
Windows Analysis Report: Se adjunta el pedido, proforma.exe

Overview

General Information

Sample Name: Se adjunta el pedido, proforma.exe
Analysis ID: 528688
MD5: deea7525a547ed7a9ef6c81b04478f3e
SHA1: b29c935913a55c9bad3979d05d97a6ebda871604
SHA256: 413e8df7f149aa643aaa1ef70e953ab2112827b652f1cf05b6420ed6a119962d
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Allocates memory within a range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc.)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Se adjunta el pedido, proforma.exe (PID: 7088 cmdline: "C:\Users\user\Desktop\Se adjunta el pedido, proforma.exe" MD5: DEEA7525A547ED7A9EF6C81B04478F3E)
    • mobsync.exe (PID: 6648 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Lxtcsmeg.exe (PID: 5740 cmdline: "C:\Users\user\Contacts\Lxtcsmeg\Lxtcsmeg.exe" MD5: DEEA7525A547ED7A9EF6C81B04478F3E)
          • logagent.exe (PID: 5048 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
        • Lxtcsmeg.exe (PID: 6868 cmdline: "C:\Users\user\Contacts\Lxtcsmeg\Lxtcsmeg.exe" MD5: DEEA7525A547ED7A9EF6C81B04478F3E)
          • mobsync.exe (PID: 5036 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)
        • cscript.exe (PID: 6820 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6384 cmdline: /c del "C:\Windows\SysWOW64\mobsync.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 740 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rematedeldia.com/euv4/"], "decoy": ["anniebapartments.com", "hagenbicycles.com", "herbalist101.com", "southerncorrosion.net", "kuechenpruefer.com", "tajniezdrzi.quest", "segurofunerarioar.com", "boardsandbeamsdecor.com", "alifdanismanlik.com", "pkem.top", "mddc.clinic", "handejqr.com", "crux-at.com", "awp.email", "hugsforbubbs.com", "cielotherepy.com", "turkcuyuz.com", "teamidc.com", "lankasirinspa.com", "68135.online", "oprimanumerodos.com", "launchclik.com", "customapronsnow.com", "thecuratedpour.com", "20dzwww.com", "encludemedia.com", "kreativevisibility.net", "mehfeels.com", "oecmgroup.com", "alert78.info", "1207rossmoyne.com", "spbutoto.com", "t1uba.com", "protection-onepa.com", "byausorsm26-plala.xyz", "bestpleasure4u.com", "allmnlenem.quest", "mobilpartes.com", "fabio.tools", "bubu3cin.com", "nathanmartinez.digital", "shristiprintingplaces.com", "silkyflawless.com", "berylgrote.top", "laidbackfurniture.store", "leatherman-neal.com", "uschargeport.com", "the-pumps.com", "deepootech.com", "drimev.com", "seo-art.agency", "jasabacklinkweb20.com", "tracynicolalamond.com", "dandtglaziers.com", "vulacils.com", "bendyourtongue.com", "gulfund.com", "ahmadfaizlajis.com", "595531.com", "metavillagehub.com", "librairie-adrienne.com", "77777.store", "gongwenbo.com", "game2plays.com"]}

Yara Overview

Dropped Files

Source: C:\Users\user\Contacts\Lxtcsmeg\gemsctxL.url | Rule: Methodology_Contains_Shortcut_OtherURIhandlers | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 00000006.00000000.726500145.000000000E234000.00000040.00020000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000006.00000000.726500145.000000000E234000.00000040.00020000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000006.00000000.726500145.000000000E234000.00000040.00020000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x6ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bec:$sqlite3step: 68 34 1C 7B E1
  • 0x6b08:$sqlite3text: 68 38 2A 90 C5
  • 0x6c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000000F.00000000.783906150.0000000072480000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0000000F.00000000.783906150.0000000072480000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(61 entries in total; only the first are shown here)

Unpacked PEs

Source: 5.2.mobsync.exe.72480000.4.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 5.2.mobsync.exe.72480000.4.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 5.2.mobsync.exe.72480000.4.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dec:$sqlite3step: 68 34 1C 7B E1
  • 0x15d08:$sqlite3text: 68 38 2A 90 C5
  • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
Source: 18.0.mobsync.exe.72480000.3.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 18.0.mobsync.exe.72480000.3.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(85 entries in total; only the first are shown here)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000000.783906150.0000000072480000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Se adjunta el pedido, proforma.exe | Virustotal: Detection: 42%
Source: Se adjunta el pedido, proforma.exe | ReversingLabs: Detection: 50%
Yara detected FormBook
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Contacts\Lxtcsmeg\Lxtcsmeg.exe | ReversingLabs: Detection: 50%
Source: 18.2.mobsync.exe.72480000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.logagent.exe.72480000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.mobsync.exe.72480000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.logagent.exe.72480000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.mobsync.exe.72480000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.mobsync.exe.72480000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.mobsync.exe.72480000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.mobsync.exe.72480000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.2.logagent.exe.72480000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.logagent.exe.72480000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.mobsync.exe.72480000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.mobsync.exe.72480000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.logagent.exe.72480000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.mobsync.exe.72480000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.mobsync.exe.72480000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Se adjunta el pedido, proforma.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: Binary string: wntdll.pdb | source: mobsync.exe, cscript.exe
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 4x nop then pop ebx | 5_2_72486AB4
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 4x nop then pop edi | 5_2_72495676
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx | 12_2_003D6AB5
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi | 12_2_003E5676

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 104.233.161.196:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 104.233.161.196:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 104.233.161.196:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 85.194.202.138:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 85.194.202.138:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 85.194.202.138:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.rematedeldia.com/euv4/
Source: Joe Sandbox View | IP Address: 162.159.130.233 162.159.130.233
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: Se adjunta el pedido, proforma.exe, 00000000.00000003.665782531.00000000006F9000.00000004.00000001.sdmp, Se adjunta el pedido, proforma.exe, 00000000.00000003.667080485.00000000006F9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Se adjunta el pedido, proforma.exe, 00000000.00000003.665782531.00000000006F9000.00000004.00000001.sdmp, Se adjunta el pedido, proforma.exe, 00000000.00000003.667080485.00000000006F9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft
Source: Se adjunta el pedido, proforma.exe, 00000000.00000003.667080485.00000000006F9000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/
Source: Se adjunta el pedido, proforma.exe, 00000000.00000003.667080485.00000000006F9000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/900622540588843013/912979191073476678/Lxtcsmegwxhfqoabkjaduxy
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic | HTTP traffic detected: GET /attachments/900622540588843013/912979191073476678/Lxtcsmegwxhfqoabkjaduxyckamobho HTTP/1.1 | User-Agent: lVali | Host: cdn.discordapp.com
Source: global traffic | HTTP traffic detected: GET /attachments/900622540588843013/912979191073476678/Lxtcsmegwxhfqoabkjaduxyckamobho HTTP/1.1 | User-Agent: aswe | Host: cdn.discordapp.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /attachments/900622540588843013/912979191073476678/Lxtcsmegwxhfqoabkjaduxyckamobho HTTP/1.1 | User-Agent: aswe | Host: cdn.discordapp.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /attachments/900622540588843013/912979191073476678/Lxtcsmegwxhfqoabkjaduxyckamobho HTTP/1.1 | User-Agent: aswe | Host: cdn.discordapp.com | Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49764 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

System Summary: