
Windows Analysis Report: Nova narudzba u prilogu.exe

Overview

General Information

Sample Name: Nova narudzba u prilogu.exe
Analysis ID: 553139
MD5: 97d7bf836142b0ebb1ebfc1a4173dc9d
SHA1: dc734d5d74bee644fb1028ede0adcd34be3f98f8
SHA256: feb40c343aa65f5f5c0a32443535effa22652067c576416857e4d7280ce85e11
Tags: exe, Formbook, geo, HRV

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Nova narudzba u prilogu.exe (PID: 7148 cmdline: "C:\Users\user\Desktop\Nova narudzba u prilogu.exe" MD5: 97D7BF836142B0EBB1EBFC1A4173DC9D)
    • DpiScaling.exe (PID: 6104 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Ajshkennyc.exe (PID: 6912 cmdline: "C:\Users\user\Contacts\Ajshkennyc.exe" MD5: 97D7BF836142B0EBB1EBFC1A4173DC9D)
          • DpiScaling.exe (PID: 2240 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
        • Ajshkennyc.exe (PID: 6980 cmdline: "C:\Users\user\Contacts\Ajshkennyc.exe" MD5: 97D7BF836142B0EBB1EBFC1A4173DC9D)
          • logagent.exe (PID: 5752 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
        • colorcpl.exe (PID: 5364 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 5028 cmdline: /c del "C:\Windows\SysWOW64\DpiScaling.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 6744 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 1836 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.finetipster.com/pvxz/"], "decoy": ["imt-token.club", "abravewayocen.online", "shcloudcar.com", "mshoppingworld.online", "ncgf08.xyz", "stuinfo.xyz", "wesavetheplanetofficial.com", "tourbox.xyz", "believeinyourselftraining.com", "jsboyat.com", "aaeconomy.info", "9etmorea.info", "purosepeti7.com", "goticketly.com", "pinkmemorypt.com", "mylifewellnesscentre.com", "iridina.online", "petrestore.online", "neema.xyz", "novelfooditalia.com", "enterprisedaas.computer", "tzkaxh.com", "brainfarter.com", "youniquegal.com", "piiqrio.com", "mdaszb.com", "boldmale.com", "era636.com", "castleinsuranceco.com", "woodennickelmusicfortwayne.com", "customer-servis-kredivo.com", "high-clicks.com", "greetwithgadgets.com", "hfsd1.com", "insureagainstearthquakes.net", "ultimatejump.rest", "parivartanyogeshstore.com", "handmanagementblog.com", "meishangtianhua.com", "michaelscottinsurance.net", "kershoes.com", "atomiccharmworks.com", "conciergecompare.com", "zeal-hashima.com", "coachianscott.com", "hwkm.net", "019skz.xyz", "jardingenesis.com", "sumikkoremon.com", "tjpengyun.com", "sectionpor.xyz", "46t.xyz", "sa-pontianak.com", "localproperty.team", "dotexposed.com", "cis136-tgarza.com", "eiestilo.com", "youknowhowtolive.com", "phalcosnusa.com", "qaticv93iy.com", "hbjngs.com", "ocean-nettoyage.com", "jenuwinclothes.net", "anadoluatvoffroad.com"]}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
Source: C:\Users\user\Contacts\cynnekhsjA.url | Rule: Methodology_Shortcut_HotKey | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0x58:$hotkey: \x0AHotKey=2
  • 0x0:$url_explicit: [InternetShortcut]
Source: C:\Users\user\Contacts\cynnekhsjA.url | Rule: Methodology_Contains_Shortcut_OtherURIhandlers | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 0000000F.00000000.810820140.0000000072480000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0000000F.00000000.810820140.0000000072480000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000000F.00000000.810820140.0000000072480000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x16ab9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bcc:$sqlite3step: 68 34 1C 7B E1
  • 0x16ae8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c0d:$sqlite3text: 68 38 2A 90 C5
  • 0x16afb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000010.00000002.980408969.0000000002C60000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000010.00000002.980408969.0000000002C60000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 15.0.DpiScaling.exe.72480000.2.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 15.0.DpiScaling.exe.72480000.2.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 15.0.DpiScaling.exe.72480000.2.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x16ab9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bcc:$sqlite3step: 68 34 1C 7B E1
  • 0x16ae8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c0d:$sqlite3text: 68 38 2A 90 C5
  • 0x16afb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
Source: 5.0.DpiScaling.exe.72480000.3.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 5.0.DpiScaling.exe.72480000.3.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 1836

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0000000F.00000000.810820140.0000000072480000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (same C2 list and decoy list as shown under Malware Configuration)
Multi AV Scanner detection for submitted file
Source: Nova narudzba u prilogu.exe, ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000F.00000000.810820140.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.980408969.0000000002C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.826394913.0000000004B90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000000.772008503.000000000E9DF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.714097353.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.979059154.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000000.749509351.000000000E9DF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000014.00000000.836253520.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.860879140.0000000000E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000000.810315428.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.864516356.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000000.811363392.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.714755943.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.860188435.0000000000E60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000014.00000002.844946988.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.714442633.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.980367511.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000000.811926457.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.713760138.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.826540547.0000000004BF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.830080872.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000014.00000000.835723366.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000016.00000002.863247728.0000000003280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000014.00000000.836796283.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000014.00000000.837305764.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.finetipster.com/pvxz/, Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Contacts\Ajshkennyc.exe, Virustotal: Detection: 27%
Source: C:\Users\user\Contacts\Ajshkennyc.exe, ReversingLabs: Detection: 32%
Machine Learning detection for sample
Source: Nova narudzba u prilogu.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\Contacts\Ajshkennyc.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 26.2.explorer.exe.bc3796c.1.unpack, Avira: Label: TR/Patched.Ren.Gen8
Source: 15.0.DpiScaling.exe.72480000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.DpiScaling.exe.72480000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.DpiScaling.exe.72480000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.0.logagent.exe.72480000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.colorcpl.exe.2a94670.1.unpack, Avira: Label: TR/Patched.Ren.Gen8
Source: 20.0.logagent.exe.72480000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.DpiScaling.exe.72480000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.DpiScaling.exe.72480000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.DpiScaling.exe.72480000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.0.explorer.exe.bc3796c.1.unpack, Avira: Label: TR/Patched.Ren.Gen8
Source: 20.0.logagent.exe.72480000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.colorcpl.exe.4ce796c.4.unpack, Avira: Label: TR/Patched.Ren.Gen8
Source: 20.0.logagent.exe.72480000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.DpiScaling.exe.72480000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.DpiScaling.exe.72480000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.2.DpiScaling.exe.72480000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.2.logagent.exe.72480000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.DpiScaling.exe.72480000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: Nova narudzba u prilogu.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown, HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: Binary string: colorcpl.pdbGCTL, source: DpiScaling.exe, 00000005.00000002.829989653.00000000053A0000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb, source: DpiScaling.exe, 00000005.00000002.829989653.00000000053A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: DpiScaling.exe, 00000005.00000002.827879975.000000000504F000.00000040.00000001.sdmp, DpiScaling.exe, 00000005.00000002.827366166.0000000004F30000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: DpiScaling.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.finetipster.com/pvxz/
Source: Joe Sandbox View, IP Address: 162.159.135.233
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown, Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown, DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic, HTTP traffic detected: GET /attachments/909752051695775778/931434691809124392/Ajshkennychvrlvyqvxklxbhfqfzgvr HTTP/1.1 | User-Agent: lVali | Host: cdn.discordapp.com
Source: global traffic, HTTP traffic detected: GET /attachments/909752051695775778/931434691809124392/Ajshkennychvrlvyqvxklxbhfqfzgvr HTTP/1.1 | User-Agent: 88 | Host: cdn.discordapp.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /attachments/909752051695775778/931434691809124392/Ajshkennychvrlvyqvxklxbhfqfzgvr HTTP/1.1 | User-Agent: 42 | Host: cdn.discordapp.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /attachments/909752051695775778/931434691809124392/Ajshkennychvrlvyqvxklxbhfqfzgvr HTTP/1.1 | User-Agent: 60 | Host: cdn.discordapp.com | Cache-Control: no-cache
Source: unknown, HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49779 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match