Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
unpaid_invoices.exe

Overview

General Information

Sample Name:unpaid_invoices.exe
Analysis ID:626537
MD5:fa28e3d61ae49fda627abfc78ca84dea
SHA1:7ecf93e5d4a2873a10510d007b33b4c3460b29d5
SHA256:a7162eb3744c8a0629f9c3967700bf4e015e807340c4e1be3327011a637108c4
Tags:exeformbook
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • unpaid_invoices.exe (PID: 6264 cmdline: "C:\Users\user\Desktop\unpaid_invoices.exe" MD5: FA28E3D61AE49FDA627ABFC78CA84DEA)
    • ronkhfyq.exe (PID: 6300 cmdline: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq MD5: 66039B0CB9E9C76FD4CFEA6E9D2B130C)
      • ronkhfyq.exe (PID: 6328 cmdline: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq MD5: 66039B0CB9E9C76FD4CFEA6E9D2B130C)
        • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • control.exe (PID: 260 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
            • cmd.exe (PID: 3840 cmdline: /c del "C:\Users\user\AppData\Local\Temp\ronkhfyq.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • explorer.exe (PID: 3080 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
{"C2 list": ["www.beamaster.info/p0ip/"], "decoy": ["webberkerr.com", "lelezhuanshu.xyz", "weedformellc.com", "ikzoekeenbedrijfsruimte.com", "swahlove.com", "dubaidesertsafari.travel", "atozmedicalimages.com", "uniytriox.com", "clickyourcat.com", "shandun-safety.com", "pakmart.center", "roxxiesixx.com", "twistedtaqueriachicago.com", "studynursingaustralia.online", "wellnesstestinggroup.com", "justusebias.com", "yqvzs.com", "co1l7o8vy.com", "lightning.legal", "cardamagescanner.com", "megawatchinc.com", "sadebademli.com", "bcoky.com", "unleashingyou-lifecoaching.com", "epsubtitles.online", "susanpetersonrealty.com", "gdderui.com", "claris-studio.cloud", "cryptomnis.com", "1ens.domains", "localbusinessassets.com", "et9n7e4vf.com", "quoteypants.com", "bokepremaja18.biz", "xiangqinmao.com", "lilot-pland45.site", "exilings.com", "nft-id.net", "sport-outdoorpacks.com", "plnykosik.online", "cidesadelcentro.com", "stunning-black.xyz", "zoeyunker.com", "videogamesgroup.com", "autodnstest.com", "bookworms.store", "69817269.com", "one-session22-lp.com", "modelofindia.com", "kennnyshands.com", "otopenishop.net", "freegameswithoutdownload.online", "alaskanwave.net", "tjkt8.com", "abv.wiki", "protoncarsale.com", "zhipurc.com", "psicologamoderna.com", "hidinginplainsight.digital", "cuamini-trankien.xyz", "yustunning.com", "apeironpay.xyz", "allowdrops.xyz", "allyouneedstore.xyz"]}
SourceRuleDescriptionAuthorStrings
00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18809:$sqlite3step: 68 34 1C 7B E1
    • 0x1891c:$sqlite3step: 68 34 1C 7B E1
    • 0x18838:$sqlite3text: 68 38 2A 90 C5
    • 0x1895d:$sqlite3text: 68 38 2A 90 C5
    • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
    00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x6335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x5de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x6437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x65af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb987:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 28 entries
      SourceRuleDescriptionAuthorStrings
      1.2.ronkhfyq.exe.d80000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        1.2.ronkhfyq.exe.d80000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8192:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15535:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14fe1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15637:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x157af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x8baa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1425c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9922:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bc8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.2.ronkhfyq.exe.d80000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x17a09:$sqlite3step: 68 34 1C 7B E1
        • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a38:$sqlite3text: 68 38 2A 90 C5
        • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
        2.2.ronkhfyq.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.2.ronkhfyq.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 22 entries
          No Sigma rule has matched
          No Snort rule has matched

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.beamaster.info/p0ip/"], "decoy": ["webberkerr.com", "lelezhuanshu.xyz", "weedformellc.com", "ikzoekeenbedrijfsruimte.com", "swahlove.com", "dubaidesertsafari.travel", "atozmedicalimages.com", "uniytriox.com", "clickyourcat.com", "shandun-safety.com", "pakmart.center", "roxxiesixx.com", "twistedtaqueriachicago.com", "studynursingaustralia.online", "wellnesstestinggroup.com", "justusebias.com", "yqvzs.com", "co1l7o8vy.com", "lightning.legal", "cardamagescanner.com", "megawatchinc.com", "sadebademli.com", "bcoky.com", "unleashingyou-lifecoaching.com", "epsubtitles.online", "susanpetersonrealty.com", "gdderui.com", "claris-studio.cloud", "cryptomnis.com", "1ens.domains", "localbusinessassets.com", "et9n7e4vf.com", "quoteypants.com", "bokepremaja18.biz", "xiangqinmao.com", "lilot-pland45.site", "exilings.com", "nft-id.net", "sport-outdoorpacks.com", "plnykosik.online", "cidesadelcentro.com", "stunning-black.xyz", "zoeyunker.com", "videogamesgroup.com", "autodnstest.com", "bookworms.store", "69817269.com", "one-session22-lp.com", "modelofindia.com", "kennnyshands.com", "otopenishop.net", "freegameswithoutdownload.online", "alaskanwave.net", "tjkt8.com", "abv.wiki", "protoncarsale.com", "zhipurc.com", "psicologamoderna.com", "hidinginplainsight.digital", "cuamini-trankien.xyz", "yustunning.com", "apeironpay.xyz", "allowdrops.xyz", "allyouneedstore.xyz"]}
          Source: Yara matchFile source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: www.beamaster.info/p0ip/Avira URL Cloud: Label: malware
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeVirustotal: Detection: 34%Perma Link
          Source: unpaid_invoices.exeJoe Sandbox ML: detected
          Source: 1.2.ronkhfyq.exe.d80000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.ronkhfyq.exe.400000.8.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.ronkhfyq.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.ronkhfyq.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.ronkhfyq.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: unpaid_invoices.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: unpaid_invoices.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: ronkhfyq.exe, 00000001.00000003.234061206.000000001A710000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000001.00000003.237833298.000000001A8A0000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.239686577.0000000000E36000.00000004.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303340292.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303914689.00000000010EF000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.238238247.0000000000B9E000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.303050048.0000000003204000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.304479870.0000000004A09000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: ronkhfyq.exe, 00000002.00000002.303244940.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303149130.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: ronkhfyq.exe, 00000001.00000003.234061206.000000001A710000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000001.00000003.237833298.000000001A8A0000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.239686577.0000000000E36000.00000004.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303340292.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303914689.00000000010EF000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.238238247.0000000000B9E000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.303050048.0000000003204000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.304479870.0000000004A09000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: C:\yysuo\kzzcum\izya\0db06ea2233046af83ff72ba291e1f8f\exvtus\fxibtxmq\Release\fxibtxmq.pdb source: unpaid_invoices.exe, 00000000.00000002.248833606.0000000000788000.00000004.00000001.01000000.00000003.sdmp, ronkhfyq.exe, 00000001.00000000.229638861.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, ronkhfyq.exe, 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, ronkhfyq.exe, 00000002.00000000.235483979.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, control.exe, 00000011.00000002.499584872.000000000311A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000011.00000002.500336053.00000000050D7000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.462569690.0000000007497000.00000004.80000000.00040000.00000000.sdmp, nss7D29.tmp.0.dr, ronkhfyq.exe.0.dr
          Source: Binary string: control.pdbUGP source: ronkhfyq.exe, 00000002.00000002.303244940.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303149130.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\unpaid_invoices.exeCode function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D7A
          Source: C:\Users\user\Desktop\unpaid_invoices.exeCode function: 0_2_004069A4 FindFirstFileW,FindClose,0_2_004069A4
          Source: C:\Users\user\Desktop\unpaid_invoices.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 4x nop then pop edi2_2_0040CA02
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 4x nop then pop ebx2_2_00406EA4
          Source: C:\Windows\SysWOW64\control.exeCode function: 4x nop then pop edi17_2_02EECA02
          Source: C:\Windows\SysWOW64\control.exeCode function: 4x nop then pop ebx17_2_02EE6EA5

          Networking

          barindex
          Source: Malware configuration extractorURLs: www.beamaster.info/p0ip/
          Source: explorer.exe, 0000001B.00000000.491457253.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.451885872.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.468009786.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.466224505.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.465809176.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.450166228.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.449810104.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.464512993.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.490550575.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.443910972.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.441840899.0000000009B83000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.488161679.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491255412.0000000009B66000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491310221.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.493308123.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491580962.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.493220220.0000000009B66000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.450978989.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.488054487.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.464944706.0000000009B6A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491957407.0000000009B80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 0000001B.00000003.441376750.0000000009BD0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.442769912.0000000009BD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
          Source: unpaid_invoices.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: C:\Users\user\Desktop\unpaid_invoices.exeCode function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040580F

          E-Banking Fraud

          barindex
          Source: Yara matchFile source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: initial sampleStatic PE information: Filename: unpaid_invoices.exe
          Source: unpaid_invoices.exeStatic file information: Suspicious name
          Source: unpaid_invoices.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = inter