Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Jaik.72878.26055.480

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Jaik.72878.26055.480 (renamed file extension from 480 to exe)
Analysis ID:	626277
MD5:	029bbe98a216416eb698ca543a5c0830
SHA1:	a24173f1daf45d7444e3c698c3ae09a540a818dd
SHA256:	e73b7de772353638addd480041e90a67f27d8d5b087bf222b1c6649c54b9cc57
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Injects a PE file into a foreign processes

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Jaik.72878.26055.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe" MD5: 029BBE98A216416EB698CA543A5C0830)

idcqz.exe (PID: 5444 cmdline: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab MD5: 51F62DEF6DC686B87CC0BAFC31685546)

idcqz.exe (PID: 5408 cmdline: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab MD5: 51F62DEF6DC686B87CC0BAFC31685546)

explorer.exe (PID: 3688 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmstp.exe (PID: 6488 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)

cmd.exe (PID: 3252 cmdline: /c del "C:\Users\user\AppData\Local\Temp\idcqz.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

explorer.exe (PID: 6668 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.idcqz.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.idcqz.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.idcqz.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.0.idcqz.exe.400000.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.idcqz.exe.400000.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.idcqz.exe.400000.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
4.0.idcqz.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.idcqz.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.idcqz.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
4.0.idcqz.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.idcqz.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.idcqz.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
3.2.idcqz.exe.1870000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.idcqz.exe.1870000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.idcqz.exe.1870000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.0.idcqz.exe.400000.8.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.idcqz.exe.400000.8.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.idcqz.exe.400000.8.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.0.idcqz.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.idcqz.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.idcqz.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.2.idcqz.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.idcqz.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.idcqz.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
3.2.idcqz.exe.1870000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.idcqz.exe.1870000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.idcqz.exe.1870000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 22 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe	Virustotal: Detection: 49%			Perma Link
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe	ReversingLabs: Detection: 51%

Yara detected FormBook

Source: Yara match	File source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.cortesdisenosroutercnc.com/itq4/

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.cortesdisenosroutercnc.com/itq4/

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Virustotal: Detection: 14%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe

Joe Sandbox ML: detected

Source: 4.2.idcqz.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.idcqz.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.idcqz.exe.1870000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.idcqz.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.idcqz.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmstp.pdbGCTL source: idcqz.exe, 00000004.00000002.468367240.0000000003340000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: idcqz.exe, 00000003.00000003.380042603.000000001AEA0000.00000004.00001000.00020000.00000000.sdmp, idcqz.exe, 00000003.00000003.379722541.000000001AD10000.00000004.00001000.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.384802429.0000000001151000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.387064387.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.465859407.0000000001480000.00000040.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.466270888.000000000159F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.465569389.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.467369844.000000000426A000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.656523935.000000000451F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.651910210.0000000004400000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\hkxhi\tnjelr\oppx\aef3432ff76843aeb030a76c099018f6\zhseks\qyypcejy\Release\qyypcejy.pdb source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe, 00000000.00000002.399346921.0000000000788000.00000004.00000001.01000000.00000003.sdmp, idcqz.exe, 00000003.00000002.384977536.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, idcqz.exe, 00000003.00000000.375241960.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, idcqz.exe, 00000004.00000002.465593311.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, cmstp.exe, 0000000C.00000002.658449919.0000000004937000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 0000000C.00000002.650828701.000000000072B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.640009311.00000000072C7000.00000004.80000000.00040000.00000000.sdmp, nsrF91A.tmp.0.dr, idcqz.exe.0.dr
Source:	Binary string: wntdll.pdb source: idcqz.exe, idcqz.exe, 00000004.00000003.384802429.0000000001151000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.387064387.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.465859407.0000000001480000.00000040.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.466270888.000000000159F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000C.00000003.465569389.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.467369844.000000000426A000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.656523935.000000000451F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.651910210.0000000004400000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: idcqz.exe, 00000004.00000002.468367240.0000000003340000.00000040.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe	Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe	Code function: 0_2_004069A4 FindFirstFileW,FindClose,	0_2_004069A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4x nop then pop edi		4_2_0040C400
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi		12_2_0041C400

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cortesdisenosroutercnc.com/itq4/

Source: explorer.exe, 00000017.00000003.623277440.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.627859968.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.616313206.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.618394184.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.624564118.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.618207201.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.617363811.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.614448427.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.638582873.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.615626690.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.614959896.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe

Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040580F

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe

Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe

Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403646

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 3_2_00A71890	3_2_00A71890
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 3_2_00A796A0	3_2_00A796A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 3_2_00A77E88	3_2_00A77E88
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 3_2_00A79C12	3_2_00A79C12
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 3_2_00A7C3BD	3_2_00A7C3BD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 3_2_00A7A184	3_2_00A7A184
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 3_2_00A7B3F1	3_2_00A7B3F1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 3_2_01860A56	3_2_01860A56
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00401026	4_2_00401026
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0041BA41	4_2_0041BA41
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0041D345	4_2_0041D345
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00408C7B	4_2_00408C7B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0041C405	4_2_0041C405
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00408C80	4_2_00408C80
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00402D88	4_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0041CFD5	4_2_0041CFD5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00A71890	4_2_00A71890
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00A7A184	4_2_00A7A184
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00A7C3BD	4_2_00A7C3BD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00A7B3F1	4_2_00A7B3F1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00A79C12	4_2_00A79C12
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00A796A0	4_2_00A796A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00A77E88	4_2_00A77E88
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014AF900	4_2_014AF900
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014C4120	4_2_014C4120
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_01561002	4_2_01561002
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0157E824	4_2_0157E824
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014CA830	4_2_014CA830
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_015728EC	4_2_015728EC
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014BB090	4_2_014BB090
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014D20A0	4_2_014D20A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_015720A8	4_2_015720A8
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014CAB40	4_2_014CAB40
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_01572B28	4_2_01572B28
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0156DBD2	4_2_0156DBD2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_015603DA	4_2_015603DA
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014DEBB0	4_2_014DEBB0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0155FA2B	4_2_0155FA2B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_015722AE	4_2_015722AE
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_01571D55	4_2_01571D55
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_01572D07	4_2_01572D07
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014A0D20	4_2_014A0D20
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_015725DD	4_2_015725DD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014BD5E0	4_2_014BD5E0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014D2581	4_2_014D2581
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0156D466	4_2_0156D466
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014B841F	4_2_014B841F
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0157DFCE	4_2_0157DFCE
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_01571FF1	4_2_01571FF1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0156D616	4_2_0156D616
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014C6E30	4_2_014C6E30
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_01572EF7	4_2_01572EF7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044ED466	12_2_044ED466
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0443841F	12_2_0443841F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044F1D55	12_2_044F1D55
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044F2D07	12_2_044F2D07
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04420D20	12_2_04420D20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044F25DD	12_2_044F25DD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0443D5E0	12_2_0443D5E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04452581	12_2_04452581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044ED616	12_2_044ED616
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04446E30	12_2_04446E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044F2EF7	12_2_044F2EF7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044FDFCE	12_2_044FDFCE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044F1FF1	12_2_044F1FF1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044E1002	12_2_044E1002
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044FE824	12_2_044FE824
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0444A830	12_2_0444A830
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044F28EC	12_2_044F28EC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0443B090	12_2_0443B090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044520A0	12_2_044520A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044F20A8	12_2_044F20A8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0442F900	12_2_0442F900
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04444120	12_2_04444120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044DFA2B	12_2_044DFA2B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044F22AE	12_2_044F22AE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0444AB40	12_2_0444AB40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044F2B28	12_2_044F2B28
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044E03DA	12_2_044E03DA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044EDBD2	12_2_044EDBD2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0445EBB0	12_2_0445EBB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0042BA41	12_2_0042BA41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0042D345	12_2_0042D345
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_00418C7B	12_2_00418C7B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0042C405	12_2_0042C405
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_00418C80	12_2_00418C80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_00412D88	12_2_00412D88
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_00412D90	12_2_00412D90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0042CFD5	12_2_0042CFD5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_00412FB0	12_2_00412FB0

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: String function: 00A74599 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: String function: 00A72400 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: String function: 014AB150 appears 54 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 0442B150 appears 54 times

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_004185E0 NtCreateFile,	4_2_004185E0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00418690 NtReadFile,	4_2_00418690
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_00418710 NtClose,	4_2_00418710
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_004187C0 NtAllocateVirtualMemory,	4_2_004187C0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_004185DA NtCreateFile,	4_2_004185DA
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0041868A NtReadFile,	4_2_0041868A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_0041870A NtClose,	4_2_0041870A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_014E9910
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E99A0 NtCreateSection,LdrInitializeThunk,	4_2_014E99A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9840 NtDelayExecution,LdrInitializeThunk,	4_2_014E9840
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9860 NtQuerySystemInformation,LdrInitializeThunk,	4_2_014E9860
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E98F0 NtReadVirtualMemory,LdrInitializeThunk,	4_2_014E98F0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9A50 NtCreateFile,LdrInitializeThunk,	4_2_014E9A50
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9A00 NtProtectVirtualMemory,LdrInitializeThunk,	4_2_014E9A00
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9A20 NtResumeThread,LdrInitializeThunk,	4_2_014E9A20
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9540 NtReadFile,LdrInitializeThunk,	4_2_014E9540
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E95D0 NtClose,LdrInitializeThunk,	4_2_014E95D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9710 NtQueryInformationToken,LdrInitializeThunk,	4_2_014E9710
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9FE0 NtCreateMutant,LdrInitializeThunk,	4_2_014E9FE0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9780 NtMapViewOfSection,LdrInitializeThunk,	4_2_014E9780
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E97A0 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_014E97A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9660 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_014E9660
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E96E0 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_014E96E0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9950 NtQueueApcThread,	4_2_014E9950
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E99D0 NtCreateProcessEx,	4_2_014E99D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014EB040 NtSuspendThread,	4_2_014EB040
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9820 NtEnumerateKey,	4_2_014E9820
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E98A0 NtWriteVirtualMemory,	4_2_014E98A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9B00 NtSetValueKey,	4_2_014E9B00
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014EA3B0 NtGetContextThread,	4_2_014EA3B0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9A10 NtQuerySection,	4_2_014E9A10
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9A80 NtOpenDirectoryObject,	4_2_014E9A80
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9560 NtWriteFile,	4_2_014E9560
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9520 NtWaitForSingleObject,	4_2_014E9520
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014EAD30 NtSetContextThread,	4_2_014EAD30
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E95F0 NtQueryInformationFile,	4_2_014E95F0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9760 NtOpenProcess,	4_2_014E9760
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014EA770 NtOpenThread,	4_2_014EA770
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9770 NtSetInformationFile,	4_2_014E9770
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014EA710 NtOpenProcessToken,	4_2_014EA710
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9730 NtQueryVirtualMemory,	4_2_014E9730
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9650 NtQueryValueKey,	4_2_014E9650
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9670 NtQueryInformationProcess,	4_2_014E9670
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E9610 NtEnumerateValueKey,	4_2_014E9610
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 4_2_014E96D0 NtCreateKey,	4_2_014E96D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469540 NtReadFile,LdrInitializeThunk,	12_2_04469540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044695D0 NtClose,LdrInitializeThunk,	12_2_044695D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469650 NtQueryValueKey,LdrInitializeThunk,	12_2_04469650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469660 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_04469660
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044696D0 NtCreateKey,LdrInitializeThunk,	12_2_044696D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044696E0 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_044696E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469710 NtQueryInformationToken,LdrInitializeThunk,	12_2_04469710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469FE0 NtCreateMutant,LdrInitializeThunk,	12_2_04469FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469780 NtMapViewOfSection,LdrInitializeThunk,	12_2_04469780
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469840 NtDelayExecution,LdrInitializeThunk,	12_2_04469840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469860 NtQuerySystemInformation,LdrInitializeThunk,	12_2_04469860
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469910 NtAdjustPrivilegesToken,LdrInitializeThunk,	12_2_04469910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044699A0 NtCreateSection,LdrInitializeThunk,	12_2_044699A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469A50 NtCreateFile,LdrInitializeThunk,	12_2_04469A50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469560 NtWriteFile,	12_2_04469560
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469520 NtWaitForSingleObject,	12_2_04469520
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0446AD30 NtSetContextThread,	12_2_0446AD30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044695F0 NtQueryInformationFile,	12_2_044695F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469670 NtQueryInformationProcess,	12_2_04469670
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469610 NtEnumerateValueKey,	12_2_04469610
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469760 NtOpenProcess,	12_2_04469760
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0446A770 NtOpenThread,	12_2_0446A770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469770 NtSetInformationFile,	12_2_04469770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0446A710 NtOpenProcessToken,	12_2_0446A710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469730 NtQueryVirtualMemory,	12_2_04469730
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044697A0 NtUnmapViewOfSection,	12_2_044697A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0446B040 NtSuspendThread,	12_2_0446B040
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469820 NtEnumerateKey,	12_2_04469820
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044698F0 NtReadVirtualMemory,	12_2_044698F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044698A0 NtWriteVirtualMemory,	12_2_044698A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469950 NtQueueApcThread,	12_2_04469950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_044699D0 NtCreateProcessEx,	12_2_044699D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469A00 NtProtectVirtualMemory,	12_2_04469A00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469A10 NtQuerySection,	12_2_04469A10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469A20 NtResumeThread,	12_2_04469A20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469A80 NtOpenDirectoryObject,	12_2_04469A80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_04469B00 NtSetValueKey,	12_2_04469B00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0446A3B0 NtGetContextThread,	12_2_0446A3B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_004285E0 NtCreateFile,	12_2_004285E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_00428690 NtReadFile,	12_2_00428690
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_00428710 NtClose,	12_2_00428710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_004287C0 NtAllocateVirtualMemory,	12_2_004287C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_004285DA NtCreateFile,	12_2_004285DA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0042868A NtReadFile,	12_2_0042868A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0042870A NtClos<

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SecuriteInfo.com.Variant.Jaik.72878.26055.480

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Jaik.72878.26055.480

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Windows Analysis Report
SecuriteInfo.com.Variant.Jaik.72878.26055.480