
Windows Analysis Report: TNT Documents.exe

Overview

General Information

Sample Name: TNT Documents.exe
Analysis ID: 528770
MD5: 53213cdc9809c6debebe6400a4d1a891
SHA1: 2383fe2e296a1f28deb600cfeadb0a3fa18856f3
SHA256: f49a87b9fa0e2e84273ad690ffe6d7548d7ed13a595fd4addf7c6211b0eb5108
Tags: exe, Formbook, TNT

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • TNT Documents.exe (PID: 6612 cmdline: "C:\Users\user\Desktop\TNT Documents.exe" MD5: 53213CDC9809C6DEBEBE6400A4D1A891)
    • TNT Documents.exe (PID: 6040 cmdline: {path} MD5: 53213CDC9809C6DEBEBE6400A4D1A891)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • autoconv.exe (PID: 6884 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
      • msdt.exe (PID: 6076 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
        • cmd.exe (PID: 5964 cmdline: /c del "C:\Users\user\Desktop\TNT Documents.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • explorer.exe (PID: 3240 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.floridanratraining.com/how6/"], "decoy": ["wealthcabana.com", "fourfortyfourcreations.com", "cqqcsy.com", "bhwzjd.com", "niftyfashionrewards.com", "andersongiftemporium.com", "smarttradingcoin.com", "ilarealty.com", "sherrywine.net", "fsecg.info", "xoti.top", "pirosconsulting.com", "fundapie.com", "bbgm4egda.xyz", "legalfortmyers.com", "improvizy.com", "yxdyhs.com", "lucky2balls.com", "panelmall.com", "davenportkartway.com", "springfieldlottery.com", "pentagonpublishers.com", "icanmakeyoufamous.com", "40m2k.com", "projectcentered.com", "webfactory.agency", "metronixmedical.com", "dalingtao.xyz", "functionalsoft.com", "klopert77.com", "cortepuroiberico.com", "viavelleiloes.online", "bamedia.online", "skolicalunjo.com", "kayhardy.com", "excellentappraisers.com", "sademakale.com", "zbycsb.com", "empirejewelss.com", "coached.info", "20215414.online", "dazzlehide.com", "swickstyle.com", "specialtyplastics.online", "noordinarysenior.com", "bluinfo.digital", "chuxiaoxin.xyz", "adwin-estate.com", "girlwithaglow.com", "auctions.email", "topekasecurestorage.com", "mountain-chicken.com", "lhdtrj.com", "mhtqph.club", "solatopotato.com", "mecitiris.com", "hotrodathangtrungquoc.com", "gapteknews.com", "mantraexchange.online", "cinematiccarpenter.com", "wozka.xyz", "car-tech.tech", "jssatchell.media", "joyokanji-cheer.com"]}
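
The extracted configuration is the most directly usable artefact in this report: one real C2 URL and a long list of decoy domains. The Python below, an added example and not part of the Joe Sandbox report, turns that JSON into IOCs and triages proxy log lines against them. CONFIG_JSON is the report's configuration with the decoy list cut down to four domains; the log lines and their whitespace-separated layout (timestamp, client, method, URL, status) are constructed for the demonstration and are not any product's log format. The reading of "decoy" as "listed in the config but not the C2" follows the extractor's own labelling.

```python
"""Turn the report's extracted FormBook configuration into IOCs and triage
proxy log lines against them.

Added example, not part of the Joe Sandbox report. CONFIG_JSON is the report's
"Malware Configuration" entry with the decoy list cut down to four domains; the
proxy log lines and their whitespace-separated format (timestamp, client,
method, URL, status) are constructed for this demonstration.
"""
import json
from urllib.parse import urlsplit

CONFIG_JSON = """{"C2 list": ["www.floridanratraining.com/how6/"],
 "decoy": ["wealthcabana.com", "fourfortyfourcreations.com", "cqqcsy.com", "bhwzjd.com"]}"""

# Constructed log lines: one client hits the real C2 and a decoy in quick
# succession, another browses to a decoy domain, a third is unrelated.
PROXY_LOG = """\
2021-11-24T10:01:02Z 10.0.0.5 POST http://www.floridanratraining.com/how6/ 200
2021-11-24T10:01:03Z 10.0.0.5 POST http://www.wealthcabana.com/how6/ 404
2021-11-24T10:05:40Z 10.0.0.7 GET http://bhwzjd.com/ 200
2021-11-24T10:06:11Z 10.0.0.9 GET https://example.org/index.html 200
"""


def parse_formbook_config(raw: str) -> dict:
    """Split the extractor's JSON into (host, path) C2 entries and a sorted decoy list."""
    cfg = json.loads(raw)
    c2 = []
    for entry in cfg.get("C2 list", []):
        parts = urlsplit("http://" + entry)  # extractor output carries no scheme
        c2.append((parts.hostname.lower(), parts.path or "/"))
    decoys = sorted({d.lower() for d in cfg.get("decoy", [])})
    return {"c2": c2, "decoy": decoys}


def host_matches(host: str, domain: str) -> bool:
    """Exact match or subdomain match (www.example.com matches example.com)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def classify_request(url: str, iocs: dict) -> str:
    """'c2' for the real C2 host, 'decoy' for a configured decoy, else 'clean'.

    The C2 path from the config is kept in the IOC for reference, but a hit on
    the C2 host alone is enough to call it: the host is the indicator, the
    path may differ between builds.
    """
    host = (urlsplit(url).hostname or "").lower()
    if any(host_matches(host, c2_host) for c2_host, _path in iocs["c2"]):
        return "c2"
    if any(host_matches(host, d) for d in iocs["decoy"]):
        return "decoy"
    return "clean"


def triage(log_text: str, iocs: dict) -> list:
    """(client, host, verdict) for every log line that is not 'clean'."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, _status = line.split()
        verdict = classify_request(url, iocs)
        if verdict != "clean":
            hits.append((client, urlsplit(url).hostname, verdict))
    return hits


def clients_by_config_hosts(hits: list) -> dict:
    """Number of distinct configured hosts (C2 or decoy) contacted per client.

    A client that touches several configured hosts looks like the implant
    working through its list; a single decoy hit on its own is weak evidence,
    because a decoy entry is by the extractor's labelling not the C2.
    """
    seen = {}
    for client, host, _verdict in hits:
        seen.setdefault(client, set()).add(host)
    return {client: len(hosts) for client, hosts in seen.items()}


if __name__ == "__main__":
    iocs = parse_formbook_config(CONFIG_JSON)
    hits = triage(PROXY_LOG, iocs)
    for hit in hits:
        print(hit)
    print(clients_by_config_hosts(hits))
```

Blocking the C2 host is the obvious action; the decoy list is better used for correlation than for blocking, since the extractor separates it from the C2 and a single decoy contact could just as well be ordinary browsing. The per-client count is what turns a decoy hit into a lead: 10.0.0.5 above touches both the C2 and a decoy within a second.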

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 further memory-dump matches are not shown in this extract)

      Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.TNT Documents.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.TNT Documents.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.TNT Documents.exe.400000.8.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
4.2.TNT Documents.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.TNT Documents.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further unpacked-PE matches are not shown in this extract)
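
The YARA strings above are worth reading rather than just counting. $sequence_0 of the yara-signator rule (03 C8 0F 31 2B C1 89 45 FC) is add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timestamp-delta check behind the "detect virtualization through RDTSC time measurements" signature; each JPCERT/CC string is a five-byte push imm32 (opcode 68) of a 32-bit constant that the rule names after a sqlite3 function. The Python below, an added example and neither part of the report nor of the cited rules, scans a buffer for those patterns and decodes the push immediates. The buffer is constructed: a zero-filled region with the patterns planted at the offsets the report lists for the raw memory dump, so the offsets it returns are the planted ones and not an independent finding.

```python
"""Scan a memory image for the byte patterns behind the report's YARA hits and
decode the constants two of them carry.

Added example, not part of the Joe Sandbox report and not the cited YARA
rules. The patterns are copied from the report's Yara Overview; the buffer
scanned here is constructed (zero-filled, with the patterns planted at the
report's raw-dump offsets), so the offsets it reports are the planted ones.
"""
import struct

# Formbook_1 $sequence_0: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
SEQUENCE_0 = bytes.fromhex("03C80F312BC18945FC")

# JPCERT/CC strings: each is `push imm32` (opcode 0x68) of a 32-bit constant
# the rule names after a sqlite3 function (step / column_text / column_blob)
SQLITE_PATTERNS = {
    "sqlite3step": bytes.fromhex("68341C7BE1"),
    "sqlite3text": bytes.fromhex("68382A90C5"),
    "sqlite3blob": bytes.fromhex("6853D87F8C"),
}

# Offsets the report lists for 00000004.00000002.798434648.0000000000400000...sdmp
REPORTED_OFFSETS = {
    "sequence_0": [0x8618, 0x89B2],
    "sqlite3step": [0x16AE9, 0x16BFC],
    "sqlite3text": [0x16B18, 0x16C3D],
    "sqlite3blob": [0x16B2B, 0x16C53],
}


def all_patterns() -> dict:
    return {"sequence_0": SEQUENCE_0, **SQLITE_PATTERNS}


def find_all(buf: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in buf (overlapping hits included)."""
    hits, start = [], 0
    while True:
        i = buf.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(buf: bytes) -> dict:
    """Pattern name -> sorted list of offsets at which it occurs in buf."""
    return {name: find_all(buf, pat) for name, pat in all_patterns().items()}


def push_imm32(pattern: bytes) -> int:
    """Decode `68 xx xx xx xx` (push imm32, little-endian) to its 32-bit constant."""
    if len(pattern) != 5 or pattern[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", pattern[1:])[0]


def build_sample() -> bytes:
    """Constructed image: 0x20000 zero bytes with each pattern planted at the
    offsets the report lists. Stands in for a real memory dump."""
    buf = bytearray(0x20000)
    patterns = all_patterns()
    for name, offsets in REPORTED_OFFSETS.items():
        for off in offsets:
            buf[off:off + len(patterns[name])] = patterns[name]
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample()
    for name, offsets in scan(image).items():
        print(name, [hex(o) for o in offsets])
    for name, pat in SQLITE_PATTERNS.items():
        print(name, hex(push_imm32(pat)))
```

Run against a real dump (read the .sdmp or the raw.unpack file into `image` instead of calling build_sample) the scanner gives the same kind of offset list as the report. Note the report's own numbers: every string sits 0xE00 lower in 4.2.TNT Documents.exe.400000.0.unpack (0x7818, 0x138c5, ...) than in the raw dump (0x8618, 0x146c5, ...), a constant shift across all ten strings, which is what you expect when one file is the as-mapped image and the other is a rebuilt PE with sections laid out at file offsets; the exact alignment values are not given in the report, so treat that reading as an interpretation.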

          Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\TNT Documents.exe, ParentProcessId: 6040, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 6076
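
The process tree and this Sigma hit together describe three things that are visible in ordinary process-creation telemetry: signed SysWOW64 binaries (msdt.exe, autoconv.exe) started by an executable under C:\Users, a cmd.exe whose only job is to delete the image of a process further up its chain, and the sample spawning a second copy of itself (the hollowing target). The Python below, an added example that is neither part of the Joe Sandbox report nor a re-implementation of the cited Sigma rule, expresses those three checks over a constructed event list. The PIDs, images and command lines are taken from the report's process tree; the image path of cmd.exe and the (absent) parent of the first TNT Documents.exe are assumptions, since the report does not show them.

```python
"""Detection logic for the behaviours visible in the report's process tree.

Added example, not part of the Joe Sandbox report and not the Sigma rule it
cites: the three checks are my own formulation. EVENTS is constructed from the
report's process tree (PIDs, images and command lines as shown there); the
image path of cmd.exe and the parent of the first TNT Documents.exe are
assumptions, since the report does not show them.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(6612, None, r"C:\Users\user\Desktop\TNT Documents.exe", r'"C:\Users\user\Desktop\TNT Documents.exe"'),
    ProcEvent(6040, 6612, r"C:\Users\user\Desktop\TNT Documents.exe", "{path}"),  # "{path}" is the report's placeholder
    ProcEvent(3424, 6040, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),  # placed under 6040 as in the report's tree
    ProcEvent(6884, 6040, r"C:\Windows\SysWOW64\autoconv.exe", r"C:\Windows\SysWOW64\autoconv.exe"),
    ProcEvent(6076, 6040, r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\SysWOW64\msdt.exe"),
    ProcEvent(5964, 6076, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\user\Desktop\TNT Documents.exe"'),  # image path assumed
    ProcEvent(6684, 5964, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(3240, 6076, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS'),
]

# System binaries seen in this tree that rarely have a non-system parent
LOLBINS = {"msdt.exe", "autoconv.exe"}
USER_PATH = "c:\\users\\"
# `del <path>` or `del "<path with spaces>"` at the end of a cmd.exe command line
DEL_RE = re.compile(r'\bdel\b\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict):
    """Yield parent, grandparent, ... while they are present in the event set."""
    pid, seen = ev.ppid, set()
    while pid is not None and pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]
        yield parent
        pid = parent.ppid


def analyse(events: list) -> list:
    """(pid, rule_name) for every event that trips one of the three checks."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        # 1. A SysWOW64 LOLBin whose parent lives in a user-writable path
        if basename(ev.image) in LOLBINS and parent and parent.image.lower().startswith(USER_PATH):
            findings.append((ev.pid, "lolbin_from_user_path"))
        # 2. cmd.exe deleting the on-disk image of one of its own ancestors
        if basename(ev.image) == "cmd.exe":
            m = DEL_RE.search(ev.cmdline)
            if m:
                target = m.group(1).lower()
                if any(a.image.lower() == target for a in ancestors(ev, by_pid)):
                    findings.append((ev.pid, "self_delete_of_ancestor"))
        # 3. A child running the same executable as its parent (fresh copy to hollow)
        if parent and parent.image.lower() == ev.image.lower():
            findings.append((ev.pid, "same_image_child"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyse(EVENTS):
        print(pid, rule)
```

Check 3 is the weakest of the three on its own (installers and browsers re-spawn themselves routinely) and is only worth an alert when it co-occurs with 1 or 2, which is exactly the shape of this tree: 6040 is the self-spawned copy, 6076 and 6884 are the LOLBins it starts, and 5964 is the cmd.exe that removes the original file. None of the checks can see the suspended-mode creation, APC queueing or thread-context changes the report lists; those need API-level or ETW telemetry, not process-creation events.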

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: TNT Documents.exe, ReversingLabs: Detection: 48%
Yara detected FormBook
Source: Yara match, file source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.960597354.00000000007A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.756647993.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.799493056.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.798798288.0000000000E30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.699262494.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: TNT Documents.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.TNT Documents.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.TNT Documents.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.TNT Documents.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.TNT Documents.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: TNT Documents.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: TNT Documents.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL, source: TNT Documents.exe, 00000004.00000002.800029853.0000000003300000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: TNT Documents.exe, 00000004.00000002.798924978.00000000012A0000.00000040.00000001.sdmp, TNT Documents.exe, 00000004.00000002.799089348.00000000013BF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.963153362.0000000004B40000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.963364250.0000000004C5F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: TNT Documents.exe, TNT Documents.exe, 00000004.00000002.798924978.00000000012A0000.00000040.00000001.sdmp, TNT Documents.exe, 00000004.00000002.799089348.00000000013BF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000B.00000002.963153362.0000000004B40000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.963364250.0000000004C5F000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb, source: TNT Documents.exe, 00000004.00000002.800029853.0000000003300000.00000040.00020000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TNT Documents.exe, Code function: 4x nop then pop edi, 4_2_0040C3AE
Source: C:\Users\user\Desktop\TNT Documents.exe, Code function: 4x nop then pop edi, 4_2_00415681
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop edi, 11_2_007AC3AE
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop edi, 11_2_007B5681

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.floridanratraining.com/how6/
Source: explorer.exe, 00000016.00000003.917756477.0000000006088000.00000004.00000001.sdmp, explorer.exe, 00000016.00000002.953694318.0000000006088000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.919652524.0000000006088000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000016.00000002.949450560.0000000002AC2000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.897794439.0000000002AC2000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobp
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Only the first entry, the extractor's C2 URL, is an indicator. The remaining strings are a GlobalSign CRL URL from explorer.exe memory, a truncated Adobe namespace fragment, and font-foundry and licence URLs of the kind carried in embedded font resources (all from one region of the initial .NET process); none of them appears in the extracted configuration, and they should not be promoted to IOCs on the strength of this list.

          E-Banking Fraud:

Yara detected FormBook
Source: the same Yara matches listed under "Yara detected FormBook" in AV Detection above (8 unpacked PEs and 11 memory dumps)

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.960597354.00000000007A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.960597354.00000000007A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.756647993.000000000E4CE000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.756647993.000000000E4CE000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.799493056.00000000015D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.799493056.00000000015D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.798798288.0000000000E30000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.798798288.0000000000E30000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.699262494.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.699262494.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: explorer.exe PID: 3424, type: MEMORYSTRMatched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: TNT Documents.exe
          Executable has a suspicious name (potential lure to open the executable)Show sources
          Source: TNT Documents.exeStatic file information: Suspicious name
          Source: TNT Documents.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Matched rules (metadata listed once; both rules matched on every source in the list that follows):
Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Sources matching Formbook_1 and Formbook:
Source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: 4.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: 4.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: 4.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: 4.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPE
Source: 4.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: 4.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp, type: MEMORY
Source: 0000000B.00000002.960597354.00000000007A0000.00000040.00020000.sdmp, type: MEMORY
Source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORY
Source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000005.00000000.756647993.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY
Source: 00000004.00000002.799493056.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY
Source: 00000004.00000002.798798288.0000000000E30000.00000040.00020000.sdmp, type: MEMORY
Source: 00000004.00000000.699262494.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp, type: MEMORY
Source: Process Memory Space: explorer.exe PID: 3424, type: MEMORYSTR; Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
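The YARA rows above are easier to act on once grouped by process and memory region: the same 0x400000 region of process 4 is hit at both dump points, the hits come from regions dumped with protection 0x40, and the explorer.exe hit is a generic webshell string rule rather than a Formbook rule. The helper below is an added example, not part of the Joe Sandbox report or of either rule set. It assumes a naming convention for the dump sources that this page does not document: `<proc>.<stage>.<dumpid>.<base>.<protect>.<type>.sdmp`, where `<proc>` is the process index in the report, `<stage>` the dump point, `<base>` the region base address, `<protect>` Windows PAGE_* protection bits, and `<type>` a field left undecoded here; unpacked PEs are assumed to be named `<proc>.<stage>.<image>.<base>.<n>[.raw].unpack`. The sample rows are constructed from a subset of the rows on this page with rule metadata shortened.

```python
"""Added triage helper (not part of the Joe Sandbox report or its YARA rules):
group the YARA hits by (process index, region base) and flag regions that every
Formbook rule hit and that were dumped from writable+executable memory.

Assumed source naming (not documented on this page):
    <proc>.<stage>.<dumpid>.<base>.<protect>.<type>.sdmp         memory dump
    <proc>.<stage>.<image>.<base>.<n>[.raw].unpack               unpacked PE
<protect> is decoded as Windows PAGE_* bits; <type> is kept raw.
"""
import re
from collections import defaultdict

# winnt.h PAGE_* constants; the low byte of the <protect> field is assumed to carry them.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Rules on this page that identify the Formbook payload itself.  The generic
# ironshell_php string rule is reported separately, not counted as payload evidence.
PAYLOAD_RULES = {"Formbook_1", "Formbook"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<mtype>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+)\.(?P<base>[0-9A-F]+)\.\d+(?:\.raw)?\.unpack$",
    re.IGNORECASE)
# Case-sensitive on purpose: accepts both the flattened "MEMORYMatched rule:" and a cleaned row.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>[A-Z]+)[;\s]*Matched rule:\s*(?P<rule>\S+)")


def parse_source(src):
    """Classify one source string and extract process/region fields."""
    m = SDMP_RE.match(src)
    if m:
        prot = int(m["protect"], 16)
        return {"kind": "memdump", "proc": int(m["proc"], 16), "stage": int(m["stage"], 16),
                "base": int(m["base"], 16), "protect": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
                "mtype": m["mtype"]}  # raw: meaning of this field is an open assumption
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpackedpe", "proc": int(m["proc"]), "stage": int(m["stage"]),
                "image": m["image"], "base": int(m["base"], 16)}
    return {"kind": "other", "label": src}


def triage(report_lines):
    """Return ({(proc, base): region}, [(source, rule)] hits not attributed to a region)."""
    regions = defaultdict(lambda: {"rules": set(), "stages": set(), "protect": set(), "kinds": set()})
    other_hits = []
    for line in report_lines:
        row = ROW_RE.match(line.strip())
        if not row:
            continue
        info, rule = parse_source(row["src"]), row["rule"]
        if rule not in PAYLOAD_RULES or info["kind"] == "other":
            other_hits.append((row["src"], rule))
            continue
        reg = regions[(info["proc"], info["base"])]
        reg["rules"].add(rule)
        reg["stages"].add(info["stage"])
        reg["kinds"].add(info["kind"])
        if info["kind"] == "memdump":
            reg["protect"].add(info["protect"])
    return dict(regions), other_hits


def suspicious_regions(regions):
    """Regions hit by every payload rule and dumped from RWX memory: the injected image."""
    out = []
    for (proc, base), reg in sorted(regions.items()):
        if PAYLOAD_RULES <= reg["rules"] and "PAGE_EXECUTE_READWRITE" in reg["protect"]:
            out.append({"proc": proc, "base": base, "stages": sorted(reg["stages"])})
    return out


# Constructed sample: a subset of the rows on this page, rule metadata shortened.
SAMPLE_ROWS = [
    "Source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC",
    "Source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC",
    "Source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC",
    "Source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC",
    "Source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC",
    "Source: Process Memory Space: explorer.exe PID: 3424, type: MEMORYSTR Matched rule: ironshell_php author = Neo23x0 Yara BRG",
]

if __name__ == "__main__":
    regions, others = triage(SAMPLE_ROWS)
    for r in suspicious_regions(regions):
        print(f"process {r['proc']} base {r['base']:#x} stages {r['stages']}: Formbook payload in RWX memory")
    for src, rule in others:
        print(f"unattributed: {rule} on {src}")
```

On the sample rows this reports the 0x400000 region of process 4 (seen both as unpacked PE and as RWX dump at stages 0 and 2, consistent with a hollowed image) and the 0xE4CE000 region of process 5, while the explorer.exe ironshell_php hit is listed as unattributed. The PAGE_READWRITE region of process 11 matches both rules but is not flagged, since only the RWX requirement is used here; widen `suspicious_regions` if read/write copies of the payload (for example the decrypted buffer in the dropper) are also of interest.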
Source: C:\Users\user\Desktop\TNT Documents.exe; Code functions: 0_2_014ED7BC, 0_2_014EE210, 0_2_014EE220, 0_2_014EBD54, 0_2_014EFC91, 0_2_075F0F78, 0_2_075F1700, 0_2_075F9F30, 0_2_075FCF80, 0_2_075FA5E8, 0_2_075F2118, 0_2_075F0040, 0_2_075F3010, 0_2_075F5800, 0_2_075F57FA, 0_2_075F2FEA, 0_2_075FD650, 0_2_075F5608, 0_2_075F3ED8, 0_2_075F3EC8, 0_2_075F16F0, 0_2_075F9698, 0_2_075F55F8, 0_2_075F4D90, 0_2_075F4D81, 0_2_075F1C10, 0_2_075F1C20, 0_2_075FCC80, 0_2_075F6350, 0_2_075F634B, 0_2_075FA3C8, 0_2_075F5399, 0_2_075F53A8, 0_2_075FBAF0, 0_2_075F4A90, 0_2_075F4A81, 0_2_075F2109, 0_2_075F5138, 0_2_075F5129, 0_2_075F0006
Source: C:\Users\user\Desktop\TNT Documents.exe; Code functions: 4_2_00401030, 4_2_00408C8B, 4_2_00408C90, 4_2_00402D87, 4_2_00402D90, 4_2_00402FB0, 4_2_012E4120, 4_2_012CF900, 4_2_0139E824, 4_2_01381002, 4_2_012F20A0, 4_2_013920A8, 4_2_012DB090, 4_2_013928EC, 4_2_01392B28, 4_2_012EAB40