Play interactive tour

Edit tour

Windows Analysis Report Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Overview

General Information

Sample Name:	Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Analysis ID:	540355
MD5:	72a345c95142aee60e7df54b570c2c6b
SHA1:	aa479735d39ced67594ff0b0d5f91679e506ac38
SHA256:	a7a0ada5969b3b343a5c2d17e1fe57f542a0f9cb94b98daf7a4922d8cdcd5e8d
Tags:	exeFormbookguloaderxloader
Infos:
Most interesting Screenshot:

Detection

GuLoader FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Generic Dropper

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Detected unpacking (changes PE section rights)

GuLoader behavior detected

Multi AV Scanner detection for domain / URL

Sigma detected: Suspect Svchost Activity

Yara detected GuLoader

Hides threads from debuggers

Maps a DLL or memory area into another process

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Sigma detected: Suspicious Svchost Process

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

PE file contains executable resources (Code or Archives)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Bank_Transfer_Receipt_Copy_Scan#342 (5).exe (PID: 4360 cmdline: "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe" MD5: 72A345C95142AEE60E7DF54B570C2C6B)

nongrav.exe (PID: 6136 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe MD5: BEB33BD2BF3282F8C86081144236545D)

nongrav.exe (PID: 4520 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe MD5: BEB33BD2BF3282F8C86081144236545D)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 6932 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

cmd.exe (PID: 5168 cmdline: /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 1096 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.507414765.000000000067A000.00000040.00020000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x2f00:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: nongrav.exe PID: 4520	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: svchost.exe PID: 6932	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 21 entries

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity

Show sources

Source: Process started

Author: David Burkett: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Metadefender: Detection: 14%			Perma Link
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	ReversingLabs: Detection: 26%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

Multi AV Scanner detection for domain / URL

Show sources

Source: www.thesocialmediacreator.com/i638/

Virustotal: Detection: 5%

Perma Link

Machine Learning detection for sample

Show sources

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Joe Sandbox ML: detected

Source: 1.2.nongrav.exe.560000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.svchost.exe.3f3796c.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.svchost.exe.3214020.1.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wextract.pdb source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source:	Binary string: wntdll.pdbUGP source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source:	Binary string: wextract.pdbPp source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source:	Binary string: svchost.pdb source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source:	Binary string: svchost.pdbUGP source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F321E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4x nop then pop esi

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.thesocialmediacreator.com/i638/

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-ao-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837

Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp

String found in binary or memory: https://drive.google.com/uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-ao-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2

Source: nongrav.exe, 00000001.00000002.507440632.00000000006BA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Code function: 0_2_00F35B88
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_004015E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAD227
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA9248
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA8F8B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA969B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAA67E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA8049
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAB7B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA01F8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAC112
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00408C6B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00408C70
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB922AE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB92EF7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE6E30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFEBB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB91FF1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8DBD2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB92B28
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF20A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB920A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADB090
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB928EC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD841F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81002
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF2581
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADD5E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB925DD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC0D20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACF900
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB92D07
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB91D55
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5EBB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A46E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A20D20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A44120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2F900
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF1D55
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3B090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1002
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3841F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3D1FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3C944
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D22FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D28C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D28C6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D22D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D22D87

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Code function: String function: 1EACB150 appears 35 times

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA9248 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AACBBD NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00418680 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_004185D0 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_004187B0 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_0041867C NtCreateFile,NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00418622 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_004185CD NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_004187AA NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB096E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB097A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB098F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB099A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB096D0 NtCreateKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09610 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09670 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09650 NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0A710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0A770 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09770 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09760 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB098A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0B040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB095F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB099D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB095D0 NtClose,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0AD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_005279BE LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00527AB1 Sleep,NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_005279B9 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00527AE7 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A696D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A695D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69760 NtOpenProcess,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6A770 NtOpenThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69A20 NtResumeThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69A10 NtQuerySection,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A695F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69560 NtWriteFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A698F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D38680 NtReadFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D387B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D38700 NtClose,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D385D0 NtCreateFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3867C NtCreateFile,NtReadFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D38622 NtCreateFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D387AA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D385CD NtCreateFile,

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 61538 bytes, 1 file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Process Stats: CPU usage > 98%

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Binary or memory string: OriginalFilename vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000003.294702939.000000000343E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenongrav.exe vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000000.293866460.0000000000F3A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nongrav.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Metadefender: Detection: 14%
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	ReversingLabs: Detection: 26%

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: unknown	Process created: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/1@2/2

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F35849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F33E45 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_01

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F34E80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Command line argument: Kernel32.dll

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source:	Binary string: wntdll.pdbUGP source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source:	Binary string: wextract.pdbPp source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source:	Binary string: svchost.pdb source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source:	Binary string: svchost.pdbUGP source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp

Data Obfuscation:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation: