
# Windows Analysis Report cK1g5gckZR9VHjj.exe

## Overview

### General Information

• Sample Name: cK1g5gckZR9VHjj.exe
• Analysis ID: 528618
• MD5: 5f19b9a3e41ef2e6ec3200bf4a246cec
• SHA1: 25638b49edf7444005e1e02fb5d972da5920e1d8
• SHA256: afac806262706aea36f8c34cb56ffa94f49da9b39b752cfd077f9b921e972c1d
• Tags: exe, Formbook, xloader

### Detection

FormBook
• Score: 100
• Range: 0 - 100
• Whitelisted: false
• Confidence: 100%

### Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

### Classification

System is w10x64
• cK1g5gckZR9VHjj.exe (PID: 7160, cmdline: "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe", MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
• cK1g5gckZR9VHjj.exe (PID: 1312, cmdline: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe, MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
• cK1g5gckZR9VHjj.exe (PID: 6104, cmdline: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe, MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
• explorer.exe (PID: 3440, cmdline: C:\Windows\Explorer.EXE, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
• netsh.exe (PID: 6904, cmdline: C:\Windows\SysWOW64\netsh.exe, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
• cmd.exe (PID: 6900, cmdline: /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe", MD5: F3BDBE3BB6F734E357235F4D5898582D)
• conhost.exe (PID: 6992, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com; matched strings:
• 0x8608:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x89a2:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146b5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x141a1:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147b7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1492f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93ba:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1341c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa132:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19ba7:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac4a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
• Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group; matched strings:
• 0x16ad9:\$sqlite3step: 68 34 1C 7B E1
• 0x16bec:\$sqlite3step: 68 34 1C 7B E1
• 0x16b08:\$sqlite3text: 68 38 2A 90 C5
• 0x16c2d:\$sqlite3text: 68 38 2A 90 C5
• 0x16b1b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x16c43:\$sqlite3blob: 68 53 D8 7F 8C
Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com; matched strings:
• 0x8608:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x89a2:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146b5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x141a1:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147b7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1492f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93ba:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1341c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa132:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19ba7:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac4a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):

Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com; matched strings:
• 0x8608:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x89a2:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146b5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x141a1:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147b7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1492f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93ba:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1341c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa132:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19ba7:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac4a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
• Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group; matched strings:
• 0x16ad9:\$sqlite3step: 68 34 1C 7B E1
• 0x16bec:\$sqlite3step: 68 34 1C 7B E1
• 0x16b08:\$sqlite3text: 68 38 2A 90 C5
• 0x16c2d:\$sqlite3text: 68 38 2A 90 C5
• 0x16b1b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x16c43:\$sqlite3blob: 68 53 D8 7F 8C
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com; matched strings:
• 0x7808:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x7ba2:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x138b5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x133a1:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x139b7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x13b2f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x85ba:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1261c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x9332:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x18da7:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x19e4a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

## Sigma Overview

No Sigma rule has matched

## Jbx Signature Overview

### AV Detection:

Found malware configuration
 Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}
Yara detected FormBook
• Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
• Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
• Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
• Source: Yara match File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
• Source: Yara match File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
• Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
• Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
• Source: Yara match File source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
• Source: Yara match File source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
• Source: Yara match File source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
• Source: Yara match File source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
• Source: Yara match File source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
• Source: Yara match File source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
• Source: Yara match File source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
• Source: Yara match File source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
• Source: Yara match File source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
• Source: Yara match File source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
• Source: Yara match File source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
• Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
• Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
• Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
• Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
• Source: cK1g5gckZR9VHjj.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
• Source: cK1g5gckZR9VHjj.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
• Source: Binary string: netsh.pdb source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
• Source: Binary string: netsh.pdbGCTL source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
• Source: Binary string: wntdll.pdbUGP source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
• Source: Binary string: wntdll.pdb source: cK1g5gckZR9VHjj.exe, cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
• Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 4x nop then pop edi
• Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 4x nop then pop esi
• Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 4x nop then pop esi
• Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi
• Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop esi
• Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop esi

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
• Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
• Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
System process connects to network (likely due to code injection or exploit)
• Source: C:\Windows\explorer.exe Network Connect: 142.252.22.166 80
• Source: C:\Windows\explorer.exe Network Connect: 154.94.210.101 80
• Source: C:\Windows\explorer.exe Domain query: www.dragonmodz.net
• Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
• Source: C:\Windows\explorer.exe Domain query: www.blueprintroslyn.com
• Source: C:\Windows\explorer.exe Domain query: www.qzttb.net
• Source: C:\Windows\explorer.exe Domain query: www.royaldears.com
• Source: C:\Windows\explorer.exe Domain query: www.pittsburghdata.center
• Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
C2 URLs / IPs found in malware configuration
• Source: Malware configuration extractor URLs: www.spoiledzone.com/udeh/
Internet Provider seen in connection with other malware
• Source: Joe Sandbox View ASN Name: EGIHOSTINGUS
• Source: Joe Sandbox View ASN Name: ROOTNETWORKSUS
HTTP GET or POST without a user agent
• Source: global traffic HTTP traffic detected:

```http
GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1
Host: www.qzttb.net
Connection: close
```

Data Raw: 00 00 00 00 00 00 00 Data Ascii:
• Source: global traffic HTTP traffic detected:

```http
GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1
Host: www.royaldears.com
Connection: close
```

Data Raw: 00 00 00 00 00 00 00 Data Ascii:
• Source: global traffic HTTP traffic detected:

```http
GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1
Host: www.dragonmodz.net
Connection: close
```

Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
• Source: Joe Sandbox View IP Address: 3.64.163.50
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)
• Source: global traffic HTTP traffic detected:

```http
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/7.0.33
X-Powered-By: ASP.NET
Date: Thu, 25 Nov 2021 14:11:35 GMT
Connection: close
Content-Length: 7447
```
URLs found in memory or binary data
• Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
• Source: explorer.exe, 00000005.00000000.381972183.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.396876565.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.358537483.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Performs DNS lookups
• Source: unknown DNS traffic detected: queries for: www.qzttb.net

### E-Banking Fraud:

Yara detected FormBook

### System Summary:

Malicious sample detected (through community Yara rule)
Each of the following sources matched both community rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group).
• Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
• Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
• Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
• Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
• Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
• Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
• Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
• Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
• Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
• Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
• Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
• Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
• Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
• Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
• Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
• Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
• Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
• Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY
Uses 32bit PE files
• Source: cK1g5gckZR9VHjj.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match