
Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.21425.740

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetectNet.01.21425.740 (renamed file extension from 740 to exe)
Analysis ID: 626308
MD5: 3da44c0f1ed72b72ccd424f5aa59d741
SHA1: 0ee6faecf98ce05e6f135d80ac354382b48eb159
SHA256: 69373d6ff7f903c56ae75d1a25800e1b161c9cfa9d5fed15eb36216937a24714
Tags: exe, Formbook

Detection

FormBook
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)

Classification

  • System is w10x64
  • cleanup
Source | Rule | Description | Author | Strings
00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source | Rule | Description | Author | Strings
5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.fragrantneed.com/an49/"], "decoy": ["vfmcxfjaukmccjn.com", "visualdvledtechnology.com", "webfinder.online", "anhuizuche.com", "animalmusts.com", "seaspraylux.com", "paribusproductions.com", "veterinarydoctortiny.com", "valyhags.com", "qhdlvjx.com", "bagsboutique.online", "horibest.com", "niejernen.com", "trivantages.com", "webtesterpro.com", "806425.com", "maystonecounseling.com", "xzvsadt9.com", "lyypu.icu", "emagrecasaudavel.online", "eco2earn.com", "rg74.com", "qqbolazona.net", "consensuspayment.xyz", "organicsroyalty.com", "mysam.net", "tjsgyg.com", "jia-nong.com", "abpositive.life", "citla.net", "threesixtytools.com", "emailchant.com", "usedcarsdepotus.com", "weipaotu.com", "tourmovie.com", "jejelou.net", "treeleo.com", "sydneychaandraat.com", "aurethas.com", "hd1bw6fq7yobfu.xyz", "racetherattler.com", "blightbane.com", "darion.pro", "jayzerel.com", "canzip.online", "bodakelly.com", "movedigitalmedia.com", "reamofe.xyz", "panzoism.com", "crazyjs.xyz", "hu1b7mxq5intpd.xyz", "water168.xyz", "nabirgbroom.com", "nelagarments.com", "drailsashailer.com", "youngmusiad.net", "dadhowto.com", "monolocostore.com", "nichinansemento.com", "52apollo.com", "butlerinu.xyz", "setsnshop.com", "da3a8msr4xek5w.life", "cleburnewalkinshowers.com"]}
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Virustotal: Detection: 36%
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | ReversingLabs: Detection: 41%
Source: Yara match | File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Joe Sandbox ML: detected
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: CCMDiction.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: Binary string: CCMDiction.pdb(. source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282869497.000000000196F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282332477.0000000001850000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.280338890.00000000016B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.278588709.000000000151B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282869497.000000000196F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282332477.0000000001850000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.280338890.00000000016B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.278588709.000000000151B000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 4x nop then pop ebx | 5_2_00407B1A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 4x nop then pop edi | 5_2_0040E46A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 4x nop then pop edi | 5_2_00417D8F

Networking

Source: Malware configuration extractor | URLs: www.fragrantneed.com/an49/
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.241129650.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.241159928.00000000061E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.279317844.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.285455437.00000000061D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.279317844.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.285455437.00000000061D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comion?
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.279317844.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.285455437.00000000061D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comoG
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237762346.000000000620E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.239456169.000000000620E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237595456.000000000620E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237693500.000000000620E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237609920.00000000061EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comn
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250763673.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250083360.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250279492.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250915630.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250460300.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250823827.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250185943.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250231636.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250517761.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250691015.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250566257.0000000006219000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.251137378.00000000061E9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250309860.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250704397.00000000061E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Source: Yara match | File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.287571934.0000000007C70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000000.232227017.0000000000F84000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCCMDiction.exe6 vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000000.276482809.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCCMDiction.exe6 vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282869497.000000000196F000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.283138098.0000000001AFF000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.278923764.0000000001631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.280915296.00000000017D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Binary or memory string: OriginalFilenameCCMDiction.exe6 vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 0_2_016A4358
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 0_2_016A40A9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 0_2_016A40B8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 0_2_016A4348
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 0_2_090C9CE8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 0_2_090C76E8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 0_2_090C0027
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041E03B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041EB41
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041DBDC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041E4F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041DCF3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_00402D87
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041D5A3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_00409E5B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_00409E60
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041DF8D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041E7BF
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041A360 NtCreateFile
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041A410 NtReadFile
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041A490 NtClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041A540 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041A4BA NtClose
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Virustotal: Detection: 36%
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | ReversingLabs: Detection: 41%
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe"
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.240010352.000000000620D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 0s.slnt
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.log
          Source: classification engine | Classification label: mal96.troj.evad.winEXE@3/1@0/0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: CCMDiction.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: Binary string: CCMDiction.pdb(. source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
          Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282869497.000000000196F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282332477.0000000001850000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.280338890.00000000016B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.278588709.000000000151B000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282869497.000000000196F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282332477.0000000001850000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.280338890.00000000016B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.278588709.000000000151B000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 0_2_090C3240 push ss; iretd 0_2_090C3241
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_00417987 push eax; ret 5_2_00417989
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0040B419 push eax; ret 5_2_0040B41F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041D4B5 push eax; ret 5_2_0041D508
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041D56C push eax; ret 5_2_0041D572
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_00417D79 pushfd ; ret 5_2_00417D8C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041D502 push eax; ret 5_2_0041D508
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041D50B push eax; ret 5_2_0041D572
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041A5F7 push esp; ret 5_2_0041A5F8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_004165F6 push edx; iretd 5_2_00416602
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Code function: 5_2_0041BE2B push FFFFFFC8h; retf 5_2_0041BE2D
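The push/ret pairs listed above are what the "Uses code obfuscation techniques (call, push, ret)" signature is about: a value is pushed and a return instruction then consumes it as the return address, so the ret is really a jump and a linear disassembler loses the control flow. The following is an added example, not code from the report or from Joe Security, that recognises these pairs in raw 32-bit x86 bytes and states what each one actually does. The function names (`find_push_ret`, `Finding`) and the sample bytes are the example's own; the sample is constructed and is not taken from the analysed binary, although two of its pairs have the same shape as the report's `push FFFFFFC8h; retf` and `push ss; iretd` entries.

```python
"""Spot "push X; ret" control-flow obfuscation in raw 32-bit x86 code bytes.

push imm32 followed by ret is an obfuscated jmp imm32, and push reg; ret is an
obfuscated jmp reg: the pushed value becomes the "return address". Naive
linear disassembly and CFG recovery see the ret as a function exit, which is
why sandboxes report these pairs.
"""
import struct
from typing import List, NamedTuple, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEG_PUSH = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}      # one-byte segment pushes
# opcode -> (mnemonic, size of the imm16 operand, what besides EIP gets popped)
RET_FORMS = {
    0xC3: ("ret", 0, ""), 0xC2: ("ret", 2, ""),
    0xCB: ("retf", 0, "CS"), 0xCA: ("retf", 2, "CS"),
    0xCF: ("iretd", 0, "CS and EFLAGS"),
}


class Finding(NamedTuple):
    offset: int       # offset of the push within the scanned bytes
    push: str         # disassembly of the push
    ret: str          # disassembly of the return
    equivalent: str   # what the pair really does


def _decode_push(code: bytes, i: int) -> Optional[Tuple[int, str, str]]:
    """(length, text, operand) for a push at code[i], or None."""
    op = code[i]
    if 0x50 <= op <= 0x57:
        return 1, f"push {REG32[op - 0x50]}", REG32[op - 0x50]
    if op == 0x9C:
        return 1, "pushfd", "eflags"
    if op in SEG_PUSH:
        return 1, f"push {SEG_PUSH[op]}", SEG_PUSH[op]
    if op == 0x6A and i + 1 < len(code):                        # push imm8 (sign-extended)
        imm = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
        return 2, f"push {imm:08X}h", f"{imm:#010x}"
    if op == 0x68 and i + 4 < len(code):                        # push imm32
        imm = struct.unpack_from("<I", code, i + 1)[0]
        return 5, f"push {imm:08X}h", f"{imm:#010x}"
    return None


def _decode_ret(code: bytes, i: int) -> Optional[Tuple[int, str, str]]:
    """(length, text, extra pops) for a ret/retf/iretd at code[i], or None."""
    if i >= len(code) or code[i] not in RET_FORMS:
        return None
    name, imm_len, pops = RET_FORMS[code[i]]
    if imm_len == 0:
        return 1, name, pops
    if i + imm_len < len(code):
        imm = struct.unpack_from("<H", code, i + 1)[0]
        return 1 + imm_len, f"{name} {imm:X}h", pops
    return None


def find_push_ret(code: bytes) -> List[Finding]:
    """Linear sweep for a push immediately followed by a return. Every byte is
    tried as a start, so data bytes can yield false positives, exactly as with
    any byte-level signature."""
    out: List[Finding] = []
    i = 0
    while i < len(code):
        p = _decode_push(code, i)
        r = _decode_ret(code, i + p[0]) if p else None
        if p and r:
            plen, ptext, operand = p
            rlen, rtext, pops = r
            equiv = f"jmp {operand}" if not pops else f"far jump to {operand} ({pops} popped from stack)"
            out.append(Finding(i, ptext, rtext, equiv))
            i += plen + rlen
        else:
            i += 1
    return out


# Constructed sample bytes (not taken from the analysed binary). The
# push FFFFFFC8h; retf and push ss; iretd pairs mirror shapes the report lists.
SAMPLE_CODE = bytes.fromhex(
    "90"                  # nop
    "68 78 56 34 12 C3"   # push 12345678h ; ret   -> jmp 0x12345678
    "50 C3"               # push eax ; ret         -> jmp eax
    "6A C8 CB"            # push FFFFFFC8h ; retf
    "16 CF"               # push ss ; iretd
    "9C C3"               # pushfd ; ret
    "50 5B"               # push eax ; pop ebx     (no return: not reported)
    "C3"
)

if __name__ == "__main__":
    for f in find_push_ret(SAMPLE_CODE):
        print(f"{f.offset:#06x}: {f.push}; {f.ret}  =>  {f.equivalent}")
```

Run it on the raw bytes of an executable section to get a first list of candidates. Joe Sandbox's entries pair a push with a ret that is not always adjacent (compare `5_2_0041D4B5 push eax; ret 5_2_0041D508` above), so a flow-aware disassembler will find more than this adjacent-byte sweep does; the sweep is the cheap triage step, not a replacement for it.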
          Source: initial sample | Static PE information: section name: .text entropy: 7.74910295141
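Two of the static findings in this report, the `.text` entropy of 7.749 and the `OriginalFilenameCCMDiction.exe` string that does not match the submitted file name, come from checks that are simple to reproduce without the sandbox. The following is an added example, not code from the report or from Joe Security: it parses the PE section table by hand, computes Shannon entropy per section, flags executable sections above a threshold, and pulls `OriginalFilename` out of the version resource. Everything it is run on here is a constructed minimal PE32 (`build_sample_pe`), not the analysed sample; the threshold of 7.0, the function names and the sample layout are the example's own choices.

```python
"""Two static checks behind the report's findings, reimplemented on a bare
PE32 buffer: per-section Shannon entropy (packed/encrypted .text) and the
OriginalFilename recorded in the version resource versus the name on disk."""
import math
import random
import struct
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


class Section(NamedTuple):
    name: str
    raw_ptr: int
    raw_size: int
    characteristics: int


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(buf: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # 4-byte signature + 20-byte file header
    sections = []
    for k in range(num_sections):
        off = table + 40 * k                     # IMAGE_SECTION_HEADER is 40 bytes
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", buf, off + 16)
        chars = struct.unpack_from("<I", buf, off + 36)[0]
        sections.append(Section(name, raw_ptr, raw_size, chars))
    return sections


def section_entropies(buf: bytes) -> Dict[str, float]:
    return {s.name: shannon_entropy(buf[s.raw_ptr:s.raw_ptr + s.raw_size])
            for s in pe_sections(buf)}


def packed_code_sections(buf: bytes, threshold: float = 7.0) -> List[str]:
    """Executable sections with entropy above threshold. Plain compiled code
    usually sits around 6.0-6.5 bits/byte; >7 points at packed or encrypted data."""
    ent = section_entropies(buf)
    return [s.name for s in pe_sections(buf)
            if s.characteristics & IMAGE_SCN_MEM_EXECUTE and ent[s.name] > threshold]


def original_filename(buf: bytes) -> Optional[str]:
    """Value of the OriginalFilename entry in VS_VERSIONINFO: UTF-16LE key,
    null terminator, optional DWORD padding, then the UTF-16LE value."""
    key = "OriginalFilename".encode("utf-16-le") + b"\0\0"
    i = buf.find(key)
    if i < 0:
        return None
    j = i + len(key)
    while buf[j:j + 2] == b"\0\0":               # skip alignment padding
        j += 2
    chars = []
    while j + 1 < len(buf) and buf[j:j + 2] != b"\0\0":
        chars.append(buf[j:j + 2])
        j += 2
    return b"".join(chars).decode("utf-16-le")


def filename_mismatch(buf: bytes, name_on_disk: str) -> bool:
    """True when the version resource names a different file than the one submitted."""
    orig = original_filename(buf)
    return orig is not None and orig.lower() != name_on_disk.lower()


def build_sample_pe(seed: int = 1) -> bytes:
    """Constructed test input, not the analysed sample: a minimal PE32 whose
    .text is PRNG noise (standing in for a packed payload) and whose .rsrc
    holds a version-info fragment naming CCMDiction.exe."""
    rng = random.Random(seed)
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    rsrc = (b"\0" * 64 + "OriginalFilename".encode("utf-16-le") + b"\0\0"
            + "CCMDiction.exe".encode("utf-16-le") + b"\0\0" + b"\0" * 64)
    sections = [(b".text", text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                (b".rsrc", rsrc, IMAGE_SCN_MEM_READ)]
    e_lfanew, opt_size, file_align = 0x80, 224, 0x200
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine=i386, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE, as in the report
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")    # PE32 magic, rest zeroed
    raw_ptr = -(-(e_lfanew + 24 + opt_size + 40 * len(sections)) // file_align) * file_align
    headers, bodies = b"", b""
    for name, data, chars in sections:
        raw_size = -(-len(data) // file_align) * file_align
        # VirtualAddress is set equal to the file offset; enough for a parser test.
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), raw_ptr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    first_raw = raw_ptr - len(bodies)
    return (dos + b"PE\0\0" + file_hdr + opt + headers).ljust(first_raw, b"\0") + bodies


if __name__ == "__main__":
    import sys
    buf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(section_entropies(buf), packed_code_sections(buf), original_filename(buf))
```

Point it at a real file with `python check.py sample.exe`. Two caveats a practitioner should keep in mind: entropy alone does not separate packed malware from legitimately compressed or encrypted content (installers, .NET obfuscators, embedded resources), so treat the `.text` figure as supporting evidence for the YARA and behaviour findings rather than a verdict, and the `OriginalFilename` scan here is a string search, so on a file with several version resources (or one that embeds another PE, as the `DotNetZipAdditionalPlatforms.dll` strings above suggest) it returns the first match, which is exactly why the report lists every occurrence it saw.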
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe | Process information set: NOOPENFILEERRORBOX (34 identical entries)

          Malware Analysis System Evasion