Windows Analysis Report
HSBC Bank Swift Copy.pdf.exe

Overview

General Information

Sample Name: HSBC Bank Swift Copy.pdf.exe
Analysis ID: 562044
MD5: 76b0f4441930d3f2f480830681c426e7
SHA1: 0b28664196cd55adcc7b82647602db984dd49f61
SHA256: 3cc59342fdbb5aa332f7d99216ac3f1ede121e0752e5aaff260e16432c23908d
Tags: exe, Formbook, HSBC

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.loj-kits.xyz/rexd/"], "decoy": ["xn--2es77o3w1bruk.mobi", "cotesaintetienne.com", "newlifefoursquaremcpherson.com", "solutions-consulting.biz", "chsico.com", "demeet.xyz", "eiruhguijire.store", "realestatemoda.com", "amr-fire.net", "99v.one", "altdaita.com", "showerbeast.com", "nsfone.com", "doanhnhanvietnam.info", "xn--transfpanou-39a.com", "invitiz.com", "chifaebio.xyz", "footprint-farm.com", "onlinenurseprograms.com", "tigeratlspa.com", "troublewatermelon.space", "juvesti.com", "hunnii.one", "collective4choice.com", "casino-mate1.com", "hairandspa-aimer-kadsume.com", "pointconstructionservices.com", "savagereviews.xyz", "zhuangmengmeng.com", "gicaredocs.com", "victori-jaya.com", "purifilt.net", "live9words.com", "x-teknoloji.com", "thelocalworkers.com", "nalainteriores.com", "dream-mart.tech", "maretta.info", "empowermindbodystudios.com", "creativenft.xyz", "remembertheabbeygate.com", "whistlergardencenter.com", "jbmfg.net", "tangerinecave.com", "60thstreetdesserts.com", "mxcpgj.com", "nguoidantocvungcao.xyz", "snowjamproductiosmedia.com", "schencklab.com", "sousouhenansheng.com", "quirkysoul39.com", "digitaleclipsegames.com", "hayesvalleycondo409.com", "ceremonydesigncompany.com", "essaispsoriasisenfants-ca.com", "borhanmarket.com", "aerbounce.com", "primebradescocadastro.com", "bupis44.info", "optmsg.com", "khukhuanphongkham.com", "bunnymoorellc.com", "tminus-10.com", "mytechmadesimple.com"]}
Source: HSBC Bank Swift Copy.pdf.exe Virustotal: Detection: 31%
Source: HSBC Bank Swift Copy.pdf.exe ReversingLabs: Detection: 48%
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.doanhnhanvietnam.info/rexd/ Avira URL Cloud: Label: malware
Source: http://www.hairandspa-aimer-kadsume.com/rexd/ Avira URL Cloud: Label: malware
Source: http://www.bupis44.info/rexd/www.solutions-consulting.biz Avira URL Cloud: Label: malware
Source: www.loj-kits.xyz/rexd/ Avira URL Cloud: Label: malware
Source: http://www.collective4choice.com/rexd/www.bupis44.info Avira URL Cloud: Label: malware
Source: http://www.collective4choice.com/rexd/ Avira URL Cloud: Label: malware
Source: http://www.loj-kits.xyz/rexd/www.chifaebio.xyz Avira URL Cloud: Label: malware
Source: http://www.doanhnhanvietnam.info/rexd/www.invitiz.com Avira URL Cloud: Label: malware
Source: http://www.bupis44.info/rexd/ Avira URL Cloud: Label: malware
Source: http://www.loj-kits.xyz/rexd/ Avira URL Cloud: Label: malware
Source: http://www.hairandspa-aimer-kadsume.com/rexd/www.tminus-10.com Avira URL Cloud: Label: malware
Source: http://www.bupis44.info Avira URL Cloud: Label: malware
Source: HSBC Bank Swift Copy.pdf.exe Joe Sandbox ML: detected
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance

Source: HSBC Bank Swift Copy.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HSBC Bank Swift Copy.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: wntdll.pdbUGP source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378821180.00000000013AF000.00000040.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378603886.0000000001290000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.379797360.0000000003300000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.378166081.0000000001000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.534695085.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.533914214.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378821180.00000000013AF000.00000040.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378603886.0000000001290000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000003.379797360.0000000003300000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.378166081.0000000001000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.534695085.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.533914214.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: eex.pdb source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: svchost.pdb source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378549777.0000000001270000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378549777.0000000001270000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\SRnftbxSiX\src\obj\Debug\RuntimePropertyIn.pdb source: HSBC Bank Swift Copy.pdf.exe

Networking

Source: Malware configuration extractor URLs: www.loj-kits.xyz/rexd/
Source: HSBC Bank Swift Copy.pdf.exe String found in binary or memory: http://blog.iandreev.com
Source: HSBC Bank Swift Copy.pdf.exe String found in binary or memory: http://blog.iandreev.com/
Source: HSBC Bank Swift Copy.pdf.exe String found in binary or memory: http://blog.iandreev.com/AClick
Source: explorer.exe, 0000001D.00000002.545811581.00007FFF94839000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
Source: explorer.exe, 0000001D.00000002.545811581.00007FFF94839000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
Source: explorer.exe, 0000001D.00000002.537943170.0000000007442000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.503821116.00000000074A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.502282504.00000000074A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.513074181.0000000009817000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.539699054.0000000009817000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.512012339.00000000074A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000001D.00000000.506321945.0000000009A2B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.502118090.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.502938145.0000000009A2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.500906015.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.505028040.0000000009A2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.504397605.0000000009A2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.503803391.0000000009A08000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.513670120.0000000009A2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.verisign.6
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.amr-fire.net
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.amr-fire.net/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.amr-fire.net/rexd/www.collective4choice.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.amr-fire.netReferer:
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000E.00000000.351270316.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.335111009.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.418985985.0000000006870000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.314141640.0000000006840000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bupis44.info
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bupis44.info/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bupis44.info/rexd/www.solutions-consulting.biz
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bupis44.infoReferer:
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chifaebio.xyz
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chifaebio.xyz/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chifaebio.xyz/rexd/www.mxcpgj.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chifaebio.xyzReferer:
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.collective4choice.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.collective4choice.com/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.collective4choice.com/rexd/www.bupis44.info
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.collective4choice.comReferer:
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.doanhnhanvietnam.info
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.doanhnhanvietnam.info/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.doanhnhanvietnam.info/rexd/www.invitiz.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.doanhnhanvietnam.infoReferer:
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.essaispsoriasisenfants-ca.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.essaispsoriasisenfants-ca.com/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.essaispsoriasisenfants-ca.com/rexd/www.doanhnhanvietnam.info
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.essaispsoriasisenfants-ca.comReferer:
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307291346.0000000001997000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdiao
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307291346.0000000001997000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comrsiva
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hairandspa-aimer-kadsume.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hairandspa-aimer-kadsume.com/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hairandspa-aimer-kadsume.com/rexd/www.tminus-10.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hairandspa-aimer-kadsume.comReferer:
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.invitiz.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.invitiz.com/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.invitiz.com/rexd/www.primebradescocadastro.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.invitiz.comReferer:
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.live9words.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.live9words.com/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.live9words.comReferer:
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.loj-kits.xyz
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.loj-kits.xyz/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.loj-kits.xyz/rexd/www.chifaebio.xyz
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.loj-kits.xyzReferer:
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mxcpgj.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mxcpgj.com/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mxcpgj.com/rexd/www.nalainteriores.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mxcpgj.comReferer:
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nalainteriores.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nalainteriores.com/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nalainteriores.com/rexd/www.essaispsoriasisenfants-ca.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nalainteriores.comReferer:
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pointconstructionservices.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pointconstructionservices.com/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pointconstructionservices.com/rexd/www.amr-fire.net
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pointconstructionservices.comReferer:
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.primebradescocadastro.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.primebradescocadastro.com/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.primebradescocadastro.com/rexd/www.live9words.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.primebradescocadastro.comReferer:
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.solutions-consulting.biz
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.solutions-consulting.biz/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.solutions-consulting.biz/rexd/www.hairandspa-aimer-kadsume.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.solutions-consulting.bizReferer:
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 00000000.00000003.264704646.000000000199C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tminus-10.com
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tminus-10.com/rexd/
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tminus-10.com/rexd/www.loj-kits.xyz
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tminus-10.comReferer:
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.pointconstructionservices.com

E-Banking Fraud

Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: initial sample Static PE information: Filename: HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 0_2_0303D3B4 0_2_0303D3B4
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00401030 12_2_00401030
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0041B903 12_2_0041B903
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0041CC4E 12_2_0041CC4E
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00408C70 12_2_00408C70
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00402D87 12_2_00402D87
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00402D90 12_2_00402D90
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0041C6A8 12_2_0041C6A8
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0041CFD2 12_2_0041CFD2
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00402FB0 12_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355EBB0 17_2_0355EBB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03546E30 17_2_03546E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F1D55 17_2_035F1D55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352F900 17_2_0352F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03520D20 17_2_03520D20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03544120 17_2_03544120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353D5E0 17_2_0353D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03552581 17_2_03552581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353841F 17_2_0353841F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1002 17_2_035E1002
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353B090 17_2_0353B090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035520A0 17_2_035520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0090CC4E 17_2_0090CC4E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_008F8C70 17_2_008F8C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_008F2D87 17_2_008F2D87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_008F2D90 17_2_008F2D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0090C6A8 17_2_0090C6A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_008F2FB0 17_2_008F2FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0090CFD2 17_2_0090CFD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0352B150 appears 35 times
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_004185D0 NtCreateFile, 12_2_004185D0
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00418680 NtReadFile, 12_2_00418680
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00418700 NtClose, 12_2_00418700
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_004187B0 NtAllocateVirtualMemory, 12_2_004187B0
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00418622 NtReadFile, 12_2_00418622
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569710 NtQueryInformationToken,LdrInitializeThunk, 17_2_03569710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569FE0 NtCreateMutant,LdrInitializeThunk, 17_2_03569FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569780 NtMapViewOfSection,LdrInitializeThunk, 17_2_03569780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569650 NtQueryValueKey,LdrInitializeThunk, 17_2_03569650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569A50 NtCreateFile,LdrInitializeThunk, 17_2_03569A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_03569660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035696D0 NtCreateKey,LdrInitializeThunk, 17_2_035696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035696E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_035696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569540 NtReadFile,LdrInitializeThunk, 17_2_03569540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_03569910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035695D0 NtClose,LdrInitializeThunk, 17_2_035695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035699A0 NtCreateSection,LdrInitializeThunk, 17_2_035699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569840 NtDelayExecution,LdrInitializeThunk, 17_2_03569840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_03569860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569770 NtSetInformationFile, 17_2_03569770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0356A770 NtOpenThread, 17_2_0356A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569760 NtOpenProcess, 17_2_03569760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0356A710 NtOpenProcessToken, 17_2_0356A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569B00 NtSetValueKey, 17_2_03569B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569730 NtQueryVirtualMemory, 17_2_03569730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0356A3B0 NtGetContextThread, 17_2_0356A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035697A0 NtUnmapViewOfSection, 17_2_035697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569670 NtQueryInformationProcess, 17_2_03569670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569610 NtEnumerateValueKey, 17_2_03569610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569A10 NtQuerySection, 17_2_03569A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569A00 NtProtectVirtualMemory, 17_2_03569A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569A20 NtResumeThread, 17_2_03569A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569A80 NtOpenDirectoryObject, 17_2_03569A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569950 NtQueueApcThread, 17_2_03569950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569560 NtWriteFile, 17_2_03569560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0356AD30 NtSetContextThread, 17_2_0356AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569520 NtWaitForSingleObject, 17_2_03569520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035699D0 NtCreateProcessEx, 17_2_035699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035695F0 NtQueryInformationFile, 17_2_035695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0356B040 NtSuspendThread, 17_2_0356B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569820 NtEnumerateKey, 17_2_03569820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035698F0 NtReadVirtualMemory, 17_2_035698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035698A0 NtWriteVirtualMemory, 17_2_035698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_009085D0 NtCreateFile, 17_2_009085D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00908680 NtReadFile, 17_2_00908680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_009087B0 NtAllocateVirtualMemory, 17_2_009087B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00908700 NtClose, 17_2_00908700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00908622 NtReadFile, 17_2_00908622
Source: HSBC Bank Swift Copy.pdf.exe Binary or memory string: OriginalFilename vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308215845.0000000003258000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308047232.00000000031FC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRuntimePropertyIn.exe4 vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308047232.00000000031FC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308047232.00000000031FC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.311397572.0000000008210000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.311069408.0000000007F80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe Binary or memory string: OriginalFilename vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378821180.00000000013AF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.379431942.000000000153F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378583898.000000000127B000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe Binary or memory string: OriginalFilenameRuntimePropertyIn.exe4 vs HSBC Bank Swift Copy.pdf.exe
Source: HSBC Bank Swift Copy.pdf.exe Virustotal: Detection: 31%
Source: HSBC Bank Swift Copy.pdf.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe File read: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe:Zone.Identifier
Source: HSBC Bank Swift Copy.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Process created: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC Bank Swift Copy.pdf.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@3/1
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5464:120:WilError_01
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: HSBC Bank Swift Copy.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: HSBC Bank Swift Copy.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: HSBC Bank Swift Copy.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: wntdll.pdbUGP source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378821180.00000000013AF000.00000040.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378603886.0000000001290000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.379797360.0000000003300000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.378166081.0000000001000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.534695085.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.533914214.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378821180.00000000013AF000.00000040.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378603886.0000000001290000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000003.379797360.0000000003300000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.378166081.0000000001000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.534695085.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.533914214.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: eex.pdb source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: svchost.pdb source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378549777.0000000001270000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378549777.0000000001270000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\SRnftbxSiX\src\obj\Debug\RuntimePropertyIn.pdb source: HSBC Bank Swift Copy.pdf.exe
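The svchost.exe "Code function" entries above list the native calls that the hollowing and thread-injection findings key on: NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread and NtResumeThread all sit in the same injected process. The script below is an added example, not code from the report or from Joe Sandbox; it groups those entries per process and reports which stage of the chain each call covers. The svchost.exe lines in it are copied from the report, the notepad.exe lines are constructed to show a process that does not match, and the stage table is the example's own model of the technique.

```python
"""Correlate a sandbox report's per-process native API hits into an injection verdict.

Added example for this page, not code from the report or from Joe Sandbox.  The
svchost.exe lines in REPORT_LINES are copied from the report's "Code function"
entries; the notepad.exe lines are constructed so a non-matching process is shown.
The STAGES table is this example's own model of the hollowing sequence.
"""
import re
from collections import defaultdict

# 'Source: <process> Code function: <idx>_<run>_<addr> <NtApi>, <idx>_<run>_<addr>'
# <idx> is the report's process index (not the OS PID).
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+Code function:\s+(?P<idx>\d+)_\d+_[0-9A-Fa-f]+\s+(?P<api>Nt\w+),"
)

# Stages of a hollowing / injection chain and the native calls that implement them.
STAGES = {
    "target": {"NtCreateProcessEx", "NtOpenProcess"},      # new suspended process, or a live one
    "unmap":  {"NtUnmapViewOfSection"},                    # carve the original image out
    "write":  {"NtWriteVirtualMemory"},                    # place the payload
    "hijack": {"NtSetContextThread", "NtQueueApcThread"},  # redirect execution
    "resume": {"NtResumeThread"},                          # let it run
}
REQUIRED = ("target", "write", "hijack", "resume")         # 'unmap' separates hollowing

REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569760 NtOpenProcess, 17_2_03569760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035697A0 NtUnmapViewOfSection, 17_2_035697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569A00 NtProtectVirtualMemory, 17_2_03569A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569A20 NtResumeThread, 17_2_03569A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03569950 NtQueueApcThread, 17_2_03569950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0356AD30 NtSetContextThread, 17_2_0356AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035699D0 NtCreateProcessEx, 17_2_035699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0356B040 NtSuspendThread, 17_2_0356B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035698A0 NtWriteVirtualMemory, 17_2_035698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_009087B0 NtAllocateVirtualMemory, 17_2_009087B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00908700 NtClose, 17_2_00908700
Source: C:\Windows\System32\notepad.exe Code function: 3_2_00401000 NtCreateFile, 3_2_00401000
Source: C:\Windows\System32\notepad.exe Code function: 3_2_00401100 NtClose, 3_2_00401100
""".strip().splitlines()


def api_sets(lines):
    """Group the Nt* calls by (process index, image path)."""
    found = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            found[(int(m["idx"]), m["proc"])].add(m["api"])
    return dict(found)


def classify(apis):
    """Return (verdict, matched APIs per stage) for one process's API set."""
    hit = {stage: sorted(apis & names) for stage, names in STAGES.items()}
    if not all(hit[s] for s in REQUIRED):
        return None, hit
    if hit["unmap"]:
        return "process hollowing", hit
    if "NtQueueApcThread" in hit["hijack"]:
        return "apc injection", hit
    return "thread context hijack", hit


def triage(lines):
    """Map every process in the report lines to its verdict (None = no chain)."""
    return {key: classify(apis)[0] for key, apis in api_sets(lines).items()}


if __name__ == "__main__":
    for (idx, proc), apis in api_sets(REPORT_LINES).items():
        verdict, hit = classify(apis)
        print(f"[{idx}] {proc}: {verdict or 'no injection chain'}")
        for stage in STAGES:
            print(f"    {stage:<7} {', '.join(hit[stage]) or '-'}")
```

A single call such as NtWriteVirtualMemory is common in legitimate software, so the verdict only fires when a target, a write, a control-flow hijack and a resume all appear in the same process; NtUnmapViewOfSection is what separates hollowing of a freshly created process from injection into a live one. NtSuspendThread and NtProtectVirtualMemory are also present in the report's svchost.exe entries but are not required by the rule.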

Data Obfuscation

Source: HSBC Bank Swift Copy.pdf.exe, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.HSBC Bank Swift Copy.pdf.exe.e60000.0.unpack, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.HSBC Bank Swift Copy.pdf.exe.e60000.0.unpack, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.9.unpack, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.7.unpack, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.HSBC Bank Swift Copy.pdf.exe.810000.1.unpack, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.3.unpack, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.0.unpack, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.2.unpack, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.5.unpack, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.1.unpack, _5ball/Form1.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 0_2_00E6667D push es; retf 0007h 0_2_00E667B4
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 0_2_00E66691 push es; retf 0007h 0_2_00E667B4
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00415058 pushfd ; ret 12_2_00415059
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0041B87C push eax; ret 12_2_0041B882
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0041B812 push eax; ret 12_2_0041B818
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0041B81B push eax; ret 12_2_0041B882
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0041516A push esi; retf 12_2_00415185
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0040C3AC push es; iretd 12_2_0040C3AD
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00414DFF push ebx; retf 12_2_00414E00
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0041B7C5 push eax; ret 12_2_0041B818
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00816691 push es; retf 0007h 12_2_008167B4
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_0081667D push es; retf 0007h 12_2_008167B4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0357D0D1 push ecx; ret 17_2_0357D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0090B812 push eax; ret 17_2_0090B818
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0090B81B push eax; ret 17_2_0090B882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00905058 pushfd ; ret 17_2_00905059
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0090B87C push eax; ret 17_2_0090B882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0090516A push esi; retf 17_2_00905185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_008FC3AC push es; iretd 17_2_008FC3AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_00904DFF push ebx; retf 17_2_00904E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0090BD6F push ecx; ret 17_2_0090BD74
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0090B7C5 push eax; ret 17_2_0090B818

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe Process created: /c del "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
Source: Possible double extension: pdf.exe Static PE information: HSBC Bank Swift Copy.pdf.exe
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Process information set: NOOPENFILEERRORBOX (identical entry repeated 39 times)
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (identical entry repeated 13 times)

Malware Analysis System Evasion

Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.31ed1ec.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.326c734.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.308215845.0000000003258000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HSBC Bank Swift Copy.pdf.exe PID: 4712, type: MEMORYSTR
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308215845.0000000003258000.00000004.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308215845.0000000003258000.00000004.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000008F8604 second address: 00000000008F860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000008F898E second address: 00000000008F8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe TID: 4000 Thread sleep time: -39813s >= -30000s
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe TID: 5428 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_004088C0 rdtsc 12_2_004088C0
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Thread delayed: delay time: 39813
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000E.00000000.338683531.0000000008A32000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000E.00000000.338683531.0000000008A32000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001D.00000000.513716413.0000000009A43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: explorer.exe, 0000001D.00000003.501324592.0000000009A81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000003.507940526.00000000099F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 0000001D.00000003.505130040.0000000009A43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,h\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}O0M0K
Source: explorer.exe, 0000001D.00000000.477720516.00000000074BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000001D.00000003.501551888.0000000009936000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}f
Source: explorer.exe, 0000000E.00000000.355788907.0000000008C73000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S""
Source: explorer.exe, 0000000E.00000000.355307217.0000000008B88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000001D.00000003.501717975.00000000099F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00$
Source: explorer.exe, 0000001D.00000003.501509475.0000000009913000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000:
Source: explorer.exe, 0000001D.00000000.506378037.0000000009A69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}!
Source: explorer.exe, 0000001D.00000000.506378037.0000000009A69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000001D.00000003.500774605.00000000099B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: explorer.exe, 0000000E.00000000.355147226.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001D.00000000.502730509.00000000073CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00ta
Source: explorer.exe, 0000001D.00000000.460008601.00000000005A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AASCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000&09F6E&0&00A8AUTHORITY\SYSTEMP
Source: explorer.exe, 0000001D.00000000.511352280.00000000073CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}K
Source: explorer.exe, 0000001D.00000002.540226124.00000000099F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000001D.00000003.500774605.00000000099B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA(P
Source: explorer.exe, 0000001D.00000000.506076169.00000000098B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00#
Source: explorer.exe, 0000001D.00000002.540333961.0000000009A43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: explorer.exe, 0000001D.00000000.506378037.0000000009A69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000001D.00000000.506378037.0000000009A69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000000.506076169.00000000098B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000001D.00000000.460008601.00000000005A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.355147226.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000000E.00000000.355307217.0000000008B88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000001D.00000000.460008601.00000000005A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000's
Source: explorer.exe, 0000001D.00000003.505130040.0000000009A43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000f
Source: explorer.exe, 0000000E.00000000.351546776.00000000069DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000001D.00000000.511352280.00000000073CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}2
Source: explorer.exe, 0000001D.00000000.512012339.00000000074A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
Source: explorer.exe, 0000001D.00000003.501509475.0000000009913000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_004088C0 rdtsc 12_2_004088C0
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F8B58 mov eax, dword ptr fs:[00000030h] 17_2_035F8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352F358 mov eax, dword ptr fs:[00000030h] 17_2_0352F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352DB40 mov eax, dword ptr fs:[00000030h] 17_2_0352DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353EF40 mov eax, dword ptr fs:[00000030h] 17_2_0353EF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03553B7A mov eax, dword ptr fs:[00000030h] 17_2_03553B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03553B7A mov eax, dword ptr fs:[00000030h] 17_2_03553B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352DB60 mov ecx, dword ptr fs:[00000030h] 17_2_0352DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353FF60 mov eax, dword ptr fs:[00000030h] 17_2_0353FF60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F8F6A mov eax, dword ptr fs:[00000030h] 17_2_035F8F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354F716 mov eax, dword ptr fs:[00000030h] 17_2_0354F716
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E131B mov eax, dword ptr fs:[00000030h] 17_2_035E131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BFF10 mov eax, dword ptr fs:[00000030h] 17_2_035BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BFF10 mov eax, dword ptr fs:[00000030h] 17_2_035BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F070D mov eax, dword ptr fs:[00000030h] 17_2_035F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F070D mov eax, dword ptr fs:[00000030h] 17_2_035F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355A70E mov eax, dword ptr fs:[00000030h] 17_2_0355A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355A70E mov eax, dword ptr fs:[00000030h] 17_2_0355A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355E730 mov eax, dword ptr fs:[00000030h] 17_2_0355E730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03524F2E mov eax, dword ptr fs:[00000030h] 17_2_03524F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03524F2E mov eax, dword ptr fs:[00000030h] 17_2_03524F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A53CA mov eax, dword ptr fs:[00000030h] 17_2_035A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A53CA mov eax, dword ptr fs:[00000030h] 17_2_035A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035637F5 mov eax, dword ptr fs:[00000030h] 17_2_035637F5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h] 17_2_035503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h] 17_2_035503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h] 17_2_035503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h] 17_2_035503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h] 17_2_035503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h] 17_2_035503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354DBE9 mov eax, dword ptr fs:[00000030h] 17_2_0354DBE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03552397 mov eax, dword ptr fs:[00000030h] 17_2_03552397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355B390 mov eax, dword ptr fs:[00000030h] 17_2_0355B390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03538794 mov eax, dword ptr fs:[00000030h] 17_2_03538794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A7794 mov eax, dword ptr fs:[00000030h] 17_2_035A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A7794 mov eax, dword ptr fs:[00000030h] 17_2_035A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A7794 mov eax, dword ptr fs:[00000030h] 17_2_035A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E138A mov eax, dword ptr fs:[00000030h] 17_2_035E138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03531B8F mov eax, dword ptr fs:[00000030h] 17_2_03531B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03531B8F mov eax, dword ptr fs:[00000030h] 17_2_03531B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035DD380 mov ecx, dword ptr fs:[00000030h] 17_2_035DD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03554BAD mov eax, dword ptr fs:[00000030h] 17_2_03554BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03554BAD mov eax, dword ptr fs:[00000030h] 17_2_03554BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03554BAD mov eax, dword ptr fs:[00000030h] 17_2_03554BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F5BA5 mov eax, dword ptr fs:[00000030h] 17_2_035F5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035B4257 mov eax, dword ptr fs:[00000030h] 17_2_035B4257
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03529240 mov eax, dword ptr fs:[00000030h] 17_2_03529240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03529240 mov eax, dword ptr fs:[00000030h] 17_2_03529240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03529240 mov eax, dword ptr fs:[00000030h] 17_2_03529240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03529240 mov eax, dword ptr fs:[00000030h] 17_2_03529240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h] 17_2_03537E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h] 17_2_03537E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h] 17_2_03537E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h] 17_2_03537E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h] 17_2_03537E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h] 17_2_03537E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354AE73 mov eax, dword ptr fs:[00000030h] 17_2_0354AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354AE73 mov eax, dword ptr fs:[00000030h] 17_2_0354AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354AE73 mov eax, dword ptr fs:[00000030h] 17_2_0354AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354AE73 mov eax, dword ptr fs:[00000030h] 17_2_0354AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354AE73 mov eax, dword ptr fs:[00000030h] 17_2_0354AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0356927A mov eax, dword ptr fs:[00000030h] 17_2_0356927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035DB260 mov eax, dword ptr fs:[00000030h] 17_2_035DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035DB260 mov eax, dword ptr fs:[00000030h] 17_2_035DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F8A62 mov eax, dword ptr fs:[00000030h] 17_2_035F8A62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353766D mov eax, dword ptr fs:[00000030h] 17_2_0353766D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03525210 mov eax, dword ptr fs:[00000030h] 17_2_03525210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03525210 mov ecx, dword ptr fs:[00000030h] 17_2_03525210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03525210 mov eax, dword ptr fs:[00000030h] 17_2_03525210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03525210 mov eax, dword ptr fs:[00000030h] 17_2_03525210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352AA16 mov eax, dword ptr fs:[00000030h] 17_2_0352AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352AA16 mov eax, dword ptr fs:[00000030h] 17_2_0352AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03543A1C mov eax, dword ptr fs:[00000030h] 17_2_03543A1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355A61C mov eax, dword ptr fs:[00000030h] 17_2_0355A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355A61C mov eax, dword ptr fs:[00000030h] 17_2_0355A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352C600 mov eax, dword ptr fs:[00000030h] 17_2_0352C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352C600 mov eax, dword ptr fs:[00000030h] 17_2_0352C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352C600 mov eax, dword ptr fs:[00000030h] 17_2_0352C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03558E00 mov eax, dword ptr fs:[00000030h] 17_2_03558E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03538A0A mov eax, dword ptr fs:[00000030h] 17_2_03538A0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035DFE3F mov eax, dword ptr fs:[00000030h] 17_2_035DFE3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352E620 mov eax, dword ptr fs:[00000030h] 17_2_0352E620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03564A2C mov eax, dword ptr fs:[00000030h] 17_2_03564A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03564A2C mov eax, dword ptr fs:[00000030h] 17_2_03564A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F8ED6 mov eax, dword ptr fs:[00000030h] 17_2_035F8ED6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03568EC7 mov eax, dword ptr fs:[00000030h] 17_2_03568EC7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035536CC mov eax, dword ptr fs:[00000030h] 17_2_035536CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035DFEC0 mov eax, dword ptr fs:[00000030h] 17_2_035DFEC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03552ACB mov eax, dword ptr fs:[00000030h] 17_2_03552ACB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035376E2 mov eax, dword ptr fs:[00000030h] 17_2_035376E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03552AE4 mov eax, dword ptr fs:[00000030h] 17_2_03552AE4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035516E0 mov ecx, dword ptr fs:[00000030h] 17_2_035516E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355D294 mov eax, dword ptr fs:[00000030h] 17_2_0355D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355D294 mov eax, dword ptr fs:[00000030h] 17_2_0355D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BFE87 mov eax, dword ptr fs:[00000030h] 17_2_035BFE87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353AAB0 mov eax, dword ptr fs:[00000030h] 17_2_0353AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353AAB0 mov eax, dword ptr fs:[00000030h] 17_2_0353AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355FAB0 mov eax, dword ptr fs:[00000030h] 17_2_0355FAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035252A5 mov eax, dword ptr fs:[00000030h] 17_2_035252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035252A5 mov eax, dword ptr fs:[00000030h] 17_2_035252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035252A5 mov eax, dword ptr fs:[00000030h] 17_2_035252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035252A5 mov eax, dword ptr fs:[00000030h] 17_2_035252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035252A5 mov eax, dword ptr fs:[00000030h] 17_2_035252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F0EA5 mov eax, dword ptr fs:[00000030h] 17_2_035F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F0EA5 mov eax, dword ptr fs:[00000030h] 17_2_035F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F0EA5 mov eax, dword ptr fs:[00000030h] 17_2_035F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A46A7 mov eax, dword ptr fs:[00000030h] 17_2_035A46A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03547D50 mov eax, dword ptr fs:[00000030h] 17_2_03547D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354B944 mov eax, dword ptr fs:[00000030h] 17_2_0354B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354B944 mov eax, dword ptr fs:[00000030h] 17_2_0354B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03563D43 mov eax, dword ptr fs:[00000030h] 17_2_03563D43
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A3540 mov eax, dword ptr fs:[00000030h] 17_2_035A3540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352B171 mov eax, dword ptr fs:[00000030h] 17_2_0352B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352B171 mov eax, dword ptr fs:[00000030h] 17_2_0352B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354C577 mov eax, dword ptr fs:[00000030h] 17_2_0354C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354C577 mov eax, dword ptr fs:[00000030h] 17_2_0354C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352C962 mov eax, dword ptr fs:[00000030h] 17_2_0352C962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03529100 mov eax, dword ptr fs:[00000030h] 17_2_03529100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03529100 mov eax, dword ptr fs:[00000030h] 17_2_03529100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03529100 mov eax, dword ptr fs:[00000030h] 17_2_03529100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352AD30 mov eax, dword ptr fs:[00000030h] 17_2_0352AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h] 17_2_03533D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F8D34 mov eax, dword ptr fs:[00000030h] 17_2_035F8D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035AA537 mov eax, dword ptr fs:[00000030h] 17_2_035AA537
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03554D3B mov eax, dword ptr fs:[00000030h] 17_2_03554D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03554D3B mov eax, dword ptr fs:[00000030h] 17_2_03554D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03554D3B mov eax, dword ptr fs:[00000030h] 17_2_03554D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355513A mov eax, dword ptr fs:[00000030h] 17_2_0355513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355513A mov eax, dword ptr fs:[00000030h] 17_2_0355513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03544120 mov eax, dword ptr fs:[00000030h] 17_2_03544120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03544120 mov eax, dword ptr fs:[00000030h] 17_2_03544120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03544120 mov eax, dword ptr fs:[00000030h] 17_2_03544120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03544120 mov eax, dword ptr fs:[00000030h] 17_2_03544120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03544120 mov ecx, dword ptr fs:[00000030h] 17_2_03544120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6DC9 mov eax, dword ptr fs:[00000030h] 17_2_035A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6DC9 mov eax, dword ptr fs:[00000030h] 17_2_035A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6DC9 mov eax, dword ptr fs:[00000030h] 17_2_035A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6DC9 mov ecx, dword ptr fs:[00000030h] 17_2_035A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6DC9 mov eax, dword ptr fs:[00000030h] 17_2_035A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6DC9 mov eax, dword ptr fs:[00000030h] 17_2_035A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035D8DF1 mov eax, dword ptr fs:[00000030h] 17_2_035D8DF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352B1E1 mov eax, dword ptr fs:[00000030h] 17_2_0352B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352B1E1 mov eax, dword ptr fs:[00000030h] 17_2_0352B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0352B1E1 mov eax, dword ptr fs:[00000030h] 17_2_0352B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035B41E8 mov eax, dword ptr fs:[00000030h] 17_2_035B41E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353D5E0 mov eax, dword ptr fs:[00000030h] 17_2_0353D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353D5E0 mov eax, dword ptr fs:[00000030h] 17_2_0353D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03552990 mov eax, dword ptr fs:[00000030h] 17_2_03552990
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355FD9B mov eax, dword ptr fs:[00000030h] 17_2_0355FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355FD9B mov eax, dword ptr fs:[00000030h] 17_2_0355FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355A185 mov eax, dword ptr fs:[00000030h] 17_2_0355A185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03552581 mov eax, dword ptr fs:[00000030h] 17_2_03552581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03552581 mov eax, dword ptr fs:[00000030h] 17_2_03552581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03552581 mov eax, dword ptr fs:[00000030h] 17_2_03552581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03552581 mov eax, dword ptr fs:[00000030h] 17_2_03552581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354C182 mov eax, dword ptr fs:[00000030h] 17_2_0354C182
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03522D8A mov eax, dword ptr fs:[00000030h] 17_2_03522D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03522D8A mov eax, dword ptr fs:[00000030h] 17_2_03522D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03522D8A mov eax, dword ptr fs:[00000030h] 17_2_03522D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03522D8A mov eax, dword ptr fs:[00000030h] 17_2_03522D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03522D8A mov eax, dword ptr fs:[00000030h] 17_2_03522D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03551DB5 mov eax, dword ptr fs:[00000030h] 17_2_03551DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03551DB5 mov eax, dword ptr fs:[00000030h] 17_2_03551DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03551DB5 mov eax, dword ptr fs:[00000030h] 17_2_03551DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A51BE mov eax, dword ptr fs:[00000030h] 17_2_035A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A51BE mov eax, dword ptr fs:[00000030h] 17_2_035A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A51BE mov eax, dword ptr fs:[00000030h] 17_2_035A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A51BE mov eax, dword ptr fs:[00000030h] 17_2_035A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035535A1 mov eax, dword ptr fs:[00000030h] 17_2_035535A1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035561A0 mov eax, dword ptr fs:[00000030h] 17_2_035561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035561A0 mov eax, dword ptr fs:[00000030h] 17_2_035561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A69A6 mov eax, dword ptr fs:[00000030h] 17_2_035A69A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03540050 mov eax, dword ptr fs:[00000030h] 17_2_03540050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03540050 mov eax, dword ptr fs:[00000030h] 17_2_03540050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BC450 mov eax, dword ptr fs:[00000030h] 17_2_035BC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BC450 mov eax, dword ptr fs:[00000030h] 17_2_035BC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355A44B mov eax, dword ptr fs:[00000030h] 17_2_0355A44B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F1074 mov eax, dword ptr fs:[00000030h] 17_2_035F1074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E2073 mov eax, dword ptr fs:[00000030h] 17_2_035E2073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0354746D mov eax, dword ptr fs:[00000030h] 17_2_0354746D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F4015 mov eax, dword ptr fs:[00000030h] 17_2_035F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F4015 mov eax, dword ptr fs:[00000030h] 17_2_035F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A7016 mov eax, dword ptr fs:[00000030h] 17_2_035A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A7016 mov eax, dword ptr fs:[00000030h] 17_2_035A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A7016 mov eax, dword ptr fs:[00000030h] 17_2_035A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6C0A mov eax, dword ptr fs:[00000030h] 17_2_035A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6C0A mov eax, dword ptr fs:[00000030h] 17_2_035A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6C0A mov eax, dword ptr fs:[00000030h] 17_2_035A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6C0A mov eax, dword ptr fs:[00000030h] 17_2_035A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F740D mov eax, dword ptr fs:[00000030h] 17_2_035F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F740D mov eax, dword ptr fs:[00000030h] 17_2_035F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F740D mov eax, dword ptr fs:[00000030h] 17_2_035F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h] 17_2_035E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355002D mov eax, dword ptr fs:[00000030h] 17_2_0355002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355002D mov eax, dword ptr fs:[00000030h] 17_2_0355002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355002D mov eax, dword ptr fs:[00000030h] 17_2_0355002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355002D mov eax, dword ptr fs:[00000030h] 17_2_0355002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355002D mov eax, dword ptr fs:[00000030h] 17_2_0355002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353B02A mov eax, dword ptr fs:[00000030h] 17_2_0353B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353B02A mov eax, dword ptr fs:[00000030h] 17_2_0353B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353B02A mov eax, dword ptr fs:[00000030h] 17_2_0353B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353B02A mov eax, dword ptr fs:[00000030h] 17_2_0353B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355BC2C mov eax, dword ptr fs:[00000030h] 17_2_0355BC2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035F8CD6 mov eax, dword ptr fs:[00000030h] 17_2_035F8CD6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_035BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BB8D0 mov ecx, dword ptr fs:[00000030h] 17_2_035BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_035BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_035BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_035BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_035BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035E14FB mov eax, dword ptr fs:[00000030h] 17_2_035E14FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6CF0 mov eax, dword ptr fs:[00000030h] 17_2_035A6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6CF0 mov eax, dword ptr fs:[00000030h] 17_2_035A6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A6CF0 mov eax, dword ptr fs:[00000030h] 17_2_035A6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035258EC mov eax, dword ptr fs:[00000030h] 17_2_035258EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0353849B mov eax, dword ptr fs:[00000030h] 17_2_0353849B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_03529080 mov eax, dword ptr fs:[00000030h] 17_2_03529080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A3884 mov eax, dword ptr fs:[00000030h] 17_2_035A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035A3884 mov eax, dword ptr fs:[00000030h] 17_2_035A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355F0BF mov ecx, dword ptr fs:[00000030h] 17_2_0355F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355F0BF mov eax, dword ptr fs:[00000030h] 17_2_0355F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_0355F0BF mov eax, dword ptr fs:[00000030h] 17_2_0355F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h] 17_2_035520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h] 17_2_035520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h] 17_2_035520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h] 17_2_035520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h] 17_2_035520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h] 17_2_035520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_035690AF mov eax, dword ptr fs:[00000030h] 17_2_035690AF
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Code function: 12_2_00409B30 LdrLoadDll, 12_2_00409B30
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 1210000
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 4524
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Process created: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
Source: explorer.exe, 0000000E.00000000.330983528.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.309774426.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.413808591.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.346663673.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 0000000E.00000000.314124995.0000000005F40000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.330983528.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.309774426.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.413808591.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.346663673.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.476334037.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.477072596.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.468133229.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.535978081.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.535583862.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.510518709.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.510678631.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.501563088.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.461471102.00000000044E8000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.502198515.00000000061A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.330983528.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.309774426.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.413808591.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.346663673.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.485552747.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.473223264.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.460008601.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.501476505.00000000060B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.476195476.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.535454990.00000000060B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.468100591.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.477072596.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.535978081.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.510678631.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.507621751.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.510357758.00000000060B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.529597108.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.502198515.00000000061A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.346283837.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.330693683.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.413334676.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.309431737.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000000E.00000000.330983528.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.309774426.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.413808591.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.346663673.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000E.00000000.321946931.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.338770667.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.355147226.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: explorer.exe, 0000001D.00000000.500099390.00000000042BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information

Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
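The dump names in the two Yara-match lists above carry the triage information a reader needs: which process the hit came from, at what address, and with what page protection and memory type. The Python below is an added example, not part of the Joe Sandbox report, that decodes both identifier forms and tags the regions that matter. The dotted-field layout (pid, phase, dump id, base, protect, unknown, type, unknown) is inferred from the identifiers on this page and is an assumption; the PAGE_* and MEM_* values are the winnt.h constants. The sample lines are copied from this report.

```python
"""Decode Joe Sandbox dump identifiers and flag regions worth a closer look.

Assumed layout (inferred from the names on this page, not documented by the report):
  <pid hex>.<phase hex>.<dump id>.<base hex>.<protect hex>.<f6 hex>.<type hex>.<f8 hex>.sdmp
  <pid>.<phase>.<image name>.<base hex>.<index>[.raw].unpack
<protect> and <type> are read as Win32 PAGE_* / MEM_* values; f6 and f8 are kept undecoded.
"""
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# winnt.h constants (fixed values, not assumptions)
PAGE_READWRITE, PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x04, 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
DEFAULT_IMAGE_BASE = 0x400000  # default base of a 32-bit PE; the 400000 dumps above sit there

SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9A-Fa-f]+)\.(\d+)(\.raw)?\.unpack$")
LINE_RE = re.compile(r"File source:\s*(.+?),\s*type:\s*(\w+)")


class MemDump(NamedTuple):
    pid: int; phase: int; dump_id: str; base: int
    protect: int; field6: int; mem_type: int; field8: int


class Unpacked(NamedTuple):
    pid: int; phase: int; image: str; base: int; index: int; raw: bool


def parse_sdmp(name: str) -> Optional[MemDump]:
    m = SDMP_RE.match(name.strip())
    if not m:
        return None
    pid, phase, dump_id, base, prot, f6, mtype, f8 = m.groups()
    return MemDump(int(pid, 16), int(phase, 16), dump_id, int(base, 16),
                   int(prot, 16), int(f6, 16), int(mtype, 16), int(f8, 16))


def parse_unpack(name: str) -> Optional[Unpacked]:
    m = UNPACK_RE.match(name.strip())
    if not m:
        return None
    pid, phase, image, base, idx, raw = m.groups()
    return Unpacked(int(pid), int(phase), image, int(base, 16), int(idx), raw is not None)


def classify(d: MemDump, image_base: int = DEFAULT_IMAGE_BASE) -> Set[str]:
    """Tag a memory dump with the properties a triager cares about."""
    tags: Set[str] = set()
    if d.protect & EXEC_MASK:
        tags.add("executable")
        if d.protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY):
            tags.add("writable+executable")
        if d.mem_type in (MEM_PRIVATE, MEM_MAPPED):
            # executable memory the loader did not map from a module: unpacked or injected code
            tags.add("exec-outside-image")
    if d.base == image_base and d.mem_type != MEM_IMAGE:
        # the module's own base is private/mapped memory instead of MEM_IMAGE,
        # which is what process hollowing leaves behind
        tags.add("image-base-not-MEM_IMAGE")
    return tags


Row = Tuple[int, int, int, str, List[str]]


def triage(lines: List[str]) -> List[Row]:
    """Turn 'Source: Yara match File source: <name>, type: <T>' lines into
    (pid, phase, base, kind, tags) rows sorted by pid, phase, base."""
    rows: List[Row] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        name = m.group(1)
        d = parse_sdmp(name)
        if d:
            rows.append((d.pid, d.phase, d.base, "MEMORY", sorted(classify(d))))
            continue
        u = parse_unpack(name)
        if u:
            rows.append((u.pid, u.phase, u.base, "UNPACKEDPE", ["raw"] if u.raw else []))
    return sorted(rows, key=lambda r: (r[0], r[1], r[2]))


def suspicious_pids(lines: List[str]) -> Set[int]:
    """PIDs holding executable memory that is not a loader-mapped image."""
    return {r[0] for r in triage(lines) if "exec-outside-image" in r[4]}


# Sample input: lines copied from the Yara-match lists of this report.
REPORT_LINES = [
    "Source: Yara match File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    for row in triage(REPORT_LINES):
        print("pid=%d phase=%d base=0x%X %s %s" % (row[0], row[1], row[2], row[3], row[4]))
    print("suspicious pids:", sorted(suspicious_pids(REPORT_LINES)))
```

Read against the lists above, the decoder separates the PID 0 hits (PAGE_READWRITE private memory in the .NET loader, where the decrypted payload is staged before injection) from the PID 12 and 17 hits, which are PAGE_EXECUTE_READWRITE regions outside any loaded module; the PID 12 region at 0x400000 is private rather than MEM_IMAGE, which is the footprint the process-hollowing signature in this report refers to. The pid/phase prefix of the `.unpack` names (12.0, 12.2) matches the hex prefix of the `.sdmp` names (0000000C), so both lists can be joined on (pid, phase) when cross-checking a hit.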