Windows Analysis Report SecuriteInfo.com.Variant.Bulz.785643.17886.29229

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Bulz.785643.17886.29229 (renamed file extension from 29229 to exe)
Analysis ID:	552971
MD5:	83ac585e99b527eeb278702f8f711568
SHA1:	a576a927b067c94cdbc1e7b353f60577f5b310f9
SHA256:	9e2502b3945f31482623e8e61dcb85b9ebb7d9a4244d9074fa289596c9da513e
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Virustotal: Detection: 43%			Perma Link
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	ReversingLabs: Detection: 43%

Yara detected FormBook

Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Avira: detected

Antivirus detection for URL or domain

Source: www.topeasyip.company/i5nb/

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302556621.0000000001980000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 4x nop then pop esi		12_2_0041584D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 4x nop then pop edi		12_2_004162F6

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.topeasyip.company/i5nb/

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.305823260.00000000073E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302319122.00000000014EB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.45332e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.44dc2c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.299984624.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.302341566.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.300583047.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D8122	0_2_014D8122
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D6A08	0_2_014D6A08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D6D2E	0_2_014D6D2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D7E10	0_2_014D7E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D6D72	0_2_014D6D72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_014D7271	0_2_014D7271
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00401030	12_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041C95A	12_2_0041C95A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041C96E	12_2_0041C96E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041D128	12_2_0041D128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041C38D	12_2_0041C38D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041BB9E	12_2_0041BB9E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00408C90	12_2_00408C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00402D8A	12_2_00402D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00402D90	12_2_00402D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041BF8B	12_2_0041BF8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00402FB0	12_2_00402FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BC1C0	12_2_019BC1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C4120	12_2_019C4120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BB090	12_2_019BB090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A720A8	12_2_01A720A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D20A0	12_2_019D20A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A660F5	12_2_01A660F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D701D	12_2_019D701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A61002	12_2_01A61002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D138B	12_2_019D138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A523E3	12_2_01A523E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A603DA	12_2_01A603DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CA309	12_2_019CA309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6231B	12_2_01A6231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C3360	12_2_019C3360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A722AE	12_2_01A722AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A732A9	12_2_01A732A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AC2C3	12_2_019AC2C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6E2C5	12_2_01A6E2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB236	12_2_019CB236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D2581	12_2_019D2581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D65A0	12_2_019D65A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A725DD	12_2_01A725DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019BD5E0	12_2_019BD5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A64496	12_2_01A64496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B841F	12_2_019B841F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C2430	12_2_019C2430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6D466	12_2_01A6D466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019CB477	12_2_019CB477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A667E2	12_2_01A667E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019D06C0	12_2_019D06C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C5600	12_2_019C5600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A6D616	12_2_01A6D616
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019A9660	12_2_019A9660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C2990	12_2_019C2990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019C99BF	12_2_019C99BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019B1915	12_2_019B1915
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019AF900	12_2_019AF900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_01A728EC	12_2_01A728EC

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: String function: 019AB150 appears 103 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: String function: 01A35720 appears 65 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: String function: 019FD08C appears 32 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_004185F0 NtCreateFile,	12_2_004185F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_004186A0 NtReadFile,	12_2_004186A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00418720 NtClose,	12_2_00418720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_004187D0 NtAllocateVirtualMemory,	12_2_004187D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00418642 NtCreateFile,	12_2_00418642
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041869D NtReadFile,	12_2_0041869D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041871A NtClose,	12_2_0041871A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_004187CB NtAllocateVirtualMemory,	12_2_004187CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E96E0 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_019E96E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9660 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_019E9660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9860 NtQuerySystemInformation,LdrInitializeThunk,	12_2_019E9860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019EB040 NtSuspendThread,	12_2_019EB040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019EA3B0 NtGetContextThread,	12_2_019EA3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E95D0 NtClose,	12_2_019E95D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E95F0 NtQueryInformationFile,	12_2_019E95F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9520 NtWaitForSingleObject,	12_2_019E9520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9540 NtReadFile,	12_2_019E9540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9560 NtWriteFile,	12_2_019E9560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9780 NtMapViewOfSection,	12_2_019E9780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E97A0 NtUnmapViewOfSection,	12_2_019E97A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9710 NtQueryInformationToken,	12_2_019E9710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019EA710 NtOpenProcessToken,	12_2_019EA710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9730 NtQueryVirtualMemory,	12_2_019E9730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019EA770 NtOpenThread,	12_2_019EA770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9770 NtSetInformationFile,	12_2_019E9770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9760 NtOpenProcess,	12_2_019E9760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E96D0 NtCreateKey,	12_2_019E96D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9610 NtEnumerateValueKey,	12_2_019E9610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9650 NtQueryValueKey,	12_2_019E9650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9670 NtQueryInformationProcess,	12_2_019E9670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E99A0 NtCreateSection,	12_2_019E99A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E99D0 NtCreateProcessEx,	12_2_019E99D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9910 NtAdjustPrivilegesToken,	12_2_019E9910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E9950 NtQueueApcThread,	12_2_019E9950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E98A0 NtWriteVirtualMemory,	12_2_019E98A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019E98F0 NtReadVirtualMemory,	12_2_019E98F0

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302319122.00000000014EB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000000.278924225.0000000000D62000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegetDeviceClaimsd.exe8 vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.303196855.0000000004399000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.306336909.0000000007930000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.302747431.0000000001A9F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000000.298139804.0000000000F92000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegetDeviceClaimsd.exe8 vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 0000000C.00000002.303018064.0000000001C2F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Binary or memory string: OriginalFilenamegetDeviceClaimsd.exe8 vs SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Virustotal: Detection: 43%
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe	ReversingLabs: Detection: 43%

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.d60000.0.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.d60000.0.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.3.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.1.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.2.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.0.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.7.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.9.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.1.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.SecuriteInfo.com.Variant.Bulz.785643.17886.exe.f90000.5.unpack, u0005u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 0_2_00D6E0EF push esp; iretd	0_2_00D6E0F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041B842 push eax; ret	12_2_0041B848
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041B84B push eax; ret	12_2_0041B8B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_004188F2 push ds; ret	12_2_004188F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041B8AC push eax; ret	12_2_0041B8B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00416109 push cs; iretd	12_2_0041610A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00415237 pushfd ; iretd	12_2_00415238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_0041B7F5 push eax; ret	12_2_0041B848
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_00F9E0EF push esp; iretd	12_2_00F9E0F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Code function: 12_2_019FD0D1 push ecx; ret	12_2_019FD0E4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302962488.00000000033D3000.00000004.00000001.sdmp, SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe TID: 7132	Thread sleep time: -37702s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe TID: 4784	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Thread delayed: delay time: 37702			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.785643.17886.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Variant.Bulz.785643.17886.exe, 00000000.00000002.302905715.0000000003391000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

ID:	552971
Product:	CloudBasic
Start time:	00:16:43
Start date:	14.01.2022
Sample:	SecuriteInfo.com.Variant.Bulz.785643.17886.29229
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	83ac585e99b527eeb278702f8f711568
SHA1:	a576a927b067c94cdbc1e7b353f60577f5b310f9
SHA256:	9e2502b3945f31482623e8e61dcb85b9ebb7d9a4244d9074fa289596c9da513e
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report SecuriteInfo.com.Variant.Bulz.785643.17886.29229

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted URLs