
Windows Analysis Report IMG-000284794.exe

Overview

General Information

Sample Name: IMG-000284794.exe
Analysis ID: 553254
MD5: abd28466f7cb80d6da36fed9f3e6bef4
SHA1: fb2911028f32b2b3c07004a21e84773e3efd1519
SHA256: 5686f840b9b2834952367cd9c37ec4c8385bcc90348dd3a92e488c0faebed85a
Tags: exexloader

Detection

FormBook
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • IMG-000284794.exe (PID: 964 cmdline: "C:\Users\user\Desktop\IMG-000284794.exe" MD5: ABD28466F7CB80D6DA36FED9F3E6BEF4)
    • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_regbrowsers.exe (PID: 6112 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
      • WerFault.exe (PID: 5516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.129qihu.com/c6si/"], "decoy": ["tristateinc.construction", "americanscaregroundstexas.com", "kanimisoshiru.com", "wihling.com", "fishcheekstosa.com", "parentsfuid.com", "greenstandmarket.com", "fc8fla8kzq.com", "gametwist-83.club", "jobsncvs.com", "directrealtysells.com", "avida2015.com", "conceptasite.net", "arkaneattire.com", "indev-mobility.info", "2160centurypark412.com", "valefloor.com", "septembership.com", "stackflix.com", "jimc0sales.net", "socialviralup.com", "lastra41.com", "juliaepaulovaocasar.com", "jurisagora.com", "drawandgrow.online", "rebekahlouise.com", "herport-fr.com", "iphone13.webcam", "appz-one.net", "inpost-pl.net", "promocion360fitness.com", "global-forbes.biz", "diamondtrade.net", "albertcantos.com", "gtgits.com", "travel-ai.online", "busipe6.com", "mualikesubvn.com", "niftyhandy.com", "docprops.com", "lido88.bet", "baywoodphotography.com", "cargosouq.info", "newsnowlive.online", "floridafishingoverboard.com", "missnikissalsa.net", "walletvalidate.space", "kissimmeeinternationalcup.com", "charterhome.school", "gurujupiter.com", "entertainmentwitchy.com", "jokeaou.com", "sugarmountainfirearms.com", "iss-sa.com", "smittyssierra.com", "freedomoff.com", "giftoin.com", "realitystararmwrestling.com", "salsalunch-equallyage.com", "ladouba.com", "thepropertygoat.com", "bestofmerrick.guide", "4the.top", "regioinversiones.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
• 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
• 0x16ac9:$sqlite3step: 68 34 1C 7B E1
• 0x16bdc:$sqlite3step: 68 34 1C 7B E1
• 0x16af8:$sqlite3text: 68 38 2A 90 C5
• 0x16c1d:$sqlite3text: 68 38 2A 90 C5
• 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
• 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
• 0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x7992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x136a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x13191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x137a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1391f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x83aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1240c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x9122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x18b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x19c3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
16.0.aspnet_regbrowsers.exe.600000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
16.0.aspnet_regbrowsers.exe.600000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
• 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
16.0.aspnet_regbrowsers.exe.600000.2.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
• 0x15cc9:$sqlite3step: 68 34 1C 7B E1
• 0x15ddc:$sqlite3step: 68 34 1C 7B E1
• 0x15cf8:$sqlite3text: 68 38 2A 90 C5
• 0x15e1d:$sqlite3text: 68 38 2A 90 C5
• 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
• 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
• 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: IMG-000284794.exe | Virustotal: Detection: 34%
Yara detected FormBook
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: IMG-000284794.exe | Joe Sandbox ML: detected
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: IMG-000284794.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wkernel32.pdb | source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb | source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1530308638\un_priv\bonkersV2\obj\Release\bonkersV2.pdb | source: IMG-000284794.exe
Source: Binary string: wntdll.pdbk | source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.129qihu.com/c6si/
Source: Amcache.hve.19.dr | String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: IMG-000284794.exe, bonkers/Program.cs | Large array initialization: .cctor: array initializer size 77824
Source: IMG-000284794.exe, bonkers/Program.cs | Large array initialization: .cctor: array initializer size 223232
Source: 0.0.IMG-000284794.exe.760000.0.unpack, bonkers/Program.cs | Large array initialization: .cctor: array initializer size 77824
Source: 0.0.IMG-000284794.exe.760000.0.unpack, bonkers/Program.cs | Large array initialization: .cctor: array initializer size 223232
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: IMG-000284794.exe, 00000000.00000000.235385293.0000000000762000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamebonkersV2.exe4 vs IMG-000284794.exe
Source: IMG-000284794.exe | Binary or memory string: OriginalFilenamebonkersV2.exe4 vs IMG-000284794.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 176
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process Stats: CPU usage > 98%
Source: IMG-000284794.exe | Virustotal: Detection: 34%
Source: IMG-000284794.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IMG-000284794.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\IMG-000284794.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\IMG-000284794.exe "C:\Users\user\Desktop\IMG-000284794.exe"
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 176
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6112
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
Source: C:\Users\user\Desktop\IMG-000284794.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG-000284794.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER52C0.tmp
Source: classification engine | Classification label: mal96.troj.evad.winEXE@5/7@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: IMG-000284794.exe | Static file information: File size 1211392 > 1048576
Source: IMG-000284794.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: IMG-000284794.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: IMG-000284794.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x127200
Source: IMG-000284794.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: IMG-000284794.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1530308638\un_priv\bonkersV2\obj\Release\bonkersV2.pdb source: IMG-000284794.exe
          Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
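          The process-creation evidence above shows the .NET loader on the user's Desktop spawning C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe with no arguments (it then writes a PE into that process, see the injection section below). Outside an installer run that utility has no reason to start bare under a parent in a user-writable path, which makes the pair of conditions a cheap process-tree detection. The Python below is an added example, not part of the Joe Sandbox report, that applies the check to Sysmon-style Event ID 1 records. The events are constructed to mirror this report's process tree; the explorer.exe and msiexec.exe parents are assumed, as the report does not name them.

```python
"""Flag a .NET Framework utility spawned bare by a parent in a user-writable path."""
import json
import re
from typing import Dict, List

# Locations an unprivileged user can write to: a parent living here is a loader, not an installer.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(desktop|downloads|documents|appdata)\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)
# Executables that ship in the .NET Framework directory (aspnet_regbrowsers.exe among them).
FRAMEWORK_TOOL = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[0-9.]+\\[^\\]+\.exe$",
    re.IGNORECASE,
)


def has_no_arguments(command_line: str, image: str) -> bool:
    """True when the command line is only the image path, quoted or bare."""
    return command_line.strip().strip('"').lower() == image.lower()


def classify(event: Dict) -> List[str]:
    """Reasons a Sysmon Event ID 1 record looks like a hollowed framework tool."""
    reasons: List[str] = []
    image = event.get("Image", "")
    if not FRAMEWORK_TOOL.match(image):
        return reasons
    if USER_WRITABLE.match(event.get("ParentImage", "")):
        reasons.append("parent runs from a user-writable path")
    if has_no_arguments(event.get("CommandLine", ""), image):
        reasons.append("launched without arguments")
    return reasons


def scan(jsonl_events: List[str]) -> List[Dict]:
    """Parse JSON-lines events; report processes that trip both checks."""
    findings = []
    for line in jsonl_events:
        event = json.loads(line)
        if event.get("EventID") != 1:
            continue
        reasons = classify(event)
        if len(reasons) == 2:  # requiring both signals keeps legitimate installer runs out
            findings.append({"pid": event["ProcessId"], "image": event["Image"],
                             "parent": event["ParentImage"], "reasons": reasons})
    return findings


# Constructed events mirroring the report's process tree (explorer.exe and msiexec.exe
# parents are assumed; the report does not name them).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "ProcessId": 964,
                "Image": r"C:\Users\user\Desktop\IMG-000284794.exe",
                "CommandLine": r'"C:\Users\user\Desktop\IMG-000284794.exe"',
                "ParentImage": r"C:\Windows\explorer.exe"}),
    json.dumps({"EventID": 1, "ProcessId": 6112,
                "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe",
                "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe",
                "ParentImage": r"C:\Users\user\Desktop\IMG-000284794.exe"}),
    # Benign comparison: the same tool with its -i switch, run by the Windows Installer.
    json.dumps({"EventID": 1, "ProcessId": 4100,
                "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe",
                "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" -i',
                "ParentImage": r"C:\Windows\System32\msiexec.exe"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['image']} <- {f['parent']}: {'; '.join(f['reasons'])}")
```

          Only the second event is reported; the msiexec.exe-driven run fails both conditions. In a real pipeline the same two predicates map directly onto a SIEM query over Image, ParentImage and CommandLine, and the WerFault.exe child seen later in this report (-p 6112) is a useful corroborating signal that the hollowed host crashed.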

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: IMG-000284794.exe, bonkers/Program.cs | .Net Code: hselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.IMG-000284794.exe.760000.0.unpack, bonkers/Program.cs | .Net Code: hselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: IMG-000284794.exe | Static PE information: 0xE045D3C7 [Sat Mar 26 10:49:43 2089 UTC]
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Process information set: NOOPENFILEERRORBOX (16 occurrences)
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
          Source: C:\Users\user\Desktop\IMG-000284794.exe TID: 4344 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
          The VMware and Hyper-V strings below were read from Amcache.hve, the application-compatibility hive recorded in this report as modified by WerFault.exe (process 19); they describe the analysis VM's own hardware inventory and are not strings carried by the sample, so they do not show the sample fingerprinting virtual machines.
          Source: Amcache.hve.19.dr | Binary or memory string: VMware
          Source: Amcache.hve.19.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
          Source: Amcache.hve.19.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
          Source: Amcache.hve.19.dr | Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.19.dr | Binary or memory string: VMware, Inc.
          Source: Amcache.hve.19.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
          Source: Amcache.hve.19.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.19.dr | Binary or memory string: VMware7,1
          Source: Amcache.hve.19.dr | Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.19.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.19.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.19.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.19.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.19.dr | Binary or memory string: VMware, Inc.me
          Source: Amcache.hve.19.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
          Source: Amcache.hve.19.dr | Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
          Source: Amcache.hve.19.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 600000
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 601000
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 410008
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 600000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Queries volume information: C:\Users\user\Desktop\IMG-000284794.exe VolumeInformation
          Source: C:\Users\user\Desktop\IMG-000284794.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          The msmpeng.exe strings below likewise come from Amcache.hve (recorded as modified by WerFault.exe, process 19), not from the sample: they are the analysis host's own Windows Defender inventory rather than an AV process list carried by the malware.
          Source: Amcache.hve.19.dr | Binary or memory string: msmpeng.exe
          Source: Amcache.hve.19.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
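          The "Memory written ... base: 600000 value starts with: 4D5A" record above is the point at which the payload can be carved: the bytes the loader writes at 0x600000 in aspnet_regbrowsers.exe are a complete PE image, the same image the unpacked-file YARA matches refer to. The Python below is an added example, not part of the Joe Sandbox report, that validates such a buffer once read back (from a minidump, a debugger or ReadProcessMemory), lists its sections and decodes IMAGE_FILE_HEADER.TimeDateStamp, which for this sample is 0xE045D3C7 (the 2089 date behind the "suspicious time stamp" signature). One caveat on that signature: compilers building in deterministic mode, the default for current .NET project templates, store a content hash with the high bit set in that field, so a far-future date on a managed binary is weak evidence on its own. The region bytes here are a constructed stand-in (a minimal PE header set carrying the report's timestamp), not the FormBook payload.

```python
"""Carve a PE image out of bytes written into a host process and sanity-check its header."""
import datetime as dt
import struct
from typing import Dict, List, Optional

EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)


def build_minimal_pe(timestamp: int, section_names: List[str]) -> bytes:
    """Construct a bare PE32 header set (DOS header, NT headers, section table) for testing."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, 0xE0, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(0xE0, b"\x00")  # PE32 magic, remaining fields zero
    sections = b""
    for i, name in enumerate(section_names):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        sections += name.encode().ljust(8, b"\x00") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + file_hdr + opt_hdr + sections


def parse_pe(region: bytes, offset: int = 0) -> Dict:
    """Parse the PE headers at `offset`; raise ValueError if the bytes are not a PE image."""
    if region[offset:offset + 2] != b"MZ" or offset + 0x40 > len(region):
        raise ValueError("no usable DOS header at %#x" % offset)
    e_lfanew = struct.unpack_from("<I", region, offset + 0x3C)[0]
    pe = offset + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(region) or region[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("e_lfanew %#x does not lead to a PE signature" % e_lfanew)
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", region, pe + 4)
    sec_off = pe + 24 + opt_size
    if nsec > 96 or sec_off + 40 * nsec > len(region):
        raise ValueError("implausible section table")
    sections = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", region, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"), "va": va, "vsize": vsize})
    return {"machine": machine, "timestamp": ts, "characteristics": chars, "sections": sections}


def find_pe_images(region: bytes) -> List[int]:
    """Offsets of every 'MZ' that actually parses as a PE; stray MZ bytes are skipped."""
    hits, pos = [], region.find(b"MZ")
    while pos != -1:
        try:
            parse_pe(region, pos)
            hits.append(pos)
        except ValueError:
            pass
        pos = region.find(b"MZ", pos + 1)
    return hits


def check_timestamp(ts: int, now: Optional[dt.datetime] = None) -> Dict:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp and flag what a triage note should record."""
    when = EPOCH + dt.timedelta(seconds=ts)
    now = now or dt.datetime.now(dt.timezone.utc)
    return {
        "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "in_future": when > now,
        # Deterministic .NET builds store a content hash here with the high bit set, so a
        # post-2038 date on a managed binary is not by itself evidence of tampering.
        "high_bit_set": bool(ts & 0x80000000),
    }


def summarise(region: bytes, base: int = 0x600000) -> List[Dict]:
    """One record per carved image, addressed as the host process sees it."""
    out = []
    for off in find_pe_images(region):
        hdr = parse_pe(region, off)
        out.append({"address": base + off, "machine": hdr["machine"],
                    "sections": [s["name"] for s in hdr["sections"]],
                    "timestamp": check_timestamp(hdr["timestamp"])})
    return out


# Constructed stand-in for the bytes read back from 0x600000: padding, a stray "MZ" that is
# not a PE, then a minimal PE carrying the report's timestamp 0xE045D3C7. Not the real payload.
SAMPLE_REGION = (b"\x00" * 0x80 + b"MZ\x90\x90" + b"\x00" * 0x7C
                 + build_minimal_pe(0xE045D3C7, [".text", ".rsrc", ".reloc"]))

if __name__ == "__main__":
    for rec in summarise(SAMPLE_REGION):
        print("PE at %#x machine=%#x sections=%s timestamp=%s" % (
            rec["address"], rec["machine"], rec["sections"], rec["timestamp"]))
```

          The stray "MZ" at offset 0x80 is rejected because its e_lfanew does not lead to a PE signature, which is the check that keeps a raw byte-pattern scan from producing a false carve; the real header at 0x100 reports as address 0x600100 with the 2089 timestamp and the high bit set.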

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          One tactic column per line; the digits in parentheses are the report's superscript markers on the techniques that matched signatures.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
          Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Privilege Escalation: Process Injection (211); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Software Packing (11); Process Injection (211); Timestomp (1)
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
          Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (31); System Information Discovery (11); Remote System Discovery (1); Remote System Discovery; System Owner/User Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
          Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Command and Control: Application Layer Protocol (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
          Impact: Modify System Partition; Device Lockout; Delete Device Data

          Behavior Graph

          [Behavior graph image; ID: 553254, Sample: IMG-000284794.exe, Startdate: 14/01/2022, Architecture: WINDOWS, Score: 96]
          • Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
          • IMG-000284794.exe started; dropped C:\Users\user\...\IMG-000284794.exe.log (ASCII); signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
          • IMG-000284794.exe started aspnet_regbrowsers.exe and conhost.exe
          • aspnet_regbrowsers.exe started WerFault.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          IMG-000284794.exe | 35% | Virustotal
          IMG-000284794.exe | 11% | Metadefender
          IMG-000284794.exe | 100% | Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          16.0.aspnet_regbrowsers.exe.600000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          16.0.aspnet_regbrowsers.exe.600000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          16.0.aspnet_regbrowsers.exe.600000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          16.0.aspnet_regbrowsers.exe.600000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          16.0.aspnet_regbrowsers.exe.600000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          16.2.aspnet_regbrowsers.exe.600000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          www.129qihu.com/c6si/ | 0% | Virustotal
          www.129qihu.com/c6si/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.129qihu.com/c6si/ | true | 0% (Virustotal); Avira URL Cloud: safe | low

          URLs from Memory and Binaries

          Name | Source | Malicious | Reputation
          http://upx.sf.net | Amcache.hve.19.dr | false | high

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:34.0.0 Boulder Opal
            Analysis ID:553254
            Start date:14.01.2022
            Start time:15:06:26
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 6m 1s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:IMG-000284794.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:22
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal96.troj.evad.winEXE@5/7@0/0
            EGA Information:Failed
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            Show All
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.189.173.20
            • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, tile-service.weather.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            15:08:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regbrowse_f95c31a2fdc9c125db8ce65728fe31536eece7ae_029cb4bf_1487ecfd\Report.wer
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):65536
            Entropy (8bit):0.6509921914164435
            Encrypted:false
            SSDEEP:96:5XF4wjjVZ4qboI7Rm6tpXIQcQvc6QcEDMcw3DSUN+HbHsZAXGng5FMTPSkvPkpX5:ZtjjVXHBUZMXojl/u7skS274ItER
            MD5:5EFCD7407CCB68F5E1600CA700B71B7B
            SHA1:9E23AF958536F4686D7E2E7137AADFEA33808E72
            SHA-256:08067088893A6E1F716B87FFED7D5F8678293802C5B5C36602BAD2AD0B584CAE
            SHA-512:E8AB39C39E29B7E057AE2DAC6B668823A9748CCF5DDF5E114C85D5BF4868C8367A1108EC0C1273E0A079F8E41DB11B559DDF7254166FA923EDE608A2FF230C51
            Malicious:false
            Reputation:low
            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.7.5.3.0.4.1.5.7.5.9.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.6.7.5.3.1.2.1.1.0.7.2.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.3.9.3.b.9.7.-.a.6.c.9.-.4.d.2.4.-.b.b.d.5.-.a.9.a.d.a.7.0.5.c.b.9.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.7.2.7.e.2.e.-.b.c.b.3.-.4.e.4.6.-.b.c.e.6.-.d.9.8.f.8.0.d.7.8.c.a.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.p.n.e.t._.r.e.g.b.r.o.w.s.e.r.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.p.n.e.t._.r.e.g.b.r.o.w.s.e.r.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.e.0.-.0.0.0.1.-.0.0.1.6.-.3.d.1.3.-.d.1.9.e.9.b.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.f.6.2.e.c.c.c.d.c.d.8.b.8.9.1.7.7.a.6.a.d.
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER52C0.tmp.dmp
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Fri Jan 14 23:08:24 2022, 0x1205a4 type
            Category:dropped
            Size (bytes):18530
            Entropy (8bit):2.065770230992707
            Encrypted:false
            SSDEEP:96:5T8E8//48ihXZi7wG+4Nq52fnlruzqPpUlWInWIHOIx0+TL:qf48ihXZOG52fnlC2pUx0
            MD5:976AB1615F5656EF1055D4657F8E0A4D
            SHA1:3BF1FBE0A826781DB73CCE8691859300D7A6A192
            SHA-256:182DFD5996EF301F00E42D7F6EECE00542CD533F7E6469F4D74884A13E0CCB85
            SHA-512:04C9FD520A6D3225FB0A559BBD75F938DB451025A17BEA89C4B4CAEE236FE86C47355D1219DCDA053CA09C575630F58EE2AB9EBB21E56CD301320286568ADF1D
            Malicious:false
            Reputation:low
            Preview: MDMP....... .......h..a............4...............<.......D...............T.......8...........T...........h....@...........................................................................................U...........B......t.......GenuineIntelW...........T...........c..a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER56D8.tmp.WERInternalMetadata.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):8388
            Entropy (8bit):3.6918681097319936
            Encrypted:false
            SSDEEP:192:Rrl7r3GLNiof686Yx46V/gmfnScCprm89bq6rsfyum:RrlsNiA686Y+6V/gmfnSLq6wfS
            MD5:41619F79F56F0C337AB8AC0BF82C97B0
            SHA1:F364E1838497D9579435AFA7B3DBE2A654BB766F
            SHA-256:534FD25188DDD54DBDFB47C1E2455949DCF00ECEBB760142343D5B6AA7E4BC10
            SHA-512:0FC0B4A1FED28C11E7DE8E95C28EE6DC25FC883C0175B04C0941F5545CE12D567613C956EB1F1ECD3348E07FD75811EDC53DB5A3C3E03FE67DBC3875729F4634
            Malicious:false
            Reputation:low
            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.1.2.<./.P.i.d.>.......
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER5AC1.tmp.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4827
            Entropy (8bit):4.488511864546086
            Encrypted:false
            SSDEEP:48:cvIwSD8zsHJgtWI9d5WSC8Bds8fm8M4J3NjMFwZ+q8vfNjKIZDX0d:uITfp6ISN9J3BhKfBKIVX0d
            MD5:98A255139FE144A352AAB322A336A659
            SHA1:8EE696116C940258519C8E79B0054266776B32C8
            SHA-256:ABAEA5F01D9AAE87CB7B4B472DA35D2B6A4F8D2FA51334E3E6FD12F74C7E4845
            SHA-512:7A12D3C5F8061593D71E390341D9261621C8BAEFBFF387197BF3E52081A2DB6F7E54BFBB9C8A93C4AFA0BFB43D19A50B6558BD2E27A572F4D61B46DAF7F5BA71
            Malicious:false
            Reputation:low
            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342579" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG-000284794.exe.log
            Process:C:\Users\user\Desktop\IMG-000284794.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):522
            Entropy (8bit):5.348034597186669
            Encrypted:false
            SSDEEP:12:Q3La/KDLI4MWuPk21t92n4M9XKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2f84qXKDE4KhK3VZ9pKhk
            MD5:2BB2F12BA5748B56A733B09151565321
            SHA1:3D3EC51320B4BD72C20E5472FBA4675B5BD7E550
            SHA-256:4114743647967ADE8811D6824ABC4C9ABD4EF0177A0082BACEBFC70C53EE3B16
            SHA-512:84B7D2949FC3E4900A2F74E63C314CC331528BC3010F7867462B8C78AC530075F01C6B7576AE0ACAD909DA200AC28F8BD312F77E0013A73E1D81918CD513DE3F
            Malicious:true
            Reputation:moderate, very likely benign file
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
            C:\Windows\appcompat\Programs\Amcache.hve
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:MS Windows registry file, NT/2000 or above
            Category:dropped
            Size (bytes):1572864
            Entropy (8bit):4.265899431057205
            Encrypted:false
            SSDEEP:12288:d5n+5OEen+S6rGx2pTp4xCqie6kZSGf3Peg+Qkpr98fuTTLY//DhLbEt:nn+5OEen+S6rGx2Msf7t
            MD5:6DE45ECD67182A11CEBC37E1CA1949C7
            SHA1:9438D2EB075E20FDE0989078476933DBCD36D2CD
            SHA-256:A5F2C6D80C50CF7558D993C7B5E73370ACB7729CBF0AB09946229A8AF5584022
            SHA-512:75D425E646133670FEA1013FF3663772998387437B47DA0541D9980081001FE0CC4F396D155FAD3A28493B0057233303E4C39A2C16D659BB8955345CA06D8AC3
            Malicious:false
            Reputation:low
            Preview: regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.0.................................................................................................................................................................................................................................................................................................................................................!...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Windows\appcompat\Programs\Amcache.hve.LOG1
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:MS Windows registry file, NT/2000 or above
            Category:dropped
            Size (bytes):24576
            Entropy (8bit):3.8443472902958162
            Encrypted:false
            SSDEEP:384:H4p5tZrdvdX95bQp8fXQnxOf2oTPmxwp+5GjZmG3BDTTez5N5FneHe//:Y3XrrX9uplgf2oyxwpiWmG3pTe9N5de+
            MD5:4137D35BA1E9CECBDDADC65887522682
            SHA1:A15E11804FB79DCA2F6578269E8853E22E4D3AFF
            SHA-256:6E930F69803F0CD00BC5997FFCCDEB773FBB661B9A0E3822E1B0B57BA782F4D4
            SHA-512:C3DE9587C3E8CAF2573F0A982029A7427F05CFA08F1B7EC21AFBE93372FE59B1B73C7EDE3D39E803D69D62D1CD31088EB65E05C1EC6C0A7C7EA8D6258661A83B
            Malicious:false
            Reputation:low
            Preview: regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.0.................................................................................................................................................................................................................................................................................................................................................'...HvLE.^......P.............pV.]..p@bS............................... ..hbin................p.\..,..........nk,..0..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..0......... ...........P............... .......Z.......................Root........lf......Root....nk ..0......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

            Static File Info

            General

            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):2.8202817542758174
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:IMG-000284794.exe
            File size:1211392
            MD5:abd28466f7cb80d6da36fed9f3e6bef4
            SHA1:fb2911028f32b2b3c07004a21e84773e3efd1519
            SHA256:5686f840b9b2834952367cd9c37ec4c8385bcc90348dd3a92e488c0faebed85a
            SHA512:0c6aa40cc0797ae3e59bf863bce36c1bb4a96760aa2897b8b03706da83e24a9009fbda569a243c890c7013d4f6e1514e73349757b16c0b318407019ad1e51586
            SSDEEP:6144:jfdz156S1GVaDMtNo7AudqtXwKc95TYY8DZW4aQgUDWEkbp+Y0X5uu8SN7FuuH57:j1NyEqJHEB20uZ6T+YLHEwsL
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0..r...........1... ........@.. ....................................`................................

            File Icon

            Icon Hash:00828e8e8686b000

            Static PE Info

            General

            Entrypoint:0x4031ca
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows cui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Time Stamp:0xE045D3C7 [Sat Mar 26 10:49:43 2089 UTC]
            TLS Callbacks:
            CLR (.Net) Version:v4.0.30319
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]
            cmp al, 00h
            add byte ptr [eax], al
            xor eax, 1B000000h
            add byte ptr [eax], al
            add byte ptr [ebx], dl
            add byte ptr [eax], al
            add byte ptr [eax+00h], dh
            add byte ptr [eax], al
            jnbe 00007F3F68B7AED2h
            add byte ptr [eax], al
            cmp eax, 14000000h
            add byte ptr [eax], al
            add byte ptr [edx], bl
            add byte ptr [eax], al
            add byte ptr [eax], bh
            add byte ptr [eax], al
            add byte ptr [ecx], al
            add byte ptr [eax], al
            add byte ptr [edx], cl
            add byte ptr [eax], al
            add byte ptr [ebp+00h], dh
            add byte ptr [eax], al
            js 00007F3F68B7AED2h
            add byte ptr [eax], al
            push cs
            add byte ptr [eax], al
            add byte ptr [eax+eax], bh
            add byte ptr [eax], al
            push edi
            add byte ptr [eax], al
            add byte ptr [eax+eax+00h], bl
            add byte ptr [edx+00h], al
            add byte ptr [eax], al
            adc eax, dword ptr [eax]
            add byte ptr [eax], al
            pushad
            add byte ptr [eax], al
            add byte ptr [edx+00h], ch
            add byte ptr [eax], al
            pop es
            add byte ptr [eax], al
            add byte ptr [eax+eax], al
            add byte ptr [eax], al
            or al, byte ptr [eax]
            add byte ptr [eax], al
            sub byte ptr [eax], al
            add byte ptr [eax], al
            adc dword ptr [eax], eax
            add byte ptr [eax], al
            push ds
            add byte ptr [eax], al
            add byte ptr [ebp+00h], ah
            add byte ptr [eax], al
            push 1E000000h
            add byte ptr [eax], al
            add byte ptr [eax+eax], ch
            add byte ptr [eax], al
            sbb dword ptr [eax], eax
            add byte ptr [eax], al
            add al, byte ptr [eax]
            add byte ptr [eax], al
            or eax, dword ptr [eax]
            add byte ptr [eax], al
            and eax, dword ptr [eax]
            add byte ptr [eax], al
            push eax
            add byte ptr [eax], al
            add byte ptr [edi+00h], dl
            add byte ptr [eax], al
            adc dword ptr [eax], eax
            add byte ptr [eax], al
            xor al, 00h
            add byte ptr [eax], al
            cmp al, byte ptr [eax]
            add byte ptr [eax], al
            sbb byte ptr [eax], al
            add byte ptr [eax], al
            and dword ptr [eax], eax
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [ebp+00h], dl
            add byte ptr [eax], al
            pop eax
            add byte ptr [eax], al
            add byte ptr [esi], ch
            add byte ptr [eax], al
            add byte ptr [eax+eax], bl
            add byte ptr [eax], al
            sbb dword ptr [eax], eax

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3177 | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12a000 | 0x5d4 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12c000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x30c4 | 0x38 | .text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x1271d0 | 0x127200 | False | 0.373518404543 | data | 2.81710734526 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc | 0x12a000 | 0x5d4 | 0x600 | False | 0.432942708333 | data | 4.19198536242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x12c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_VERSION | 0x12a090 | 0x342 | data | |
            RT_MANIFEST | 0x12a3e4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

            Imports

            DLL | Import
            mscoree.dll | _CorExeMain

            Version Infos

            Description | Data
            Translation | 0x0000 0x04b0
            LegalCopyright | Copyright 2022
            Assembly Version | 9.12.3.0
            InternalName | bonkersV2.exe
            FileVersion | 9.12.3.0
            CompanyName | MelvinCapital
            LegalTrademarks | MC
            Comments |
            ProductName | bonkersV2
            ProductVersion | 9.12.3.0
            FileDescription | bonkersV2
            OriginalFilename | bonkersV2.exe

            Network Behavior

            No network behavior found

            Code Manipulations

            Statistics

            Behavior


            System Behavior

            General

            Start time:15:07:21
            Start date:14/01/2022
            Path:C:\Users\user\Desktop\IMG-000284794.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\IMG-000284794.exe"
            Imagebase:0x760000
            File size:1211392 bytes
            MD5 hash:ABD28466F7CB80D6DA36FED9F3E6BEF4
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Reputation:low

            General

            Start time:15:07:22
            Start date:14/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:15:08:19
            Start date:14/01/2022
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
            Imagebase:0x220000
            File size:45160 bytes
            MD5 hash:B490A24A9328FD89155F075FA26C0DEC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:moderate

            General

            Start time:15:08:22
            Start date:14/01/2022
            Path:C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 176
            Imagebase:0x1350000
            File size:434592 bytes
            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Disassembly

            Code Analysis
