Windows Analysis Report
600000sqm_pdf.exe

Overview

General Information

Sample Name: 600000sqm_pdf.exe
Analysis ID: 635260
MD5: 3e08fed24c7e27a75f6d9c52fc226376
SHA1: d00231c828b96ff0178ab59240e5ba53f7b0ce25
SHA256: 10c1f9eb418d31fb36efefe032ccd9a8a057728cd757dca4e47ed124e9e8d791

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

AV Detection

Source: 00000001.00000002.265512226.0000000001360000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.theayushtrivedi.xyz/m1e8/"], "decoy": ["balanceforpaws.com", "landseamed.com", "drayseavci.com", "tattydaddystattoos.com", "fzkj-qtq.com", "garagedoorrepairwestcovina.com", "mixmarkt.site", "mark-ebook2store.com", "vermeer-mi.com", "shopspliced.com", "alrafidane.net", "themaisonmargiela.com", "suncasacentral-vsip.net", "creatcard-mine.site", "studiopounce.com", "hao685.com", "ipanemashoesaustralia.com", "51898dy.com", "nfttoknow.com", "multiple-player.com", "npbtechteam.com", "cyptocred.com", "pradsley-portfolio.site", "stangerenterprises.com", "swz9.com", "m3mofficespace.com", "projectyoka.com", "magazini-kristi.com", "fortunekey-vt.com", "joshlortiz9.net", "joincfn.com", "amazttt.com", "jjewelryun.com", "basecampsolarkit.com", "klausstilling.com", "mendce.online", "projectextinguish.com", "voyagedecor.com", "caliaboriginal.com", "shelfdb.club", "asianshemalestube.com", "bestimonials.com", "narroyo.space", "zzbzjx.com", "ilamatrix.com", "reviewmymedication.com", "acurademo.com", "tllechateau.com", "nun.finance", "99onlinesports-18.xyz", "visitqrcode.com", "for-policy-ingame.xyz", "kurui800.com", "manugryson.net", "bottomboitatz.com", "creaactivos.com", "culionerosx.com", "satknight.com", "agpglassco.com", "freshmeneve.com", "realjoboptionalfreedoms.com", "mid-puzzle.com", "asop-shop.com", "3dnkf.com"]}
Source: 600000sqm_pdf.exe ReversingLabs: Detection: 24%
Source: Yara match File source: 1.2.oampomo.exe.1360000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.oampomo.exe.1360000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.265512226.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: www.theayushtrivedi.xyz/m1e8/ Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe ReversingLabs: Detection: 34%
Source: 1.2.oampomo.exe.1360000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 600000sqm_pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\pjsyx\ecdmzv\soib\f8d22d90ac844b09bdb3de6c05ef8729\rjfwqq\mzlbtikj\Release\mzlbtikj.pdb source: 600000sqm_pdf.exe, 00000000.00000002.293681966.000000000040B000.00000004.00000001.01000000.00000003.sdmp, 600000sqm_pdf.exe, 00000000.00000002.294050571.00000000026EE000.00000004.00000800.00020000.00000000.sdmp, oampomo.exe, 00000001.00000000.258025111.000000000022B000.00000002.00000001.01000000.00000004.sdmp, oampomo.exe, 00000001.00000002.265372271.000000000022B000.00000002.00000001.01000000.00000004.sdmp, oampomo.exe, 00000002.00000000.263027610.000000000022B000.00000002.00000001.01000000.00000004.sdmp, oampomo.exe.0.dr, nsm7EC9.tmp.0.dr
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405426
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405D9C
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_004026A1 FindFirstFileA, 0_2_004026A1

Networking

Source: Malware configuration extractor URLs: www.theayushtrivedi.xyz/m1e8/
Source: oampomo.exe, 00000001.00000002.265543322.00000000013DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FDD

E-Banking Fraud

Source: Yara match File source: 1.2.oampomo.exe.1360000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.oampomo.exe.1360000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.265512226.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.oampomo.exe.1360000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.oampomo.exe.1360000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.oampomo.exe.1360000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.oampomo.exe.1360000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.265512226.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.265512226.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: initial sample Static PE information: Filename: 600000sqm_pdf.exe
Source: 600000sqm_pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.oampomo.exe.1360000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.oampomo.exe.1360000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.oampomo.exe.1360000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.oampomo.exe.1360000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.265512226.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.265512226.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 600000sqm_pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004032FA
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_004047EE 0_2_004047EE
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_00406083 0_2_00406083
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_0021521D 1_2_0021521D
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00226880 1_2_00226880
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_0022959D 1_2_0022959D
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_0022496E 1_2_0022496E
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00226DF2 1_2_00226DF2
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_002285D1 1_2_002285D1
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_002167AA 1_2_002167AA
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_0021526B 1_2_0021526B
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00227364 1_2_00227364
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00DF0A25 1_2_00DF0A25
Source: 600000sqm_pdf.exe ReversingLabs: Detection: 24%
Source: C:\Users\user\Desktop\600000sqm_pdf.exe File read: C:\Users\user\Desktop\600000sqm_pdf.exe
Source: 600000sqm_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\600000sqm_pdf.exe "C:\Users\user\Desktop\600000sqm_pdf.exe"
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Process created: C:\Users\user\AppData\Local\Temp\oampomo.exe C:\Users\user\AppData\Local\Temp\oampomo.exe C:\Users\user\AppData\Local\Temp\buziwssym
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Process created: C:\Users\user\AppData\Local\Temp\oampomo.exe C:\Users\user\AppData\Local\Temp\oampomo.exe C:\Users\user\AppData\Local\Temp\buziwssym
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\600000sqm_pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsm7EC8.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/4@0/0
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_00402078 CoCreateInstance,MultiByteToWideChar, 0_2_00402078
Source: C:\Users\user\Desktop\600000sqm_pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404333
Source: Binary string: C:\pjsyx\ecdmzv\soib\f8d22d90ac844b09bdb3de6c05ef8729\rjfwqq\mzlbtikj\Release\mzlbtikj.pdb source: 600000sqm_pdf.exe, 00000000.00000002.293681966.000000000040B000.00000004.00000001.01000000.00000003.sdmp, 600000sqm_pdf.exe, 00000000.00000002.294050571.00000000026EE000.00000004.00000800.00020000.00000000.sdmp, oampomo.exe, 00000001.00000000.258025111.000000000022B000.00000002.00000001.01000000.00000004.sdmp, oampomo.exe, 00000001.00000002.265372271.000000000022B000.00000002.00000001.01000000.00000004.sdmp, oampomo.exe, 00000002.00000000.263027610.000000000022B000.00000002.00000001.01000000.00000004.sdmp, oampomo.exe.0.dr, nsm7EC9.tmp.0.dr
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_0021F035 push ecx; ret 1_2_0021F048
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DDA
Source: C:\Users\user\Desktop\600000sqm_pdf.exe File created: C:\Users\user\AppData\Local\Temp\oampomo.exe
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_0021521D RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0021521D
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405426
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405D9C
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_004026A1 FindFirstFileA, 0_2_004026A1
Source: C:\Users\user\Desktop\600000sqm_pdf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_0021E891 _memset,IsDebuggerPresent, 1_2_0021E891
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00DF06F7 mov eax, dword ptr fs:[00000030h] 1_2_00DF06F7
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00DF061D mov eax, dword ptr fs:[00000030h] 1_2_00DF061D
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00DF03F8 mov eax, dword ptr fs:[00000030h] 1_2_00DF03F8
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00DF0772 mov eax, dword ptr fs:[00000030h] 1_2_00DF0772
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00DF0736 mov eax, dword ptr fs:[00000030h] 1_2_00DF0736
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00224395 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00224395
Source: C:\Users\user\Desktop\600000sqm_pdf.exe Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DDA
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_0022538A __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_0022538A
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_002214BB SetUnhandledExceptionFilter, 1_2_002214BB
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_002214EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_002214EC
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Process created: C:\Users\user\AppData\Local\Temp\oampomo.exe C:\Users\user\AppData\Local\Temp\oampomo.exe C:\Users\user\AppData\Local\Temp\buziwssym
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_0021FE73 cpuid 1_2_0021FE73
Source: C:\Users\user\AppData\Local\Temp\oampomo.exe Code function: 1_2_00220FE8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00220FE8

Stealing of Sensitive Information

Source: Yara match File source: 1.2.oampomo.exe.1360000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.oampomo.exe.1360000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.265512226.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 1.2.oampomo.exe.1360000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.oampomo.exe.1360000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.265512226.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

No contacted IP infos