Loading ...

Play interactive tourEdit tour

Windows Analysis Report 56460021473877.exe

Overview

General Information

Sample Name:56460021473877.exe
Analysis ID:502358
MD5:d95e9bb2fa064a984c391b5bfc1d01e6
SHA1:6b045974084794b785110909351e2a25950c5ed6
SHA256:b499be4b6955eebcf4228039f67a65a38b322f0ca1d58d8071de9a428ced8720
Tags:exeXloader
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 56460021473877.exe (PID: 5240 cmdline: 'C:\Users\user\Desktop\56460021473877.exe' MD5: D95E9BB2FA064A984C391B5BFC1D01E6)
    • 56460021473877.exe (PID: 5276 cmdline: C:\Users\user\Desktop\56460021473877.exe MD5: D95E9BB2FA064A984C391B5BFC1D01E6)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 980 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 7156 cmdline: /c del 'C:\Users\user\Desktop\56460021473877.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nottryingdoing.com/ni8b/"], "decoy": ["billaning.com", "nhmingwei.com", "sapphiremodule.com", "533washingtonave.com", "dlscord-partners.com", "303cf.com", "hooleyfamilygoods.com", "productiongv.com", "intaom.com", "juanmarket.net", "thecrystalconsciousness.com", "sgosthirxz.sbs", "solobookings.com", "formulaonline.xyz", "gulliblegirls.com", "pureselva.com", "rusporn.xxx", "ed-institute.com", "serviciosgeneralesjba.online", "4x4pac.com", "trpgame.com", "shopbeerbelly.com", "box-770.com", "3tshaircreations.com", "nstyle.one", "txsports.club", "chirmano.com", "herehardcore.com", "shoetowers.com", "flipkartsdealscart.xyz", "lechila.com", "aag-trading.com", "werloshop.com", "bcmegroupbrd.xyz", "bogosamba.com", "sehermughal.com", "flexzapato.online", "citestaccnt1631552650.com", "anisyuko.xyz", "norllix.com", "socichat.one", "mia-mania.net", "web3designstudio.com", "eastsidescooters.com", "mymillionmission.com", "media777.club", "undeclined.info", "zhongrct.com", "sifangktv.mobi", "lindseystirlingvip.com", "kiccleaningservicesfl.com", "rafaelelais.com", "davewalkergreenberet.com", "prideparties.com", "ouzoudcaro.com", "ps-sac.com", "holmdelfirst.com", "ville-fogalmam.com", "sellmycarhudsoncounty.com", "celltecstore.com", "australiapost.digital", "rajinderbeas.com", "cabofishingreport.com", "purpari.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x6ab9:$sqlite3step: 68 34 1C 7B E1
    • 0x6bcc:$sqlite3step: 68 34 1C 7B E1
    • 0x6ae8:$sqlite3text: 68 38 2A 90 C5
    • 0x6c0d:$sqlite3text: 68 38 2A 90 C5
    • 0x6afb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x6c23:$sqlite3blob: 68 53 D8 7F 8C
    00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 24 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      3.2.56460021473877.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        3.2.56460021473877.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.2.56460021473877.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x16ab9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bcc:$sqlite3step: 68 34 1C 7B E1
        • 0x16ae8:$sqlite3text: 68 38 2A 90 C5
        • 0x16c0d:$sqlite3text: 68 38 2A 90 C5
        • 0x16afb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
        3.2.56460021473877.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          3.2.56460021473877.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d87:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 8 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.nottryingdoing.com/ni8b/"], "decoy": ["billaning.com", "nhmingwei.com", "sapphiremodule.com", "533washingtonave.com", "dlscord-partners.com", "303cf.com", "hooleyfamilygoods.com", "productiongv.com", "intaom.com", "juanmarket.net", "thecrystalconsciousness.com", "sgosthirxz.sbs", "solobookings.com", "formulaonline.xyz", "gulliblegirls.com", "pureselva.com", "rusporn.xxx", "ed-institute.com", "serviciosgeneralesjba.online", "4x4pac.com", "trpgame.com", "shopbeerbelly.com", "box-770.com", "3tshaircreations.com", "nstyle.one", "txsports.club", "chirmano.com", "herehardcore.com", "shoetowers.com", "flipkartsdealscart.xyz", "lechila.com", "aag-trading.com", "werloshop.com", "bcmegroupbrd.xyz", "bogosamba.com", "sehermughal.com", "flexzapato.online", "citestaccnt1631552650.com", "anisyuko.xyz", "norllix.com", "socichat.one", "mia-mania.net", "web3designstudio.com", "eastsidescooters.com", "mymillionmission.com", "media777.club", "undeclined.info", "zhongrct.com", "sifangktv.mobi", "lindseystirlingvip.com", "kiccleaningservicesfl.com", "rafaelelais.com", "davewalkergreenberet.com", "prideparties.com", "ouzoudcaro.com", "ps-sac.com", "holmdelfirst.com", "ville-fogalmam.com", "sellmycarhudsoncounty.com", "celltecstore.com", "australiapost.digital", "rajinderbeas.com", "cabofishingreport.com", "purpari.com"]}
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORY
          Multi AV Scanner detection for domain / URLShow sources
          Source: serviciosgeneralesjba.onlineVirustotal: Detection: 5%Perma Link
          Source: 3.2.56460021473877.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 56460021473877.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 56460021473877.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: 56460021473877.exe, 00000003.00000002.763826486.0000000001610000.00000040.00000001.sdmp, control.exe, 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: 56460021473877.exe, 00000003.00000002.764793089.0000000001A00000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: 56460021473877.exe, 00000003.00000002.763826486.0000000001610000.00000040.00000001.sdmp, control.exe
          Source: Binary string: control.pdbUGP source: 56460021473877.exe, 00000003.00000002.764793089.0000000001A00000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 4x nop then pop ebx3_2_00406ABB
          Source: C:\Windows\SysWOW64\control.exeCode function: 4x nop then pop ebx8_2_02836ABB

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49811 -> 154.208.173.144:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49811 -> 154.208.173.144:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49811 -> 154.208.173.144:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49817 -> 67.205.83.103:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49817 -> 67.205.83.103:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49817 -> 67.205.83.103:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49851 -> 31.170.167.144:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49851 -> 31.170.167.144:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49851 -> 31.170.167.144:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49854 -> 44.227.65.245:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49854 -> 44.227.65.245:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49854 -> 44.227.65.245:80
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 213.186.33.5 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 52.5.157.71 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 216.10.241.4 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.eastsidescooters.com
          Source: C:\Windows\explorer.exeNetwork Connect: 67.205.83.103 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.celltecstore.com
          Source: C:\Windows\explorer.exeDomain query: www.thecrystalconsciousness.com
          Source: C:\Windows\explorer.exeDomain query: www.ps-sac.com
          Source: C:\Windows\explorer.exeDomain query: www.ville-fogalmam.com
          Source: C:\Windows\explorer.exeDomain query: www.box-770.com
          Source: C:\Windows\explorer.exeDomain query: www.txsports.club
          Source: C:\Windows\explorer.exeDomain query: www.rajinderbeas.com
          Source: C:\Windows\explorer.exeNetwork Connect: 31.170.167.144 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.nhmingwei.com
          Source: C:\Windows\explorer.exeNetwork Connect: 154.208.173.144 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 148.72.177.185 80Jump to behavior
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.nottryingdoing.com/ni8b/
          Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=bnsPHpJ0JXfYedDeyyRM0T59hyvcJozMf52DwVsUkht3MP5YfvQl77Z8cLzJCfxgsHVQ&kTY=TdZdU HTTP/1.1Host: www.nhmingwei.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=Zvg5mbxlh1FEUeAb4a18wQGVMNqECI22VVMpQ/dBRbKZgYLiDL5+JoutiYtpnsrAj+vq&kTY=TdZdU HTTP/1.1Host: www.celltecstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=Eseu83Nj43qLBMj7MwWHNBqOzdwc7j/6ub3THp3k2Y03CkKraCnGH8IbXpARdpoCPKFf&kTY=TdZdU HTTP/1.1Host: www.ps-sac.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=lGGQ0sEZ2PLdmlcqvZgUhQs2XHM9QQiXiItD8ZWi5Y/Bd+WpsK3C+f5erJECmSl9JpeM&kTY=TdZdU HTTP/1.1Host: www.txsports.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=NtJPN2JufTPSUZxhVG2lwHAXNu/91wCxk6QRP91Jym6+DWJgifkFBuY1HfUXqRvRWjoF&kTY=TdZdU HTTP/1.1Host: www.rajinderbeas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=5gklYs16rcBoTPwexQgZaEg2WcCOIBmXVnGtPO+7DRUqV3YS52r/gKUkKnDwsfv+vOIy&kTY=TdZdU HTTP/1.1Host: www.box-770.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3StTy/F8q5n6jJiQm6&kTY=TdZdU HTTP/1.1Host: www.thecrystalconsciousness.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 213.186.33.5 213.186.33.5
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: control.exe, 00000008.00000002.941761338.0000000004CE2000.00000004.00020000.sdmpString found in binary or memory: http://thecrystalconsciousness.com/ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3S
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: 56460021473877.exe, 00000000.00000002.699621675.0000000006A60000.00000004.00020000.sdmpString found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: 56460021473877.exe, 00000000.00000002.694670637.0000000000AF7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: 56460021473877.exe, 00000000.00000002.694670637.0000000000AF7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comceomz
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: 56460021473877.exe, 00000000.00000002.699180917.00000000065B2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknownDNS traffic detected: queries for: www.nhmingwei.com
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=bnsPHpJ0JXfYedDeyyRM0T59hyvcJozMf52DwVsUkht3MP5YfvQl77Z8cLzJCfxgsHVQ&kTY=TdZdU HTTP/1.1Host: www.nhmingwei.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=Zvg5mbxlh1FEUeAb4a18wQGVMNqECI22VVMpQ/dBRbKZgYLiDL5+JoutiYtpnsrAj+vq&kTY=TdZdU HTTP/1.1Host: www.celltecstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=Eseu83Nj43qLBMj7MwWHNBqOzdwc7j/6ub3THp3k2Y03CkKraCnGH8IbXpARdpoCPKFf&kTY=TdZdU HTTP/1.1Host: www.ps-sac.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=lGGQ0sEZ2PLdmlcqvZgUhQs2XHM9QQiXiItD8ZWi5Y/Bd+WpsK3C+f5erJECmSl9JpeM&kTY=TdZdU HTTP/1.1Host: www.txsports.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=NtJPN2JufTPSUZxhVG2lwHAXNu/91wCxk6QRP91Jym6+DWJgifkFBuY1HfUXqRvRWjoF&kTY=TdZdU HTTP/1.1Host: www.rajinderbeas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=5gklYs16rcBoTPwexQgZaEg2WcCOIBmXVnGtPO+7DRUqV3YS52r/gKUkKnDwsfv+vOIy&kTY=TdZdU HTTP/1.1Host: www.box-770.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /ni8b/?ZfEhPp=JVySAPp733wZmQfNstMcOnNrXbLvf0xUB0jZ2Inh4UzmMU775P3StTy/F8q5n6jJiQm6&kTY=TdZdU HTTP/1.1Host: www.thecrystalconsciousness.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: 56460021473877.exe, 00000000.00000002.693859689.00000000007F0000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 56460021473877.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.56460021473877.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.56460021473877.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.56460021473877.exe.350fe30.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.56460021473877.exe.34c5c10.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.752209654.000000000EEF1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.940519272.0000000002830000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.730886485.000000000EEF1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.763748004.00000000015D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.940364992.0000000002530000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.695508447.00000000033A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.762828125.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.939915779.0000000000500000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.763621485.00000000011C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 0_2_000480A90_2_000480A9
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 0_2_007ECCCC0_2_007ECCCC
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 0_2_007EF0900_2_007EF090
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 0_2_007EF0820_2_007EF082
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_004010303_2_00401030
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_0041D1733_2_0041D173
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_004011753_2_00401175
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_0041C1FB3_2_0041C1FB
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_0041BBBB3_2_0041BBBB
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_00408C803_2_00408C80
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_0041C50E3_2_0041C50E
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_00402D8B3_2_00402D8B
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_00402D903_2_00402D90
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_00402FB03_2_00402FB0
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_00BA80A93_2_00BA80A9
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_047110028_2_04711002
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0466841F8_2_0466841F
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0466B0908_2_0466B090
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04721D558_2_04721D55
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04650D208_2_04650D20
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_046741208_2_04674120
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0465F9008_2_0465F900
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0466D5E08_2_0466D5E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04676E308_2_04676E30
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0468EBB08_2_0468EBB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0284BBBB8_2_0284BBBB
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0284C1FB8_2_0284C1FB
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_02832FB08_2_02832FB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_02838C808_2_02838C80
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_02832D8B8_2_02832D8B
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_02832D908_2_02832D90
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0284C50E8_2_0284C50E
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0465B150 appears 32 times
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_004185C0 NtCreateFile,3_2_004185C0
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_00418670 NtReadFile,3_2_00418670
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_004186F0 NtClose,3_2_004186F0
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_004187A0 NtAllocateVirtualMemory,3_2_004187A0
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_004185BB NtCreateFile,3_2_004185BB
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_0041866A NtReadFile,3_2_0041866A
          Source: C:\Users\user\Desktop\56460021473877.exeCode function: 3_2_004186EA NtClose,3_2_004186EA
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699860 NtQuerySystemInformation,LdrInitializeThunk,8_2_04699860
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699840 NtDelayExecution,LdrInitializeThunk,8_2_04699840
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699540 NtReadFile,LdrInitializeThunk,8_2_04699540
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699910 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_04699910
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_046995D0 NtClose,LdrInitializeThunk,8_2_046995D0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_046999A0 NtCreateSection,LdrInitializeThunk,8_2_046999A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699660 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_04699660
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699A50 NtCreateFile,LdrInitializeThunk,8_2_04699A50
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699650 NtQueryValueKey,LdrInitializeThunk,8_2_04699650
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_046996E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_046996E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_046996D0 NtCreateKey,LdrInitializeThunk,8_2_046996D0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699710 NtQueryInformationToken,LdrInitializeThunk,8_2_04699710
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699FE0 NtCreateMutant,LdrInitializeThunk,8_2_04699FE0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699780 NtMapViewOfSection,LdrInitializeThunk,8_2_04699780
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0469B040 NtSuspendThread,8_2_0469B040
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699820 NtEnumerateKey,8_2_04699820
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_046998F0 NtReadVirtualMemory,8_2_046998F0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_046998A0 NtWriteVirtualMemory,8_2_046998A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699560 NtWriteFile,8_2_04699560
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699950 NtQueueApcThread,8_2_04699950
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699520 NtWaitForSingleObject,8_2_04699520
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0469AD30 NtSetContextThread,8_2_0469AD30
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_046995F0 NtQueryInformationFile,8_2_046995F0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_046999D0 NtCreateProcessEx,8_2_046999D0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699670 NtQueryInformationProcess,8_2_04699670
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699A20 NtResumeThread,8_2_04699A20
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699A00 NtProtectVirtualMemory,8_2_04699A00
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699610 NtEnumerateValueKey,8_2_04699610
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699A10 NtQuerySection,8_2_04699A10
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699A80 NtOpenDirectoryObject,8_2_04699A80
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699760 NtOpenProcess,8_2_04699760
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699770 NtSetInformationFile,8_2_04699770
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0469A770 NtOpenThread,8_2_0469A770
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699730 NtQueryVirtualMemory,8_2_04699730
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_04699B00 NtSetValueKey,8_2_04699B00
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0469A710 NtOpenProcessToken,8_2_0469A710
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_046997A0 NtUnmapViewOfSection,8_2_046997A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0469A3B0 NtGetContextThread,8_2_0469A3B0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_028486F0 NtClose,8_2_028486F0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_02848670 NtReadFile,8_2_02848670
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_028487A0 NtAllocateVirtualMemory,8_2_028487A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_028485C0 NtCreateFile,8_2_028485C0
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_028486EA NtClose,8_2_028486EA
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0284866A NtReadFile,8_2_0284866A
          Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_028485BB NtCreateFile,8_2_028485BB
          Source: 56460021473877.exeBinary or memory string: OriginalFilename vs 56460021473877.exe
          Source: 56460021473877.exe, 00000000.00000002.693859689.00000000007F0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 56460021473877.exe
          Source: 56460021473877.exe, 00000000.00000002.693132347.0000000000042000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCLSCompliantAttribu.exeD vs 56460021473877.exe
          Source: 56460021473877.exe, 00000000.00000002.699650451.0000000006C20000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs 56460021473877.exe
          Source: 56460021473877.exe, 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameriched20.dllp( vs 56460021473877.exe
          Source: 56460021473877.exe, 00000000.00000002.694839132.00000000023A1000.00000004.00000001.sdmpBinary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 56460021473877.exe
          Source: 56460021473877.exeBinary or memory string: OriginalFilename vs 56460021473877.exe
          Source: 56460021473877.exe, 00000003.00000002.762957590.0000000000BA2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCLSCompliantAttribu.exeD vs 56460021473877.exe
          Source: 56460021473877.exe, 00000003.00000002.764806655.0000000001A05000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs 56460021473877.exe
          Source: 56460021473877.exe, 00000003.00000002.764551885.00000000018BF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 56460021473877.exe
          Source: 56460021473877.exeBinary or memory string: OriginalFilenameCLSCompliantAttribu.exeD vs 56460021473877.exe
          Source: 56460021473877.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 56460021473877.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 56460021473877.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\56460021473877.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\56460021473877.exe 'C:\Users\user\Desktop\56460021473877.exe'
          Source: C:\Users\user\Desktop\56460021473877.exeProcess created: C:\Users\user\Desktop\56460021473877.exe C:\Users\user\Desktop\56460021473877.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\56460021473877.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\56460021473877.exeProcess created: C:\Users\user\Desktop\56460021473877.exe C:\Users\user\Desktop\56460021473877.exeJump to behavior
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\56460021473877.exe'Jump to behavior
          Source: C:\Users\user\Desktop\56460021473877.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\56460021473877.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@11/7
          Source: C:\Users\user\Desktop\56460021473877.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\56460021473877.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: 56460021473877.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 56460021473877.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: 56460021473877.exe, 00000003.00000002.763826486.0000000001610000.00000040.00000001.sdmp, control.exe, 00000008.00000002.940884541.0000000004630000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: 56460021473877.exe, 00000003.00000002.764793089.0000000001A00000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: 56460021473877.exe, 00000003.00000002.763826486.0000000001610000.00000040.00000001.sdmp, control.exe
          Source: Binary string: control.pdbUGP source: 56460021473877.exe, 00000003.00000002.764793089.0000000001A00000.00000040.00020000.sdmp

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: 56460021473877.exe, MainForm.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.0.56460021473877.exe.40000.0.unpack, MainForm.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.2.56460021473877.exe.40000.0.unpack, MainForm.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.2.56460021473877.exe.ba0000.1.unpack, MainForm.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])