Windows Analysis Report HSBC ... Wire Transfer Copy.exe

Overview

General Information

Sample Name: HSBC ... Wire Transfer Copy.exe
Analysis ID: 528773
MD5: 99b154970d15748d1df9025f675ecc76
SHA1: 75503611daf18643a401c2020ae9e045111b7f1f
SHA256: 13af03cd2db9c68bc397fd81f101287df005f27bc806737ffad390324a068d4c
Tags: exe, Formbook, HSBC

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • HSBC ... Wire Transfer Copy.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe" MD5: 99B154970D15748D1DF9025F675ECC76)
    • HSBC ... Wire Transfer Copy.exe (PID: 7164 cmdline: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe MD5: 99B154970D15748D1DF9025F675ECC76)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6536 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6672 cmdline: /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.atlantiscompania.com/m4n8/"], "decoy": ["loganvineyard.com", "seanna-charters.com", "ironbandfitness.com", "centuriesandsleuthsreviews.com", "saminicky2022.com", "oscarlorenzo.online", "donaldlittlelaw.com", "internetbook.net", "dailyhealthyfood.com", "kostarelosdair.com", "baodingtangyang.com", "cumberlndfarms.com", "dylanmellor.xyz", "investwithelsa.com", "dermaaesthetika.com", "shoelife864.com", "nightcosex.biz", "greauxbooks.com", "artwithnumber.com", "hyggestudio.store", "vektor-pro.com", "bookextraevents.com", "poweredsky.store", "carver150.com", "greenfleetshippingco.com", "raise-ryokwpl.xyz", "lobbiru.com", "tilcep.xyz", "frist-universe.com", "thehumanityleague.com", "zz4321.com", "rightpowereletricalservices.com", "alainasdesigns.com", "getcardanocoin.com", "wattnow.biz", "nitromaxfmx.com", "rty161578.top", "danielthan.com", "devjmccormick.com", "clearwaterwaverunners.com", "onlineames.com", "pureproducts.xyz", "yoothdirect.info", "tryprovo.com", "mkuu88888.xyz", "fibers2you.com", "urdnauha.xyz", "andfme.com", "shopkoman.com", "civico46bcn.com", "top-online-fashion-24.com", "lakshimechatronicssystems.com", "cortezphoto.com", "samallondemolitonyorkshire.com", "uang.exchange", "gonderipaylasim.net", "piramsgprodiet.store", "parasmountplus.com", "sifangav.net", "gramaltinrafineri.com", "kvb5676.com", "atomhome.xyz", "catproductreviews.com", "frenchieaday.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed as bullets under the matching rule)
00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 further memory-dump entries are not shown in this excerpt)

      Unpacked PEs

Source | Rule | Description | Author | Strings (listed as bullets under the matching rule)
6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 further unpacked-PE entries are not shown in this excerpt)

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as given in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: HSBC ... Wire Transfer Copy.exe | Virustotal: Detection: 16%
Source: HSBC ... Wire Transfer Copy.exe | ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match | File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: HSBC ... Wire Transfer Copy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HSBC ... Wire Transfer Copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HSBC ... Wire Transfer Copy.exe, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi

          Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 172.217.168.83:80
Source: C:\Windows\explorer.exe | Domain query: www.gramaltinrafineri.com
Source: C:\Windows\explorer.exe | Domain query: www.catproductreviews.com
Source: C:\Windows\explorer.exe | Domain query: www.piramsgprodiet.store
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.atlantiscompania.com/m4n8/
Source: global traffic | HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNHyAaYYkpUFqoPlzKT8wvvxP2/AQv7fSiFC9KSL+ HTTP/1.1 | Host: www.piramsgprodiet.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /m4n8/?5jblCF=6FC/YAdxArGDbOG0ZU8ranLB3olQ8/HIU17UMwKJ54PfoS0z6/xA4+VoDBKhLnDEQ6+k&l0G=-Zrd9J1pqHLdHPo HTTP/1.1 | Host: www.gramaltinrafineri.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /m4n8/?l0G=-Zrd9J1pqHLdHPo&5jblCF=fqwcloTwW+H6Usea82LuZckhsM6vXxH+7LRp9WPFBQLwjEJmVheIZ7PCXY+dS9vifeb6 HTTP/1.1 | Host: www.catproductreviews.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 17:58:23 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61973ffe-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 17:58:43 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61973ffe-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ipconfig.exe, 00000010.00000002.551598331.000000000403F000.00000004.00020000.sdmp | String found in binary or memory: https://www.piramsgprodiet.store/m4n8/?l0G=-Zrd9J1pqHLdHPo&amp;5jblCF=tUrd37IHNwUNrKy1BA5QR6EUYG6BNH
Source: unknown | DNS traffic detected: queries for: www.piramsgprodiet.store

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same seven unpacked PEs and eleven memory dumps listed under "Yara detected FormBook" in the AV Detection section above

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: HSBC ... Wire Transfer Copy.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.HSBC ... Wire Transfer Copy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.287427300.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547820066.0000000003380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.346806023.0000000001930000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547165223.0000000002C60000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.345755031.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.346832554.0000000001960000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.290604348.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000000.322367188.000000000FC1F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.287940636.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.547580773.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 0_2_00C68250
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 0_2_00C6D2F8
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00401030
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041E30C
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041DB36
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00402D90
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00409E5F
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00409E60
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041D6AE
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00402FB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_00C05C24
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01644120
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0162F900
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016499BF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016FE824
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A830
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E1002
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F28EC
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016520A0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F20A8
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163B090
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164AB40
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F2B28
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0164A309
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016D23E3
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E03DA
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016EDBD2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165ABD8
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0165EBB0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016DFA2B
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4AEF
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F22AE
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F1D55
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01620D20
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F2D07
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163D5E0
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F25DD
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01652581
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E2D82
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016ED466
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0163841F
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016E4496
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F1FF1
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016FDFCE
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01646E30
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016ED616
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016F2EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0366AB40
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03712B28
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0370DBD2
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_037003DA
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0367EBB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036FFA2B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_037122AE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03664120
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0364F900
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036699BF
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0371E824
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0366A830
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03701002
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_037128EC
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036720A0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_037120A8
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0365B090
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03711FF1
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0371DFCE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03666E30
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0370D616
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03712EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03711D55
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03640D20
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03712D07
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0365D5E0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_037125DD
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03672581
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0370D466
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0365841F
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7D6AE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C69E5F
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C69E60
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C62FB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C62D90
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: String function: 0162B150 appears 133 times
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 0364B150 appears 72 times
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A360 NtCreateFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A410 NtReadFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A490 NtClose,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A540 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A35A NtCreateFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0041A3B2 NtCreateFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016698F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016695D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016697A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016699D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016698A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669A10 NtQuerySection,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669560 NtWriteFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016695F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669760 NtOpenProcess,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166A770 NtOpenThread,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_0166A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_01669610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Code function: 6_2_016696D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036899A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036896E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036896D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036895D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0368A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036899D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0368B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036898F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036898A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0368A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0368A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036897A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689560 NtWriteFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_03689520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_0368AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_036895F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7A360 NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7A490 NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7A410 NtReadFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7A3B2 NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 16_2_02C7A35A NtCreateFile,
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000000.278790638.0000000000456000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.293103917.0000000005CD0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.289914483.00000000028A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.292767031.0000000005850000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290051006.000000000296B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000000.00000002.290259549.00000000038AD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000000.286928086.0000000000C76000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346749422.00000000018AF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346869714.0000000001997000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs HSBC ... Wire Transfer Copy.exe
          Source: HSBC ... Wire Transfer Copy.exe | Binary or memory string: OriginalFilenameISectionEnt.exe. vs HSBC ... Wire Transfer Copy.exe
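The entries above come from a string scan of the process memory dumps: the sandbox looks for the `OriginalFilename` key of a VS_VERSIONINFO block and compares the value that follows it with the name of the image on disk. A mismatch (here `ISectionEnt.exe`, `UI.dll`, `InnerException.dll`, and, in the hollowed process, `ntdll.dll` and `ipconfig.exe`) means a PE other than the one that was started is sitting in that region. The following script is an added example of that check and is not part of the report or the sandbox's own code; the dump it scans is a constructed byte string shaped like three version blocks, and the `_vs_string` helper only exists to build it.

```python
import re

# UTF-16LE "OriginalFilename" key exactly as it is stored inside VS_VERSIONINFO.
KEY = "OriginalFilename".encode("utf-16-le")

# Key, its NUL terminator, optional 32-bit alignment padding, then a
# NUL-terminated UTF-16LE value. A value code unit is any two bytes except 00 00.
VALUE_RE = re.compile(
    KEY + rb"\x00\x00(?:\x00\x00)*((?:(?!\x00\x00)..)+)\x00\x00",
    re.DOTALL,
)


def original_filenames(blob):
    """Every OriginalFilename value found in a raw byte dump, in file order."""
    return [m.group(1).decode("utf-16-le", "replace") for m in VALUE_RE.finditer(blob)]


def mismatches(blob, image_name):
    """OriginalFilename values that disagree (case-insensitively) with the on-disk image name."""
    return [n for n in original_filenames(blob) if n.lower() != image_name.lower()]


def _vs_string(key, value):
    # Helper for the constructed sample only: a fragment shaped like a
    # VS_VERSIONINFO String entry (NUL-terminated key, pad to 4 bytes,
    # NUL-terminated value).
    data = key.encode("utf-16-le") + b"\x00\x00"
    data += b"\x00\x00" * ((4 - len(data) % 4) % 4 // 2)
    return data + value.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a process memory dump: three version blocks from
# different images mixed with filler bytes. Not a real capture.
SAMPLE_DUMP = (
    b"\x00" * 8 + b"MZ\x90\x00" + b"\xcc" * 13
    + _vs_string("OriginalFilename", "ISectionEnt.exe") + b"\x01\x02\x03"
    + _vs_string("OriginalFilename", "HSBC ... Wire Transfer Copy.exe") + b"\n\r"
    + _vs_string("OriginalFilename", "ntdll.dll") + b"\xff" * 5
)


if __name__ == "__main__":
    for name in mismatches(SAMPLE_DUMP, "HSBC ... Wire Transfer Copy.exe"):
        print("OriginalFilename %r vs on-disk image name" % name)
```

Because the scan stops at the UTF-16 NUL that ends the value, it does not pick up the stray trailing bytes (`.`, `@`, `"`, `j%`) that the sandbox's cruder string extraction appends to its hits. Two caveats when using this on real dumps: loaded modules legitimately carry their own `OriginalFilename` (a copy of `ntdll.dll` found in a read-write-execute private region is suspicious; the mapped system module is not), and renamed installers or a .NET assembly whose original project name differs from the file name produce benign mismatches, so treat the result as a lead rather than a verdict.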
          Source: HSBC ... Wire Transfer Copy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: HSBC ... Wire Transfer Copy.exe | Virustotal: Detection: 16%
          Source: HSBC ... Wire Transfer Copy.exe | ReversingLabs: Detection: 40%
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | File read: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe:Zone.Identifier
          Source: HSBC ... Wire Transfer Copy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"
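The process-creation entries above describe the whole execution chain: the sample launches a second copy of itself (the hollowed child), explorer.exe then starts ipconfig.exe (a process explorer.exe never starts on its own, and the one the injected code later runs from), and ipconfig.exe, which has no reason to create any child, runs `cmd.exe /c del` against the sample's own path. The conhost.exe spawned by cmd.exe is normal console plumbing. The script below is an added example of turning those four observations into detection rules over process-creation events; it is not part of the report. The `SAMPLE_LINES` list is a constructed copy of the entries above, the `LEAF_UTILITIES` set is an assumed list of console tools that should never have children, and the rule names are the author's own.

```python
import ntpath
import re

# Constructed sample: the "Process created" entries of this report, one string
# per event, in the "Source: <parent> | Process created: <child> <cmdline>" form.
SAMPLE_LINES = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"',
    r'Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Process created: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe',
    r'Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe',
    r'Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe"',
    r'Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# The separator is optional so the raw, run-together report text parses too.
# The child image is everything up to the first ".exe"; paths may contain spaces.
LINE_RE = re.compile(
    r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<child>.*?\.exe)\s*(?P<cmdline>.*)$",
    re.IGNORECASE,
)

# Assumed list: console utilities that in normal use never create child processes.
LEAF_UTILITIES = {"ipconfig.exe", "systeminfo.exe", "whoami.exe", "tasklist.exe"}

# "cmd.exe /c del <path>" with or without quotes around the path.
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)


def parse_events(lines):
    """Turn report lines into (parent, child, cmdline) dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({k: m.group(k).strip() for k in ("parent", "child", "cmdline")})
    return events


def base(path):
    """Lower-cased file name of a Windows path (works on any host via ntpath)."""
    return ntpath.basename(path).lower()


def analyze(lines):
    """Return (rule_name, detail) findings for the suspicious shapes in the chain."""
    findings = []
    seen_images = set()  # image names already started in this tree
    for ev in parse_events(lines):
        parent_b, child_b = base(ev["parent"]), base(ev["child"])
        # 1. A process starting a second copy of its own image: the usual shape
        #    of RunPE / process hollowing into a suspended child.
        if parent_b and parent_b == child_b:
            findings.append(("self_spawn", ev["child"]))
        # 2. explorer.exe does not start console network utilities by itself.
        if parent_b == "explorer.exe" and child_b in LEAF_UTILITIES:
            findings.append(("explorer_spawns_leaf_utility", ev["child"]))
        # 3. ipconfig.exe and similar tools should never have children at all.
        if parent_b in LEAF_UTILITIES:
            findings.append(("leaf_utility_spawns_child", ev["parent"] + " -> " + ev["child"]))
        # 4. cmd /c del of a file whose name matches an image already running in
        #    this tree: the sample removing itself from disk.
        if child_b == "cmd.exe":
            d = DEL_RE.search(ev["cmdline"])
            if d and base(d.group("target")) in seen_images:
                findings.append(("self_delete", d.group("target")))
        seen_images.add(child_b)
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LINES):
        print(rule, "->", detail)
```

Rule 4 deliberately keys on the image name rather than the full path: the self-deletion here is issued from a process (ipconfig.exe) that is not the sample, so a naive "cmd deletes its own parent" check would miss it. On a real endpoint the same logic runs over Sysmon event ID 1 or the equivalent EDR process-start telemetry, with `seen_images` keyed by the process tree rather than a flat list.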
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC ... Wire Transfer Copy.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@3/2
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: /ISectionEnt;component/views/addbook.xaml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: views/addbook.baml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: views/addcustomer.baml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: /ISectionEnt;component/views/addcustomer.xaml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: /ISectionEnt;component/views/addbook.xaml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: views/addcustomer.baml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: views/addbook.baml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: /ISectionEnt;component/views/addcustomer.xaml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: S/ISectionEnt;component/views/addbook.xamli/ISectionEnt;component/views/borrowfrombookview.xaml_/ISectionEnt;component/views/borrowingview.xamlY/ISectionEnt;component/views/changebook.xamla/ISectionEnt;component/views/changecustomer.xaml]/ISectionEnt;component/views/customerview.xamla/ISectionEnt;component/views/deletecustomer.xamlW/ISectionEnt;component/views/errorview.xaml[/ISectionEnt;component/views/smallextras.xaml[/ISectionEnt;component/views/addcustomer.xaml
          Source: HSBC ... Wire Transfer Copy.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\HSBC ... Wire Transfer Copy.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: HSBC ... Wire Transfer Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HSBC ... Wire Transfer Copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346858842.0000000001990000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HSBC ... Wire Transfer Copy.exe, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346567819.000000000171F000.00000040.00000001.sdmp, HSBC ... Wire Transfer Copy.exe, 00000006.00000002.346329666.0000000001600000.00000040.00000001.sdmp, ipconfig.exe, ipconfig.exe, 00000010.00000002.548146108.0000000003620000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.549823291.000000000373F000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: HSBC ... Wire Transfer Copy.exe, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.HSBC ... Wire Transfer Copy.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.HSBC ... Wire Transfer Copy.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.HSBC ... Wire Transfer Copy.exe.c00000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: Objec