstrategy.net", "fetch-a-sg-hair-transplant.fyi", "paintingservicespune.com", "cakeeyes.net", "tandebrokers.com", "navigantcapitalpartners.com", "hubska.com", "foillaws.com", "battletraining.com", "bitcoin-recovery.com", "yourbuildvideos.com", "naturalsumaq.com", "prasikapsychotherapy.com", "jphousecleaningservices.com", "fetch-hepatitis-c.zone", "easypay-agent.com", "ronaldcraig.com", "highonloveshop.com", "bayharborislandhouse2.com", "aventuramaker.com", "han-chill.com", "wrapmeupbkk.com", "videomarketing.tips", "ishouldntbthareasonugohard.com", "psychotherapie-wermuth.com"]}
Yara detected FormBook
Source: Yara match | File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: CNEW ORDER17.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Avira: detection malicious, Label: HEUR/AGEN.1142543
Machine Learning detection for sample
Source: CNEW ORDER17.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Joe Sandbox ML: detected
Source: 15.2.CNEW ORDER17.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: CNEW ORDER17.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: CNEW ORDER17.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP | source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe, 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdb | source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb | source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe
Source: Binary string: RAServer.pdbGCTL | source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.cursoukulelegospel.com/h0c4/
Source: CNEW ORDER17.exe, 0000000F.00000002.519538682.0000000000B7A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: CNEW ORDER17.exe
          Source: CNEW ORDER17.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041E8F3
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041E1F9
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041D300
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00402D87
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00409E40
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00409E3C
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00402FB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044E1002
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0443841F
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0443B090
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F1D55
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0442F900
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04420D20
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04444120
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04446E30
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445EBB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5D300
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5E8F3
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5E1F9
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E49E40
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E49E3C
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E42FB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E42D87
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E42D90
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041A060 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041A110 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00419F30 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00419FE0 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041A05B NtClose,
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00419F2A NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00419FDA NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00419F84 NtCreateFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0446B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469560 NtWriteFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0446AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0446A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0446A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0446A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5A060 NtClose,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5A110 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E59FE0 NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E59F30 NtCreateFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5A05B NtClose,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E59FDA NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E59F84 NtCreateFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E59F2A NtCreateFile,
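The native-call list above (NtCreateProcessEx, NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread, NtQueueApcThread and the rest) is the footprint behind the "process hollowing" and "queues an APC in another process" signatures. As an added example, not part of the Joe Sandbox report, the Python below checks an API-call trace for those ordered sequences. The API names are the ones listed above; the trace itself is constructed, and which process issued which call is an assumption made for illustration, not something the report states.

```python
"""Ordered native-API sequence checks for process hollowing and APC injection.

Added example, not part of the sandbox report. The API names are the NtXxx
routines the report lists; SAMPLE_TRACE is constructed, and the assignment
of calls to processes is assumed for illustration.
"""
from collections import namedtuple

Call = namedtuple("Call", "seq proc api")

# Each pattern is a list of APIs that must occur in this relative order
# (other calls may sit in between) within a single process.
PATTERNS = {
    "process_hollowing": [
        "NtCreateProcessEx",        # create the host process (suspended)
        "NtUnmapViewOfSection",     # unmap its original image
        "NtAllocateVirtualMemory",  # reserve space at the payload's image base
        "NtWriteVirtualMemory",     # copy headers and sections in
        "NtSetContextThread",       # point the primary thread at the new entry
        "NtResumeThread",           # let the payload run
    ],
    "apc_injection": [
        "NtOpenThread",
        "NtWriteVirtualMemory",
        "NtQueueApcThread",
    ],
    "thread_context_hijack": [
        "NtSuspendThread",
        "NtGetContextThread",
        "NtSetContextThread",
        "NtResumeThread",
    ],
}


def find_ordered(apis, pattern):
    """True if every API in `pattern` appears in `apis` in the given order."""
    pos = 0
    for api in apis:
        if api == pattern[pos]:
            pos += 1
            if pos == len(pattern):
                return True
    return False


def detect(trace):
    """Map process name -> set of pattern names matched by its call sequence."""
    per_proc = {}
    for call in sorted(trace, key=lambda c: c.seq):
        per_proc.setdefault(call.proc, []).append(call.api)
    hits = {}
    for proc, apis in per_proc.items():
        matched = {name for name, pat in PATTERNS.items() if find_ordered(apis, pat)}
        if matched:
            hits[proc] = matched
    return hits


# Constructed trace (not the report's data): the %TEMP% copy of the sample
# hollows raserver.exe, and raserver.exe later APC-injects another process.
SAMPLE_TRACE = [
    Call(1, "CNEW ORDER17.exe", "NtCreateFile"),
    Call(2, "CNEW ORDER17.exe", "NtReadFile"),
    Call(3, "CNEW ORDER17.exe", "NtCreateProcessEx"),
    Call(4, "CNEW ORDER17.exe", "NtUnmapViewOfSection"),
    Call(5, "CNEW ORDER17.exe", "NtAllocateVirtualMemory"),
    Call(6, "CNEW ORDER17.exe", "NtWriteVirtualMemory"),
    Call(7, "CNEW ORDER17.exe", "NtSetContextThread"),
    Call(8, "CNEW ORDER17.exe", "NtResumeThread"),
    Call(9, "raserver.exe", "NtOpenProcess"),
    Call(10, "raserver.exe", "NtOpenThread"),
    Call(11, "raserver.exe", "NtWriteVirtualMemory"),
    Call(12, "raserver.exe", "NtQueueApcThread"),
    Call(13, "cmd.exe", "NtCreateFile"),
]

if __name__ == "__main__":
    for proc, names in detect(SAMPLE_TRACE).items():
        print(proc, sorted(names))
```

The ordering check is deliberately loose (non-adjacent matches) because real traces interleave NtClose, NtQueryInformationProcess and similar calls between the interesting ones; tightening it to adjacency is the usual source of false negatives.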
          Source: CNEW ORDER17.exe, 00000000.00000000.296992741.000000000026A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePlyqntsieflxwczqxdgrrbh.dll" vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 0000000F.00000002.520200234.000000000125F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 0000000F.00000003.518794069.0000000000BBF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameraserver.exej% vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 0000000F.00000000.421473120.000000000059A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe | Binary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: CNEW ORDER17.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: CNEW ORDER17.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: CNEW ORDER17.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: CNEW ORDER17.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: CNEW ORDER17.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: CNEW ORDER17.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: CNEW ORDER17.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | File read: C:\Users\user\Desktop\CNEW ORDER17.exe
          Source: CNEW ORDER17.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\CNEW ORDER17.exe 'C:\Users\user\Desktop\CNEW ORDER17.exe'
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Process created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Process created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CNEW ORDER17.exe.log
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | File created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/3@0/0
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: CNEW ORDER17.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: CNEW ORDER17.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: CNEW ORDER17.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe, 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdb source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe
          Source: Binary string: RAServer.pdbGCTL source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041D0D2 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041D0DB push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041D085 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041D13C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00417C84 pushfd ; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0447D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5D0D2 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5D0DB push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5D085 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5D13C push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E57C84 pushfd ; ret
          Source: CNEW ORDER17.exe | Static PE information: 0xE32C5996 [Tue Oct 10 16:02:30 2090 UTC]
          Source: initial sample | Static PE information: section name: .text entropy: 7.99906118019
          Source: initial sample | Static PE information: section name: .text entropy: 7.99906118019
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | File created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
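Two of the static findings above, the .text entropy of 7.999 (code that is effectively random bytes, i.e. packed or encrypted) and the TimeDateStamp 0xE32C5996 that decodes to 10 October 2090, are checks a triage script can reproduce without the sandbox. Added example, not from the report: Python that parses the COFF header and section table, computes per-section Shannon entropy and sanity-checks the link timestamp. It runs on a minimal PE image built in memory here (constructed test data; the real sample is not embedded), with a .text of uniform bytes standing in for packed code.

```python
"""Static PE triage: per-section entropy plus compile-timestamp sanity.

Added example, not part of the sandbox report. The PE image is built in
memory below (constructed test data); the real sample is not embedded.
"""
import math
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes after "PE\0\0"
COFF_KEYS = ("Machine", "NumberOfSections", "TimeDateStamp",
             "PointerToSymbolTable", "NumberOfSymbols",
             "SizeOfOptionalHeader", "Characteristics")


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_timestamp(ts):
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970, UTC)."""
    return EPOCH + timedelta(seconds=ts)


def timestamp_anomaly(ts, analysis_time):
    """Reason string if the link timestamp is implausible, else None."""
    when = pe_timestamp(ts)
    if when > analysis_time:
        return "timestamp %s (%#x) is in the future" % (when.isoformat(), ts)
    if when.year < 1993:           # PE appeared with Windows NT 3.1
        return "timestamp %s predates the PE format" % when.isoformat()
    return None


def coff_header(pe):
    """Parse the COFF file header and record where the section table starts."""
    off = struct.unpack_from("<I", pe, 0x3C)[0]        # e_lfanew
    if pe[off:off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    hdr = dict(zip(COFF_KEYS, struct.unpack_from(COFF_FMT, pe, off + 4)))
    hdr["_section_table"] = off + 4 + 20 + hdr["SizeOfOptionalHeader"]
    return hdr


def sections(pe):
    """Yield (name, raw_bytes) for every 40-byte IMAGE_SECTION_HEADER."""
    hdr = coff_header(pe)
    for i in range(hdr["NumberOfSections"]):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, hdr["_section_table"] + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]


def triage(pe, analysis_time, threshold=7.0):
    """Entropy per section, sections at or above `threshold`, timestamp anomaly."""
    ent = {name: round(shannon_entropy(data), 3) for name, data in sections(pe)}
    return {
        "entropy": ent,
        "packed": [n for n, e in ent.items() if e >= threshold],
        "timestamp": timestamp_anomaly(coff_header(pe)["TimeDateStamp"], analysis_time),
    }


def build_sample_pe():
    """Minimal two-section PE (constructed). .text is uniform bytes, like packed code."""
    text = bytes(range(256)) * 4                  # entropy exactly 8.0
    rsrc = b"\0" * 256                            # entropy 0.0
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0xE32C5996, 0, 0, 0, 0x0102)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x2000, len(rsrc), 0x600, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    img = dos + b"PE\0\0" + coff + sec
    img += b"\0" * (0x200 - len(img)) + text
    img += b"\0" * (0x600 - len(img)) + rsrc
    return img


if __name__ == "__main__":
    print(triage(build_sample_pe(), datetime(2021, 10, 19, tzinfo=timezone.utc)))
```

The 7.0 threshold is a common rule of thumb, not a hard boundary: legitimate resource-heavy or compressed sections also score high, so the entropy flag is a reason to look at the section, not a verdict on its own. The 0x60000020 characteristics on the constructed .text are the same CODE, EXECUTE, READ flags the report lists for the sample.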

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xEA
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
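The process tree the report records (desktop sample, a copy of itself under \AppData\Local\Temp, SysWOW64\raserver.exe launched from that copy, then cmd.exe /c del of the copy) is the dropper chain plus the self-deletion flagged here. Added example, not part of the report: a Python pass over the "Process created" edges that picks out those three links. The edge list is constructed from the report's lines; the heuristics (same-name copy launched from %TEMP%, a system binary started with a bare command line by a non-system parent, a del target that is itself a node of the tree) are this example's own and not the sandbox's signature logic.

```python
"""Flag the dropper chain and cmd-based self-deletion in a process tree.

Added example, not part of the sandbox report. SAMPLE_TREE is constructed
from the report's 'Process created' lines; the heuristics are this
example's own, not the sandbox's signature logic.
"""
import re
from collections import namedtuple

Spawn = namedtuple("Spawn", "parent child cmdline")

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
TEMP_MARK = "\\appdata\\local\\temp\\"
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<path>[^'"]+)""", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def findings(tree):
    """Return [(tag, detail)] for every suspicious parent -> child edge."""
    nodes = {e.parent.lower() for e in tree} | {e.child.lower() for e in tree}
    out = []
    for edge in tree:
        parent, child = edge.parent.lower(), edge.child.lower()
        # 1. The sample launches a same-named copy of itself from %TEMP%.
        if TEMP_MARK in child and parent != child and basename(parent) == basename(child):
            out.append(("self_copy_from_temp", edge.child))
        # 2. A non-system parent starts a System32/SysWOW64 binary with a bare
        #    command line: the usual shape of a process-hollowing host.
        if child.startswith(SYSTEM_DIRS) and not parent.startswith(SYSTEM_DIRS) \
                and edge.cmdline.strip().lower() == child:
            out.append(("system_binary_as_host", edge.child))
        # 3. cmd.exe /c del whose target is itself a process in this tree.
        m = DEL_RE.search(edge.cmdline)
        if m and basename(child) == "cmd.exe" and m.group("path").strip().lower() in nodes:
            out.append(("self_delete_via_cmd", m.group("path").strip()))
    return out


# Constructed from the report's process-creation lines (parent, child, command line).
SAMPLE_TREE = [
    Spawn("unknown",
          r"C:\Users\user\Desktop\CNEW ORDER17.exe",
          r"'C:\Users\user\Desktop\CNEW ORDER17.exe'"),
    Spawn(r"C:\Users\user\Desktop\CNEW ORDER17.exe",
          r"C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe",
          r"C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe"),
    Spawn(r"C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe",
          r"C:\Windows\SysWOW64\raserver.exe",
          r"C:\Windows\SysWOW64\raserver.exe"),
    Spawn(r"C:\Windows\SysWOW64\raserver.exe",
          r"C:\Windows\SysWOW64\cmd.exe",
          r"/c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'"),
    Spawn(r"C:\Windows\SysWOW64\cmd.exe",
          r"C:\Windows\System32\conhost.exe",
          r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for tag, detail in findings(SAMPLE_TREE):
        print(tag, detail)
```

Rule 2 is the noisy one: legitimate installers also launch system binaries, so in practice it is weighted by the parent's location (user-writable directory) and by what the child does next, which is where the NtCreateProcessEx / NtUnmapViewOfSection sequence from the native-call list comes in.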
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Process information set: NOOPENFILEERRORBOX (22 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000002E498E4 second address: 0000000002E498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000002E49B5E second address: 0000000002E49B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348 | Thread sleep count: 1054 > 30
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348 | Thread sleep count: 34 > 30
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348 | Thread sleep time: -34000s >= -30000s
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 2244 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Window / User API: threadDelayed 1054
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000010.00000000.455828193.0000000008778000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000010.00000000.470059747.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000010.00000000.470059747.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04440050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044BC450 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0444746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044E2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044A6C0A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F740D mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044E1C06 mov eax, dword ptr fs:[00000030h] (14 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F4015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044A7016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0443B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044BB8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044E14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044A6CF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04429080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044A3884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445F0BF mov ecx, dword ptr fs:[00000030h] (1 occurrence); mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0444B944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04463D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044A3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04447D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0442B171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0444C577 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04429100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04444120 mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0442AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04433D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044AA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04454D3B mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0442B1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044D8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0444C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445FD9B mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04429240 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044DB260 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0443766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0446927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04443A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04468EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044BFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04453B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04453B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044E131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04424F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04424F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044E138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04431B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04431B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeSection unmapped: C:\Windows\SysWOW64\raserver.exe base address: C0000
Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeThread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeThread register set: target process: 3352
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeThread register set: target process: 3352
          Source: C:\Windows\SysWOW64\raserver.exeThread register set: target process: 3352
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeProcess created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000010.00000000.448733880.0000000000B68000.00000004.00000020.sdmpBinary or memory string: Progman\Pr
          Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000010.00000000.455828193.0000000008778000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeQueries volume information: C:\Users\user\Desktop\CNEW ORDER17.exe VolumeInformation
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
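The evasion lines above are enough to recover the whole execution chain, but the report prints them as flat signature hits. The following script is an added example (not Joe Sandbox code) that parses those lines exactly as the report prints them (source path and event name glued together with no separator) and derives the process tree, the hollowing target, the APC-injection target, the thread-context targets and the self-deletion command. The only input is the lines copied from this section; the pattern definitions (hollowing = created + unmapped + RWX section from the same source; APC injection = RWX section + queued APC into a process the source did not create) are the editor's, not the sandbox's.

```python
"""Reconstruct the injection chain from the behaviour lines in this report.

Added example; this is not Joe Sandbox code. It reads the "Source: <process><event>: ..."
lines exactly as the report prints them (the source path and the event name are
glued together with no separator) and recovers the process tree, the hollowing
target, the APC-injection target and the self-deletion command.
"""
import re
from collections import defaultdict
from pprint import pprint

# Copied from the HIPS / evasion section of this report (not constructed).
REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeSection unmapped: C:\Windows\SysWOW64\raserver.exe base address: C0000",
    r"Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write",
    r"Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeThread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeThread register set: target process: 3352",
    r"Source: C:\Windows\SysWOW64\raserver.exeThread register set: target process: 3352",
    r"Source: C:\Users\user\Desktop\CNEW ORDER17.exeProcess created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe",
    r"Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'",
]

EVENT_NAMES = ("Section unmapped", "Section loaded", "Thread APC queued",
               "Thread register set", "Process created")
# The source path always ends in ".exe" and the event name follows immediately.
EVENT_RE = re.compile(r"^Source: (?P<src>.+?\.exe)(?P<event>" + "|".join(EVENT_NAMES) + r"): (?P<rest>.*)$")
IMAGE_RE = re.compile(r"(?P<image>.+?\.exe)\s*(?P<cmdline>.*)$")
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<path>[^'"]+)""", re.IGNORECASE)
RWX = "execute and read and write"


def parse_line(line):
    """Turn one report line into a dict with 'source', 'event' and event-specific keys."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    src, event, rest = m.group("src"), m.group("event"), m.group("rest")
    if event == "Section unmapped":
        target, _, base = rest.partition(" base address: ")
        details = {"target": target, "base": int(base, 16)}
    elif event == "Section loaded":
        target, _, prot = rest.partition(" protection: ")
        details = {"target": target.replace("unknown target: ", ""), "protection": prot}
    elif event == "Thread APC queued":
        details = {"target": rest.replace("target process: ", "")}
    elif event == "Thread register set":
        details = {"target_pid": int(rest.replace("target process: ", ""))}
    else:  # Process created: image path, then the command line
        m2 = IMAGE_RE.match(rest)
        details = {"image": m2.group("image"), "cmdline": m2.group("cmdline")}
    return {"source": src, "event": event, **details}


def parse_report(lines):
    return [e for e in (parse_line(l) for l in lines) if e]


def process_tree(events):
    """Parent image -> list of child images, from 'Process created' events."""
    tree = defaultdict(list)
    for e in events:
        if e["event"] == "Process created":
            tree[e["source"]].append(e["image"])
    return dict(tree)


def find_hollowing(events):
    """Hollowing: the source created the process, unmapped its image, and mapped an RWX section into it."""
    created = {(e["source"], e["image"]) for e in events if e["event"] == "Process created"}
    unmapped = {(e["source"], e["target"]) for e in events if e["event"] == "Section unmapped"}
    rwx = {(e["source"], e["target"]) for e in events if e["event"] == "Section loaded" and e["protection"] == RWX}
    return sorted(created & unmapped & rwx)


def find_apc_injection(events):
    """APC injection: RWX section plus a queued APC into a process the source did NOT create."""
    created = {(e["source"], e["image"]) for e in events if e["event"] == "Process created"}
    rwx = {(e["source"], e["target"]) for e in events if e["event"] == "Section loaded" and e["protection"] == RWX}
    apc = {(e["source"], e["target"]) for e in events if e["event"] == "Thread APC queued"}
    return sorted((rwx & apc) - created)


def thread_context_targets(events):
    """The report gives only a PID for SetThreadContext-style events, so list them by PID."""
    return sorted({(e["source"], e["target_pid"]) for e in events if e["event"] == "Thread register set"})


def find_self_deletion(events):
    """cmd.exe /c del of a file that is itself an image in the process tree (the dropped self-copy)."""
    images = {e["image"] for e in events if e["event"] == "Process created"}
    hits = []
    for e in events:
        if e["event"] == "Process created" and e["image"].lower().endswith("cmd.exe"):
            m = DEL_RE.search(e["cmdline"])
            if m and m.group("path") in images:
                hits.append((e["source"], m.group("path")))
    return hits


def summarize(lines=REPORT_LINES):
    events = parse_report(lines)
    return {
        "process_tree": process_tree(events),
        "hollowed": find_hollowing(events),
        "apc_injected": find_apc_injection(events),
        "thread_context": thread_context_targets(events),
        "self_deleted": find_self_deletion(events),
    }


if __name__ == "__main__":
    pprint(summarize())
```

Run stand-alone it prints the chain Desktop copy -> %TEMP% self-copy -> raserver.exe (hollowed) -> cmd.exe, with explorer.exe as the APC-injection target. The thread-context events are reported only by PID 3352 because that is all the report gives; the script does not guess which image that PID belongs to.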

Stealing of Sensitive Information:

Yara detected FormBook
          Source: Yara matchFile source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
          Source: Yara matchFile source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

(Only cells carrying digits were matched by a signature; the digits are the report's superscript signature-hit counters, flattened by extraction. The remaining cells are the unmatched template entries of the matrix, and an empty cell means the row has no entry in that column.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 412 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 121 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | Input Capture 1 | Process Discovery 2 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 412 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
CNEW ORDER17.exe | 100% | Avira | HEUR/AGEN.1142543
CNEW ORDER17.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | 100% | Avira | HEUR/AGEN.1142543
C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | 100% | Joe Sandbox ML |

          Unpacked PE Files

Source | Detection | Scanner | Label
0.0.CNEW ORDER17.exe.1a0000.0.unpack | 100% | Avira | HEUR/AGEN.1142543
15.2.CNEW ORDER17.exe.4d0000.1.unpack | 100% | Avira | HEUR/AGEN.1142543
15.0.CNEW ORDER17.exe.4d0000.0.unpack | 100% | Avira | HEUR/AGEN.1142543
15.2.CNEW ORDER17.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.CNEW ORDER17.exe.1a0000.0.unpack | 100% | Avira | HEUR/AGEN.1142543

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
www.cursoukulelegospel.com/h0c4/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.cursoukulelegospel.com/h0c4/ | true | Avira URL Cloud: safe | low

Note the disagreement: the sandbox marks this URL malicious while the URL-reputation lookup still rates it safe. Reputation feeds lag behind newly stood-up infrastructure, so the "safe" label should not override the malicious verdict when deciding what to block.

          Contacted IPs

          No contacted IP infos

          General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502245
Start date: 13.10.2021
Start time: 18:34:34
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: CNEW ORDER17.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/3@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 44% (good quality ratio 39.1%)
• Quality average: 68.5%
• Quality standard deviation: 33.4%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.49.157.6, 209.197.3.8, 93.184.221.240, 20.199.120.182, 20.54.110.249, 40.112.88.60, 52.251.79.25, 20.199.120.151, 2.20.178.33, 2.20.178.24, 20.199.120.85
• Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/502245/sample/CNEW ORDER17.exe

          Simulations

          Behavior and APIs

          No simulations

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CNEW ORDER17.exe.log
Process: C:\Users\user\Desktop\CNEW ORDER17.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 425
Entropy (8bit): 5.340009400190196
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5: CC144808DBAF00E03294347EADC8E779
SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
This usage log is written by the CLR itself for any .NET process and records the assemblies it bound; it is evidence that the sample ran under the 32-bit .NET 4 runtime, not attacker-authored content, which is why it is flagged malicious only by association with the process that produced it.
C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
Process: C:\Users\user\Desktop\CNEW ORDER17.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 983040
Entropy (8bit): 7.643700581671609
Encrypted: false
SSDEEP: 12288:lxGAAVPJ9rY0Vjf23ZgTJt8mwSwtpaYKXrEUpDK30dBlVhxYuWyrZFvn6+OhO:eAGNYoOiT/8mN+aYW4OHboirZFv6/
MD5: C54EDC9EF9D72FE0FE048E8AC884626B
SHA1: 11DCE70F33E490EB9B89726776915A374BB59A59
SHA-256: 43FCB442B80665D42271689310EBD569E84F74287063A62E14BEBA808178E098
SHA-512: C65D37DE77AD4598EE0B665145C988681D38FC26AA2EB2F5B5D1B73646EAA843CB18C4172D0ED7DCEE4BD25BDF692E7B1AACC410A56B6959158F9E3BAB1F0C81
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y,...............0..l..........j.... ........@.. .......................`............@.....................................O............................@....................................................... ............... ..H............text...pj... ...l.................. ..`.rsrc................n..............@..@.reloc.......@......................@..B................L.......H.......(#...............3...V..........................................~r...p(......-.(....*r...p(....*.0..H.......s......o....+..o.......(....(......(.....o.......(....#......3@2..o....*.0..M.......(....(....o.......+2.....o....,"..( ...,..o!...r...p("...,..(....&..X....i2.*....0..4.......ri..p(#...r...p ............%.(....(.....o$...t....*.0.."........r...p .......o$....$......&...*.*...................(....*..0.......... .....%..... .....%.......i.&.....(%...r...po&......
The size and the MD5/SHA-1/SHA-256 are identical to the submitted sample: this is a byte-for-byte self-copy into %TEMP%, the copy that runs the second stage and is later removed with cmd.exe /c del.
C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe:Zone.Identifier
Process: C:\Users\user\Desktop\CNEW ORDER17.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
ZoneId=0 is the Local Machine zone: the self-copy carries no Mark-of-the-Web, so nothing that keys on the Internet zone (SmartScreen prompts, Office Protected View) will treat it as a downloaded file.

          Static File Info

          General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.643700581671609
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: CNEW ORDER17.exe
File size: 983040
MD5: c54edc9ef9d72fe0fe048e8ac884626b
SHA1: 11dce70f33e490eb9b89726776915a374bb59a59
SHA256: 43fcb442b80665d42271689310ebd569e84f74287063a62e14beba808178e098
SHA512: c65d37de77ad4598ee0b665145c988681d38fc26aa2eb2f5b5d1b73646eaa843cb18c4172d0ed7dcee4bd25bdf692e7b1aacc410a56b6959158f9e3bab1f0c81
SSDEEP: 12288:lxGAAVPJ9rY0Vjf23ZgTJt8mwSwtpaYKXrEUpDK30dBlVhxYuWyrZFvn6+OhO:eAGNYoOiT/8mN+aYW4OHboirZFv6/
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y,...............0..l..........j.... ........@.. .......................`............@................................
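The "Entropy (8bit)" value above is the 8-bit Shannon entropy over the whole file; 7.64 bits/byte for a 983,040-byte .NET assembly is far above what plain CIL and metadata produce and is what the packing/crypting verdicts elsewhere in this report rest on. The script below is an added example (not the sandbox's implementation) showing the computation and, more usefully, a windowed scan that locates where the high-entropy payload sits inside a file. The sample itself is not on this page, so the input buffer is constructed: a near-empty MZ header, a 4 KiB uniform block standing in for an encrypted payload, then zero padding. The 7.0 bits/byte threshold is a common rule of thumb, not a value from the report.

```python
"""8-bit Shannon entropy as listed under "Entropy (8bit)", plus a windowed scan
that locates the high-entropy region inside a file.

Added example, not Joe Sandbox code. The sample is not on the page, so SAMPLE
is CONSTRUCTED; the 7.0 threshold is a rule of thumb (assumption).
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 4096, threshold: float = 7.0):
    """(start, end) byte ranges whose per-window entropy is >= threshold.
    Adjacent qualifying windows are merged into one region."""
    regions = []
    for off in range(0, len(data), window):
        end = min(off + window, len(data))
        if shannon_entropy(data[off:end]) >= threshold:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end)   # extend the previous region
            else:
                regions.append((off, end))
    return regions


# CONSTRUCTED sample: 4 KiB low-entropy header, 4 KiB uniform "payload", 4 KiB zeros.
SAMPLE = b"MZ" + b"\x00" * 4094 + bytes(range(256)) * 16 + b"\x00" * 4096


def summarize(data: bytes = SAMPLE) -> dict:
    """Whole-file entropy (what the report lists) next to the windowed view."""
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "high_entropy_regions": high_entropy_regions(data),
    }


if __name__ == "__main__":
    print(summarize())
```

The whole-file number alone is what the report shows; the windowed scan is the part worth keeping, because a packed .NET dropper typically has an ordinary header and metadata with the encrypted second stage concentrated in one resource or blob, and the region list tells you where to carve.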

          File Icon

          Icon Hash:07d8d8d4d4d85026

          Static PE Info

          General

Entrypoint: 0x4c8a6a (image base 0x400000 + RVA 0xc8a6a)
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xE32C5996 [Tue Oct 10 16:02:30 2090 UTC]. A build time 69 years after the analysis date is not a real timestamp: .NET compilers building deterministically write a content-derived hash into this field (with the high bit set, as here), and the field is trivially editable in any case, so it must not be used for build-timeline or attribution purposes.
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
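The fields above all come from the COFF and PE32 optional headers, and checking them yourself takes a few dozen lines of struct parsing. The script below is an added example (not the sandbox's parser) that reads exactly those fields, decodes the DllCharacteristics bits, turns TimeDateStamp into a UTC date and classifies it against the date the file was observed, and detects a managed assembly through the CLR data directory (slot 14). Because the sample is not on this page, the header it parses is constructed with struct.pack to carry the report's own values (entrypoint 0x4c8a6a, image base 0x400000, timestamp 0xE32C5996, GUI subsystem, the four DLL characteristics, OS and subsystem version 4.0, three sections); the CLR directory RVA/size 0x2008/0x48 are assumptions, since the report only states that a v4.0.30319 CLR header exists. The observation date is this report's start date, 13.10.2021.

```python
"""Parse the PE32 fields listed under "Static PE Info" from a raw header buffer.

Added example, not Joe Sandbox code. The header below is CONSTRUCTED with
struct.pack to match the values in this report; the CLR directory location
(0x2008/0x48) is an assumption.
"""
import struct
from datetime import datetime, timedelta, timezone

COFF_FMT = "<HHIIIHH"                                            # IMAGE_FILE_HEADER, 20 bytes
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header, 96 bytes
DATA_DIR_FMT = "<II"                                             # (RVA, Size)
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14                        # CLR header slot
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch; timedelta avoids platform time_t limits."""
    return EPOCH + timedelta(seconds=ts)


def timestamp_verdict(ts: int, observed_at: datetime) -> str:
    """'zero', 'future' (later than the date the file was observed) or 'plausible'."""
    if ts == 0:
        return "zero"
    return "future" if pe_timestamp(ts) > observed_at else "plausible"


def parse_pe32_header(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, ts, _, _, _, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + struct.calcsize(COFF_FMT)
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    if opt[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 is handled here")
    ndirs = opt[29]                                   # NumberOfRvaAndSizes
    dirs_off = opt_off + struct.calcsize(OPT_FMT)
    dirs = [struct.unpack_from(DATA_DIR_FMT, data, dirs_off + 8 * i) for i in range(ndirs)]
    clr = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR else (0, 0)
    return {
        "machine": machine,
        "sections": nsect,
        "timestamp_raw": ts,
        "timestamp": pe_timestamp(ts),
        "entrypoint_rva": opt[6],
        "image_base": opt[9],
        "entrypoint_va": opt[9] + opt[6],
        "os_version": (opt[12], opt[13]),
        "subsystem_version": (opt[16], opt[17]),
        "subsystem": SUBSYSTEMS.get(opt[22], hex(opt[22])),
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if opt[23] & bit),
        "clr_directory": clr,
        "is_managed": clr != (0, 0),                  # non-empty CLR directory => .NET assembly
    }


def build_header(*, timestamp, entry_rva, image_base, subsystem, dll_chars, clr=(0, 0), nsections=3):
    """CONSTRUCTED minimal PE32 header: DOS header, COFF header, optional header, 16 data directories.
    No section table is emitted because the parser above does not read one."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, nsections, timestamp, 0, 0, 96 + 16 * 8, 0x0102)
    opt = struct.pack(OPT_FMT, IMAGE_NT_OPTIONAL_HDR32_MAGIC, 48, 0,
                      0, 0, 0, entry_rva, 0x2000, 0, image_base, 0x2000, 0x200,
                      4, 0, 0, 0, 4, 0,               # OS, image and subsystem versions
                      0, 0, 0, 0,
                      subsystem, dll_chars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = clr
    return bytes(dos) + b"PE\0\0" + coff + opt + b"".join(struct.pack(DATA_DIR_FMT, *d) for d in dirs)


SAMPLE_HEADER = build_header(
    timestamp=0xE32C5996, entry_rva=0xC8A6A, image_base=0x400000, subsystem=2,
    dll_chars=0x0040 | 0x0100 | 0x0400 | 0x8000,      # DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
    clr=(0x2008, 0x48),                               # assumed CLR header location
)
ANALYSIS_START = datetime(2021, 10, 13, tzinfo=timezone.utc)   # "Start date" of this report


def report(data: bytes = SAMPLE_HEADER, observed_at: datetime = ANALYSIS_START) -> dict:
    info = parse_pe32_header(data)
    info["timestamp_verdict"] = timestamp_verdict(info["timestamp_raw"], observed_at)
    return info


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The verdict for this header is "future", which is the programmatic form of the caveat on the Time Stamp line: a value later than the date you first saw the file cannot be a build time and should be dropped from any timeline. Pointing parse_pe32_header at the first few hundred bytes of a real PE32 file works unchanged; PE32+ (64-bit) images use a 112-byte optional header and are deliberately rejected.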

          Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the add instruction repeats for the remaining 96 lines of the original preview)

This is the standard native stub of a managed executable: a single indirect jmp through the import address table slot at 0x402000 (RVA 0x2000), which in a .NET image resolves to mscoree!_CorExeMain, so the first instruction hands control to the CLR and none of the program's own logic is visible here. Everything after the jmp is zero padding; the byte pair 00 00 decodes as add byte ptr [eax], al, which is why the disassembler prints that instruction 97 times.

          Data Directories

          Name                                  Virtual Address  Virtual Size  Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
          IMAGE_DIRECTORY_ENTRY_IMPORT          0xc8a18          0x4f          .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xca000          0x28f18       .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf4000          0xc           .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG           0xc89fc          0x1c          .text
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

          The non-empty COM_DESCRIPTOR entry is the CLR header (0x48 bytes immediately after the 8-byte IAT); together with the single mscoree.dll import it marks the file as a managed (.NET) executable. The empty SECURITY entry means the file carries no Authenticode signature.

          Sections

          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
          .text   0x2000           0xc6a70       0xc6c00   False     0.997636595912   data       7.99906118019    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rsrc   0xca000          0x28f18       0x29000   False     0.0645364900915  data       3.05282770232    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc  0xf4000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          .text is the only executable section and has an entropy of 7.999 out of a possible 8.0 with a ZLIB complexity of 0.998, i.e. it is essentially incompressible. Compiled CIL does not look like that; the section is almost entirely encrypted or packed payload, which is consistent with the in-memory FormBook Yara matches and the process hollowing reported further down.

          Resources

          Name           RVA      Size    Type (libmagic guess on the raw resource bytes; Language and Country are unset for every entry)
          RT_ICON        0xca3c0  0x2e8   dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1650615026, next used block 1650614882
          RT_ICON        0xca6b8  0x128   GLS_BINARY_LSB_FIRST
          RT_ICON        0xca7f0  0x2ca8  dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 16843009, next used block 16843009
          RT_ICON        0xcd4a8  0x1bc8  data
          RT_ICON        0xcf080  0x1628  dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295
          RT_ICON        0xd06b8  0x1418  data
          RT_ICON        0xd1ae0  0xea8   data
          RT_ICON        0xd2998  0xba8   data
          RT_ICON        0xd3550  0x8a8   dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
          RT_ICON        0xd3e08  0x6c8   data
          RT_ICON        0xd44e0  0x608   data
          RT_ICON        0xd4af8  0x568   GLS_BINARY_LSB_FIRST
          RT_ICON        0xd5070  0xc33   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
          RT_ICON        0xd5cb4  0x94a8  data
          RT_ICON        0xdf16c  0x5488  data
          RT_ICON        0xe4604  0x4228  dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
          RT_ICON        0xe883c  0x3a48  data
          RT_ICON        0xec294  0x25a8  data
          RT_ICON        0xee84c  0x1a68  data
          RT_ICON        0xf02c4  0x10a8  data
          RT_ICON        0xf137c  0x988   data
          RT_ICON        0xf1d14  0x6b8   data
          RT_ICON        0xf23dc  0x468   GLS_BINARY_LSB_FIRST
          RT_GROUP_ICON  0xf2854  0x148   data
          RT_VERSION     0xf29ac  0x36c   data
          RT_MANIFEST    0xf2d28  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

          The dBase and GLS_BINARY identifications are libmagic false positives: RT_ICON resources are headerless DIB bitmaps (or, for the 256 x 256 entry, a PNG), and the BITMAPINFOHEADER bytes happen to match the dBase memo-file pattern. They say nothing about the sample.

          Imports

          DLL          Import
          mscoree.dll  _CorExeMain
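
The entry-point preview, the IAT and COM_DESCRIPTOR data directories, the single mscoree!_CorExeMain import and the section statistics above are the standard first pass of static triage on a .NET dropper: a 32-bit managed image starts with a six-byte native stub, jmp dword ptr [IAT slot], whose slot the loader fills with _CorExeMain (here the IAT is at RVA 0x2000, so the preview's operand 0x402000 is that slot at the preferred image base 0x400000), and an executable section whose entropy is within 0.001 of the 8.0 maximum and whose ZLIB ratio is 0.998 cannot be ordinary compiled code. The script below is an added example, not code from the report or from Joe Sandbox; it reproduces both checks with the standard library only. The PE it parses is a small two-section file constructed inside build_sample_pe(), not the analysed sample, and the 7.0 entropy threshold is a conventional choice rather than a value the report uses.

```python
"""Static PE32 triage with the standard library only: per-section entropy and
ZLIB compressibility (the columns that mark .text above as packed) and a check
that the entry point is the native stub of a 32-bit .NET image, jmp dword ptr
[IAT slot]. Added example; build_sample_pe() produces a constructed file."""
import math, random, struct, zlib

PE32_MAGIC = 0x10B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
DIR_IAT = 12                 # IMAGE_DIRECTORY_ENTRY_IAT index in the data directory
SECT_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size; packed or encrypted data stays close to 1.0."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0

def parse_pe(blob: bytes) -> dict:
    """Read the PE32 header fields the triage needs from an in-memory file."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    _, nsects, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, fh)
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", blob, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    iat_rva, iat_size = struct.unpack_from("<II", blob, opt + 96 + 8 * DIR_IAT)
    sections = []
    for i in range(nsects):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECT_FMT, blob, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va,
                             rawsize=rawsize, rawptr=rawptr, chars=chars))
    return dict(entry_rva=entry_rva, image_base=image_base, iat_rva=iat_rva,
                iat_size=iat_size, sections=sections)

def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + rva - s["va"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def is_clr_entry_stub(pe: dict, blob: bytes) -> bool:
    """True when the entry point is FF 25 <abs32> and <abs32> lies inside the IAT."""
    off = rva_to_offset(pe, pe["entry_rva"])
    if blob[off:off + 2] != b"\xff\x25":
        return False
    target_rva = struct.unpack_from("<I", blob, off + 2)[0] - pe["image_base"]
    return pe["iat_rva"] <= target_rva < pe["iat_rva"] + pe["iat_size"]

def triage_sections(pe: dict, blob: bytes, threshold: float = 7.0) -> list:
    """(name, entropy, zlib ratio, flagged): an executable section that is nearly
    incompressible holds packed or encrypted data rather than code."""
    rows = []
    for s in pe["sections"]:
        raw = blob[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        ent, ratio = shannon_entropy(raw), zlib_complexity(raw)
        executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        rows.append((s["name"], round(ent, 3), round(ratio, 3), executable and ent > threshold))
    return rows

def build_sample_pe() -> bytes:
    """Constructed PE32: .text holds one IAT slot at RVA 0x2000, the CLR stub at
    RVA 0x2050 and pseudo-random filler standing in for an encrypted payload."""
    hdr = bytearray(0x200)                               # headers, file alignment 0x200
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<I", hdr, opt + 16, 0x2050)        # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, 0x400000)      # ImageBase
    struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_IAT, 0x2000, 8)
    struct.pack_into(SECT_FMT, hdr, opt + 0xE0, b".text", 0x1000, 0x2000, 0x1000, 0x200,
                     0, 0, 0, 0, 0x60000020)             # EXECUTE | CODE | READ
    struct.pack_into(SECT_FMT, hdr, opt + 0xE0 + 40, b".rsrc", 0x400, 0x3000, 0x400, 0x1200,
                     0, 0, 0, 0, 0x40000040)             # INITIALIZED_DATA | READ
    rng = random.Random(1337)
    text = bytearray(rng.getrandbits(8) for _ in range(0x1000))
    text[0:8] = struct.pack("<II", 0x2100, 0)            # IAT: one slot, then terminator
    text[0x50:0x56] = b"\xff\x25" + struct.pack("<I", 0x402000)  # jmp dword ptr [0x402000]
    return bytes(hdr) + bytes(text) + b"\x00\x00\x01\x00" * 0x100   # .rsrc: repetitive blob

if __name__ == "__main__":
    blob = build_sample_pe()
    pe = parse_pe(blob)
    print("entry point is the CLR stub:", is_clr_entry_stub(pe, blob))
    for name, ent, ratio, flagged in triage_sections(pe, blob):
        print(f"{name:8} entropy={ent:.3f}  zlib={ratio:.3f}  {'packed?' if flagged else ''}")
```

Run against a real dropper, point parse_pe at the file bytes; the two numbers it prints per section are the same statistics as the table's Entropy and ZLIB Complexity columns, and a True from is_clr_entry_stub confirms the six-byte stub shown in the entry-point preview.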

          Version Infos

          Description       Data
          Translation       0x0000 0x04b0
          LegalCopyright    Copyright 2021
          Assembly Version  1.0.0.0
          InternalName      ConsoleApp17.exe
          FileVersion       1.0.0.0
          CompanyName
          LegalTrademarks
          Comments          WindowsFormsApp7
          ProductName       WindowsFormsApp7
          ProductVersion    1.0.0.0
          FileDescription   WindowsFormsApp7
          OriginalFilename  ConsoleApp17.exe

          The version block is attacker-supplied and was left at Visual Studio project defaults: InternalName and OriginalFilename say ConsoleApp17.exe, the product fields say WindowsFormsApp7, and neither matches the submitted name CNEW ORDER17.exe. Such disagreement between the version fields and the file name is itself a triage signal.

          Network Behavior

          No network behavior found

          Code Manipulations

          User Modules

          Hook Summary

          Function Name  Hook Type  Active in Processes
          PeekMessageA   INLINE     explorer.exe
          PeekMessageW   INLINE     explorer.exe
          GetMessageW    INLINE     explorer.exe
          GetMessageA    INLINE     explorer.exe

          Processes

          Process: explorer.exe, Module: user32.dll
          Function Name  Hook Type  New Data
          PeekMessageA   INLINE     0x48 0x8B 0xB8 0x89 0x9E 0xEA
          PeekMessageW   INLINE     0x48 0x8B 0xB8 0x81 0x1E 0xEA
          GetMessageW    INLINE     0x48 0x8B 0xB8 0x81 0x1E 0xEA
          GetMessageA    INLINE     0x48 0x8B 0xB8 0x89 0x9E 0xEA
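
The table above lists the bytes that now begin the four user32 message-retrieval functions in explorer.exe, a 64-bit process (Wow64: false). These are the entry points of every GUI message loop, so code that sits in front of them sees each window message, keystrokes included, before the application does. The general way to surface such hooks is to read each export's first bytes from the live process, compare them with a clean copy (the same export in the on-disk DLL relocated to the same base, or in an unhooked process), and decode any trampoline so its destination can be attributed to a module or to an unbacked executable region. The code below is an added example, not part of the report: the clean prolog, the hooked variants, the function address and the memory map are all constructed, and it decodes the three common x86-64 trampoline shapes. The six bytes the report shows are none of those shapes, so they are returned as a modification of unknown kind.

```python
"""Find and classify an inline hook by diffing a function prolog in a live
process against a clean copy. Added example; every address and byte string
below is constructed for the demonstration, none is taken from a real process."""
import struct

MASK64 = (1 << 64) - 1

def classify_prolog(clean: bytes, live: bytes, func_addr: int) -> dict:
    """Compare `live` (first bytes read from the target process) with `clean`
    (same export from the on-disk image or an unhooked process). If they
    differ, decode the trampolines hook engines commonly place on x86-64:
      E9 rel32              jmp rel32               (5 bytes, target = next_ip + rel32)
      FF 25 disp32          jmp qword ptr [rip+d32] (6 bytes, reads an 8-byte slot)
      48 B8 imm64 FF E0     mov rax, imm64; jmp rax (12 bytes, absolute target)
    Anything else is reported as a modification of unknown shape."""
    n = min(len(clean), len(live))
    if clean[:n] == live[:n]:
        return {"hooked": False, "kind": None, "target": None}
    out = {"hooked": True, "kind": "unknown", "target": None}
    if len(live) >= 5 and live[0] == 0xE9:
        rel = struct.unpack_from("<i", live, 1)[0]
        out.update(kind="jmp rel32", target=(func_addr + 5 + rel) & MASK64)
    elif len(live) >= 6 and live[:2] == b"\xff\x25":
        disp = struct.unpack_from("<i", live, 2)[0]
        # the jump goes wherever the 8-byte slot points; the slot address is returned
        out.update(kind="jmp [rip+disp32]", target=(func_addr + 6 + disp) & MASK64)
    elif len(live) >= 12 and live[:2] == b"\x48\xb8" and live[10:12] == b"\xff\xe0":
        out.update(kind="mov rax, imm64; jmp rax", target=struct.unpack_from("<Q", live, 2)[0])
    return out

def attribute_target(addr: int, regions) -> str:
    """Name the mapped module containing addr, or '<unbacked>' when it lies in an
    anonymous executable region, which is where injected code lives."""
    for base, size, name in regions:
        if base <= addr < base + size:
            return name or "<unbacked>"
    return "<unmapped>"

def scan_exports(exports: dict, regions) -> list:
    """exports: name -> (func_addr, clean_bytes, live_bytes). One row per hooked
    export, in the shape of the hook summary above plus the decoded destination."""
    rows = []
    for name, (addr, clean, live) in exports.items():
        r = classify_prolog(clean, live, addr)
        if r["hooked"]:
            where = attribute_target(r["target"], regions) if r["target"] is not None else "n/a"
            rows.append((name, r["kind"], r["target"], where))
    return rows

# Constructed data: a typical MSVC x64 prolog, a hypothetical export address,
# two hooked variants, and the six bytes listed in the table padded with clean bytes.
FUNC_ADDR = 0x7FFAB0001000
CLEAN = bytes.fromhex("48895c24084889742410574883ec20")  # mov [rsp+8],rbx; mov [rsp+10h],rsi; push rdi; sub rsp,20h
HOOKED_FAR = b"\x48\xb8" + struct.pack("<Q", 0x79B2000) + b"\xff\xe0" + CLEAN[12:]
HOOKED_NEAR = b"\xe9" + struct.pack("<i", 0x12345) + CLEAN[5:]
REPORTED = bytes.fromhex("488bb8899eea") + CLEAN[6:]
REGIONS = [(0x7FFAB0000000, 0x1A0000, "user32.dll"), (0x79B0000, 0x10000, None)]
EXPORTS = {
    "GetMessageA": (FUNC_ADDR, CLEAN, CLEAN),                 # untouched
    "GetMessageW": (FUNC_ADDR + 0x200, CLEAN, HOOKED_NEAR),   # jmp inside the same module
    "PeekMessageA": (FUNC_ADDR + 0x400, CLEAN, HOOKED_FAR),   # jmp into an unbacked region
    "PeekMessageW": (FUNC_ADDR + 0x600, CLEAN, REPORTED),     # modified, shape unknown
}

if __name__ == "__main__":
    for row in scan_exports(EXPORTS, REGIONS):
        print(row)
```

On a real host the `live` bytes come from ReadProcessMemory on the target and the `clean` bytes from the export at the same RVA in the DLL on disk; a destination that resolves to "<unbacked>" is the strongest indicator, since legitimate hooks (AV, accessibility tools) land in a named module.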

          Statistics

          Behavior


          System Behavior

          General

          Start time:18:35:34
          Start date:13/10/2021
          Path:C:\Users\user\Desktop\CNEW ORDER17.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\CNEW ORDER17.exe'
          Imagebase:0x1a0000
          File size:983040 bytes
          MD5 hash:C54EDC9EF9D72FE0FE048E8AC884626B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:low

          General

          Start time:18:36:33
          Start date:13/10/2021
          Path:C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Imagebase:0x4d0000
          File size:983040 bytes
          MD5 hash:C54EDC9EF9D72FE0FE048E8AC884626B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 100%, Joe Sandbox ML
          Reputation:low

          General

          Start time:18:36:35
          Start date:13/10/2021
          Path:C:\Windows\explorer.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\Explorer.EXE
          Imagebase:0x7ff720ea0000
          File size:3933184 bytes
          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:high

          General

          Start time:18:37:16
          Start date:13/10/2021
          Path:C:\Windows\SysWOW64\raserver.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\raserver.exe
          Imagebase:0xc0000
          File size:108544 bytes
          MD5 hash:2AADF65E395BFBD0D9B71D7279C8B5EC
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:moderate

          General

          Start time:18:37:20
          Start date:13/10/2021
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:/c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Imagebase:0xd80000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:18:37:20
          Start date:13/10/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7f20f0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Disassembly

          Code Analysis
