
Windows Analysis Report Fu94e0b1TR

Overview

General Information

Sample Name: Fu94e0b1TR (renamed file extension from none to exe)
Analysis ID: 502374
MD5: 6429aa83e4bc083b4f0b3f44b0d7950f
SHA1: 0ead59881f054284f611accb61451ed1ffc818fc
SHA256: 96c57ae661562e958e01bb0b490c09a0a51bb367931620223174963de88bdfcb
Tags: 32 exe trojan

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Fu94e0b1TR.exe (PID: 4628 cmdline: 'C:\Users\user\Desktop\Fu94e0b1TR.exe' MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
    • Fu94e0b1TR.exe (PID: 4840 cmdline: C:\Users\user\Desktop\Fu94e0b1TR.exe MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
    • Fu94e0b1TR.exe (PID: 2848 cmdline: C:\Users\user\Desktop\Fu94e0b1TR.exe MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 3204 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 1844 cmdline: /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fis.photos/ef6c/"], "decoy": ["gicaredocs.com", "govusergroup.com", "conversationspit.com", "brondairy.com", "rjtherealest.com", "xn--9m1bq8wgkag3rjvb.com", "mylori.net", "softandcute.store", "ahljsm.com", "shacksolid.com", "weekendmusecollection.com", "gaminghallarna.net", "pgonline111.online", "44mpt.xyz", "ambrandt.com", "eddytattoo.com", "blendeqes.com", "upinmyfeels.com", "lacucinadesign.com", "docomoau.xyz", "xn--90armbk7e.online", "xzq585858.net", "kidzgovroom.com", "lhznqyl.press", "publicationsplace.com", "jakante.com", "csspadding.com", "test-testjisdnsec.store", "lafabriqueabeilleassurances.com", "clf010.com", "buybabysnuggle.com", "uzmdrmustafaalperaykanat.com", "levanttradegroup.com", "arcflorals.com", "kinglot2499.com", "freekagyans.com", "region10group.gmbh", "yeyelm744.com", "thehomedesigncentre.com", "vngc.xyz", "szesdkj.com", "charlottewright.online", "planetgreennetwork.com", "pacifica7.com", "analogueadapt.com", "sensorypantry.com", "narbaal.com", "restaurant-utopia.xyz", "golnay.com", "szyyglass.com", "redelirevearyseuiop.xyz", "goldsteelconstruction.com", "discovercotswoldcottages.com", "geniuseven.net", "apricitee.com", "stopmoshenik.online", "ya2gh.com", "instatechnovelz.com", "dbe648.com", "seifjuban.com", "conquershirts.store", "totalcovidtravel.com", "pamperotrabajo.com", "satellitphonestore.com"]}

Yara Overview

Memory Dumps

Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x16aa9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bbc:$sqlite3step: 68 34 1C 7B E1
  • 0x16ad8:$sqlite3text: 68 38 2A 90 C5
  • 0x16bfd:$sqlite3text: 68 38 2A 90 C5
  • 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c13:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security

Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

(24 entries in total; remaining entries not shown)

Unpacked PEs

Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x15ca9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dbc:$sqlite3step: 68 34 1C 7B E1
  • 0x15cd8:$sqlite3text: 68 38 2A 90 C5
  • 0x15dfd:$sqlite3text: 68 38 2A 90 C5
  • 0x15ceb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e13:$sqlite3blob: 68 53 D8 7F 8C

Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(8 entries in total; remaining entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.fis.photos/ef6c/"], "decoy": ["gicaredocs.com", "govusergroup.com", "conversationspit.com", "brondairy.com", "rjtherealest.com", "xn--9m1bq8wgkag3rjvb.com", "mylori.net", "softandcute.store", "ahljsm.com", "shacksolid.com", "weekendmusecollection.com", "gaminghallarna.net", "pgonline111.online", "44mpt.xyz", "ambrandt.com", "eddytattoo.com", "blendeqes.com", "upinmyfeels.com", "lacucinadesign.com", "docomoau.xyz", "xn--90armbk7e.online", "xzq585858.net", "kidzgovroom.com", "lhznqyl.press", "publicationsplace.com", "jakante.com", "csspadding.com", "test-testjisdnsec.store", "lafabriqueabeilleassurances.com", "clf010.com", "buybabysnuggle.com", "uzmdrmustafaalperaykanat.com", "levanttradegroup.com", "arcflorals.com", "kinglot2499.com", "freekagyans.com", "region10group.gmbh", "yeyelm744.com", "thehomedesigncentre.com", "vngc.xyz", "szesdkj.com", "charlottewright.online", "planetgreennetwork.com", "pacifica7.com", "analogueadapt.com", "sensorypantry.com", "narbaal.com", "restaurant-utopia.xyz", "golnay.com", "szyyglass.com", "redelirevearyseuiop.xyz", "goldsteelconstruction.com", "discovercotswoldcottages.com", "geniuseven.net", "apricitee.com", "stopmoshenik.online", "ya2gh.com", "instatechnovelz.com", "dbe648.com", "seifjuban.com", "conquershirts.store", "totalcovidtravel.com", "pamperotrabajo.com", "satellitphonestore.com"]}
Yara detected FormBook
Source: Yara match, file source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Fu94e0b1TR.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Fu94e0b1TR.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
Source: Binary string: netstat.pdb source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Fu94e0b1TR.exe, 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, NETSTAT.EXE, 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Fu94e0b1TR.exe, NETSTAT.EXE
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe, Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe, Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.instatechnovelz.com
Source: C:\Windows\explorer.exe, Network Connect: 172.65.227.72 80
Source: C:\Windows\explorer.exe, Domain query: www.apricitee.com
Source: C:\Windows\explorer.exe, Domain query: www.shacksolid.com
Source: C:\Windows\explorer.exe, Network Connect: 64.190.62.111 80
Source: C:\Windows\explorer.exe, Domain query: www.brondairy.com
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.fis.photos/ef6c/
Source: Joe Sandbox View, ASN Name: NBS11696US NBS11696US
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic, HTTP traffic detected: GET /ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC HTTP/1.1 Host: www.apricitee.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D HTTP/1.1 Host: www.shacksolid.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, IP Address: 64.190.62.111 64.190.62.111
Source: NETSTAT.EXE, 00000012.00000002.518424149.00000000033D2000.00000004.00020000.sdmp, String found in binary or memory: https://flow.page/rjdarealest/ef6c/?BJB=7nO80D&yrTlglv8=yyRuLH34I
Source: NETSTAT.EXE, 00000012.00000002.518424149.00000000033D2000.00000004.00020000.sdmp, String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=e&domain=shacksolid.com&origin=sales_land
Source: unknown, DNS traffic detected: queries for: www.apricitee.com
Source: global traffic, HTTP traffic detected: GET /ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC HTTP/1.1 Host: www.apricitee.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D HTTP/1.1 Host: www.shacksolid.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook
(same Yara match sources as listed under AV Detection)

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Fu94e0b1TR.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_00F5D064
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_00F5F296
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_00F5F298
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00401030
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041B9DA
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041C2B0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00408C70
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041BC20
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00402D87
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041C58D
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00402D90
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041BE92
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00402FB0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0118F900
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01180D20
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011A4120
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01251D55
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B2581
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0119D5E0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0119841F
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01241002
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0119B090
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B20A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011BEBB0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011A6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D66E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01002
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E11D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D4F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D40D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D64120
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DB9DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DC2B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DBC20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003C8C70
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003C2D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DC58D
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003C2D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DBE92
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003C2FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02D4B150 appears 32 times
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: String function: 0118B150 appears 35 times
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_004185B0 NtCreateFile,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00418660 NtReadFile,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_004186E0 NtClose,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00418790 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_004185AA NtCreateFile,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_004186DA NtClose,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041878A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011CAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9560 NtWriteFile,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011CB040 NtSuspendThread,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011CA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011CA770 NtOpenThread,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9760 NtOpenProcess,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011CA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9A10 NtQuerySection,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C96D0 NtCreateKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D896D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D896E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D895D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D899A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89A10 NtQuerySection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89A20 NtResumeThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D8A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D897A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D8A770 NtOpenThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89760 NtOpenProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D8A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D898F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D898A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D8B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D899D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D895F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89560 NtWriteFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D8AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D85B0 NtCreateFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D8660 NtReadFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D86E0 NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D8790 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D85AA NtCreateFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D86DA NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D878A NtAllocateVirtualMemory,
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000000.00000002.287588690.00000000070D0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000005.00000002.272314311.00000000003AE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000006.00000000.272808507.000000000066E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000006.00000002.371649875.000000000127F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe | Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Fu94e0b1TR.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Fu94e0b1TR.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | File created: C:\Users\user\AppData\Local\Gottschalks
Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/1@6/2
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_01
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Fu94e0b1TR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Fu94e0b1TR.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: netstat.pdbGCTL source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
            Source: Binary string: netstat.pdb source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP source: Fu94e0b1TR.exe, 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, NETSTAT.EXE, 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: Fu94e0b1TR.exe, NETSTAT.EXE

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Fu94e0b1TR.exe, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.0.Fu94e0b1TR.exe.6d0000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.2.Fu94e0b1TR.exe.6d0000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 5.0.Fu94e0b1TR.exe.350000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 5.2.Fu94e0b1TR.exe.350000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 6.2.Fu94e0b1TR.exe.610000.1.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 6.0.Fu94e0b1TR.exe.610000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_00F5203B push ebx; retf
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_07131CAA push 8406FDCBh; retf
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_07133B05 push FFFFFF8Bh; iretd
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041B85C push eax; ret
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00407027 push ebx; ret
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00415115 push es; iretd
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00414F3A push ds; iretd
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041B7F2 push eax; ret
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041B7FB push eax; ret
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041B7A5 push eax; ret
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011DD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D9D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003C7027 push ebx; ret
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DB85C push eax; ret
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D5115 push es; iretd
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D4F3A push ds; iretd
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DB7A5 push eax; ret
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DB7FB push eax; ret
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DB7F2 push eax; ret
            Source: initial sample | Static PE information: section name: .text entropy: 7.77320879492

            Hooking and other Techniques for Hiding and Protection:

            Self deletion via cmd delete
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe