Edit tour

Windows Analysis Report
iuvRyl9i7D

Overview

General Information

Sample Name:	iuvRyl9i7D (renamed file extension from none to exe)
Analysis ID:	626605
MD5:	f7ecd12d134aaf3541396c78337ce672
SHA1:	bb41a84d4f5eef537e41cf4bde375c99bff86a04
SHA256:	ec2f5710fdf33c7b843829ebd9f088b15141b643b4354dd92d39b6e290ceca70
Tags:	32exetrojan
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

iuvRyl9i7D.exe (PID: 4928 cmdline: "C:\Users\user\Desktop\iuvRyl9i7D.exe" MD5: F7ECD12D134AAF3541396C78337CE672)

powershell.exe (PID: 6568 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6640 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iuvRyl9i7D.exe (PID: 6804 cmdline: C:\Users\user\Desktop\iuvRyl9i7D.exe MD5: F7ECD12D134AAF3541396C78337CE672)

iuvRyl9i7D.exe (PID: 6932 cmdline: C:\Users\user\Desktop\iuvRyl9i7D.exe MD5: F7ECD12D134AAF3541396C78337CE672)

explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

control.exe (PID: 6628 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 3984 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.admincost.com/n6g4/"], "decoy": ["bw589jumpb.xyz", "lojas-marias.com", "gadgersvip.com", "zeavd.com", "moment4miracles.com", "wildcanetours.com", "executivetravelandlogistics.com", "uspplongee.com", "schilova.online", "smoothie-optics.com", "masterima.net", "kickball.site", "theastralark.com", "nick-sylvestro.com", "properscooter.com", "wave-thermodynamics.com", "bitcollide.com", "xed5555.com", "tsue-sangyo.com", "lucianaejoaoalberto.com", "6084pinelake.info", "plentyhearty.com", "findmylostphone.me", "cliffpassphotographyllc.com", "goddessboi.com", "vulkan-platinum-online.info", "jumpn-giveaway.online", "linymar.xyz", "topgir.site", "oifreunion.com", "lewks.beauty", "servellobody.com", "eagle-five.com", "agelessfish.com", "daulat-kantorbahasamalut.com", "zombarias.com", "chimneyrepairbiloxi.com", "starline-pools.com", "financeenovationinc.com", "sakvoyge.online", "46458.pet", "babyminer.xyz", "alcosto.club", "aeroyogabrasil.com", "cellphstudy.com", "bldh45.xyz", "sguoffcampusrentals.com", "nehalooks.com", "employeebnsf.com", "duniacuan.online", "running-diary.site", "o-taguro.com", "iacli.run", "cariniclinicalconsulting.com", "btcspay.xyz", "funaoka-watanabedent.com", "jamesreadtanusa.com", "dems-clicks.com", "dowsuserc.top", "joseikinmadoguchi.com", "hulizb6.com", "luxurybathshowers.com", "kapamilla.com", "duowb.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8809:$sqlite3step: 68 34 1C 7B E1 0x891c:$sqlite3step: 68 34 1C 7B E1 0x8838:$sqlite3text: 68 38 2A 90 C5 0x895d:$sqlite3text: 68 38 2A 90 C5 0x884b:$sqlite3blob: 68 53 D8 7F 8C 0x8973:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8809:$sqlite3step: 68 34 1C 7B E1 0x891c:$sqlite3step: 68 34 1C 7B E1 0x8838:$sqlite3text: 68 38 2A 90 C5 0x895d:$sqlite3text: 68 38 2A 90 C5 0x884b:$sqlite3blob: 68 53 D8 7F 8C 0x8973:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xd82d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd8672:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1030f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x103492:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12cf18:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12d2b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe5a15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x110835:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13a655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe54c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1102e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13a101:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe5b17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x110937:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13a757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe5c8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x110aaf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13a8cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd908a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x103eaa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dcca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xe7ed9:$sqlite3step: 68 34 1C 7B E1 0xe7fec:$sqlite3step: 68 34 1C 7B E1 0x112cf9:$sqlite3step: 68 34 1C 7B E1 0x112e0c:$sqlite3step: 68 34 1C 7B E1 0x13cb19:$sqlite3step: 68 34 1C 7B E1 0x13cc2c:$sqlite3step: 68 34 1C 7B E1 0xe7f08:$sqlite3text: 68 38 2A 90 C5 0xe802d:$sqlite3text: 68 38 2A 90 C5 0x112d28:$sqlite3text: 68 38 2A 90 C5 0x112e4d:$sqlite3text: 68 38 2A 90 C5 0x13cb48:$sqlite3text: 68 38 2A 90 C5 0x13cc6d:$sqlite3text: 68 38 2A 90 C5 0xe7f1b:$sqlite3blob: 68 53 D8 7F 8C 0xe8043:$sqlite3blob: 68 53 D8 7F 8C 0x112d3b:$sqlite3blob: 68 53 D8 7F 8C 0x112e63:$sqlite3blob: 68 53 D8 7F 8C 0x13cb5b:$sqlite3blob: 68 53 D8 7F 8C 0x13cc83:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: iuvRyl9i7D.exe PID: 4928	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.0.iuvRyl9i7D.exe.400000.8.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.iuvRyl9i7D.exe.400000.8.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.iuvRyl9i7D.exe.400000.8.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
12.0.iuvRyl9i7D.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.iuvRyl9i7D.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.iuvRyl9i7D.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
12.0.iuvRyl9i7D.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.iuvRyl9i7D.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.iuvRyl9i7D.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
12.0.iuvRyl9i7D.exe.400000.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.iuvRyl9i7D.exe.400000.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.iuvRyl9i7D.exe.400000.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
12.2.iuvRyl9i7D.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.2.iuvRyl9i7D.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.iuvRyl9i7D.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
12.0.iuvRyl9i7D.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.iuvRyl9i7D.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.iuvRyl9i7D.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
12.2.iuvRyl9i7D.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.2.iuvRyl9i7D.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.iuvRyl9i7D.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xd7b20:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd7eba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x102940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x102cda:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12c760:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12cafa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe525d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11007d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x139e9d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe4d09:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x10fb29:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139949:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe535f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11017f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x139f9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe54d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1102f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13a117:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd88d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1036f2:$sequence_5: 0F B

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
iuvRyl9i7D

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iuvRyl9i7D

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Windows Analysis Report
iuvRyl9i7D