Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Analysis ID:	755894
MD5:	2c37cb553314943214dc79d2d5cd95d2
SHA1:	8d729ace154aae255cc7d20e0038889c1a16b30b
SHA256:	5cfdb9f856907336025bbd526f7383ae8edbce669348b8e330251dfe21072c8f
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus detection for URL or domain

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe (PID: 5272 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe MD5: 2C37CB553314943214DC79D2D5CD95D2)

SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe (PID: 5208 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe MD5: 2C37CB553314943214DC79D2D5CD95D2)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.2635westkaylaneprescott.com/ndgi/"], "decoy": ["vuicotvxrejp3il.xyz", "w3fa6.net", "sappuno02.com", "konstruksirumah.xyz", "usalifehealth.com", "and1f.xyz", "atenmentfstinfdow.beauty", "primepipe.net", "roundhouseny.com", "alexandermcqueen.icu", "transporteavalos.com", "spankmetaverse.xyz", "jhccowholesale.com", "bielefeldgebaeudereinigung.com", "saintraphaelschool.com", "larifaa.online", "dejabrew.info", "izabelaeraphael.com", "granniestoneet.com", "greensourceseed.com", "jawaahirulhikmah.com", "2lipcolours.com", "ginzou.com", "vestradgivning.online", "atlasdublinresidence.com", "bfine.xyz", "decision-art.com", "nicebayloans.com", "pendingissue.biz", "troiancircular.com", "raftingtennesssee.com", "autistal.xyz", "purposeinplans.com", "socofm.com", "dafuweng0471.com", "transformcoach.info", "vugz.info", "isabellesroom.com", "kasdawerf.xyz", "angelicindia.com", "jmakerpumploc.com", "departmen.store", "kalpataruplotsariaplots.net", "mosqueenarbonne.com", "tititinews.com", "santeoglobal.com", "cornharvestdirect.com", "chickensoesco.com", "softelbow30.com", "fuxeonfire.com", "soospeter.com", "lastikfiyatlari.online", "northlandproshop.com", "youbelongstojoy.com", "asfalt-podrezkovo.store", "servequin.com", "heti.ink", "gulfingroupinvest.com", "gastries.info", "spunklane.com", "acompanhanteslux.com", "bbti.world", "juiceofjoy.com", "tlaaccounting.net"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.268979891.0000000003549000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x99bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x148a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x958a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17809:$sqlite3step: 68 34 1C 7B E1 0x1791c:$sqlite3step: 68 34 1C 7B E1 0x17838:$sqlite3text: 68 38 2A 90 C5 0x1795d:$sqlite3text: 68 38 2A 90 C5 0x1784b:$sqlite3blob: 68 53 D8 7F 8C 0x17973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x109c21:$a1: 3C 30 50 4F 53 54 74 09 40 0x138041:$a1: 3C 30 50 4F 53 54 74 09 40 0x165461:$a1: 3C 30 50 4F 53 54 74 09 40 0x120550:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x14e970:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x10e38f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x13c7af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x169bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x119277:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x147697:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x174ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10d2d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10d542:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13b6f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13b962:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x168b18:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x168d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x119075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x147495:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1748b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x118b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x146f81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1743a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x119177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x147597:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1749b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1192ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x14770f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x174b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10df5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x13c37a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x11c1d9:$sqlite3step: 68 34 1C 7B E1 0x11c2ec:$sqlite3step: 68 34 1C 7B E1 0x14a5f9:$sqlite3step: 68 34 1C 7B E1 0x14a70c:$sqlite3step: 68 34 1C 7B E1 0x177a19:$sqlite3step: 68 34 1C 7B E1 0x177b2c:$sqlite3step: 68 34 1C 7B E1 0x11c208:$sqlite3text: 68 38 2A 90 C5 0x11c32d:$sqlite3text: 68 38 2A 90 C5 0x14a628:$sqlite3text: 68 38 2A 90 C5 0x14a74d:$sqlite3text: 68 38 2A 90 C5 0x177a48:$sqlite3text: 68 38 2A 90 C5 0x177b6d:$sqlite3text: 68 38 2A 90 C5 0x11c21b:$sqlite3blob: 68 53 D8 7F 8C 0x11c343:$sqlite3blob: 68 53 D8 7F 8C 0x14a63b:$sqlite3blob: 68 53 D8 7F 8C 0x14a763:$sqlite3blob: 68 53 D8 7F 8C 0x177a5b:$sqlite3blob: 68 53 D8 7F 8C 0x177b83:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.266387939.0000000003261000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe PID: 5272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe PID: 5272	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4ba97:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe PID: 5208	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x11a107:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.3282f54.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.3282f54.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a7fa:$v1: SbieDll.dll 0x2a814:$v2: USER 0x2a820:$v3: SANDBOX 0x2a832:$v4: VIRUS 0x2a882:$v4: VIRUS 0x2a840:$v5: MALWARE 0x2a852:$v6: SCHMIDTI 0x2a866:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.32a0724.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.32a0724.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd02a:$v1: SbieDll.dll 0xd044:$v2: USER 0xd050:$v3: SANDBOX 0xd062:$v4: VIRUS 0xd0b2:$v4: VIRUS 0xd070:$v5: MALWARE 0xd082:$v6: SCHMIDTI 0xd096:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x108cc1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1370e1:$a1: 3C 30 50 4F 53 54 74 09 40 0x164501:$a1: 3C 30 50 4F 53 54 74 09 40 0x11f5f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x14da10:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17ae30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x10d42f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x13b84f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x168c6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x118317:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x146737:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x173b57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10c378:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10c5e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13a798:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13aa02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x167bb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x167e22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x118115:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x146535:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x173955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x117c01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x146021:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x173441:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x118217:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x146637:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x173a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11838f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1467af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x173bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10cffa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x13b41a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16883a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x11b279:$sqlite3step: 68 34 1C 7B E1 0x11b38c:$sqlite3step: 68 34 1C 7B E1 0x149699:$sqlite3step: 68 34 1C 7B E1 0x1497ac:$sqlite3step: 68 34 1C 7B E1 0x176ab9:$sqlite3step: 68 34 1C 7B E1 0x176bcc:$sqlite3step: 68 34 1C 7B E1 0x11b2a8:$sqlite3text: 68 38 2A 90 C5 0x11b3cd:$sqlite3text: 68 38 2A 90 C5 0x1496c8:$sqlite3text: 68 38 2A 90 C5 0x1497ed:$sqlite3text: 68 38 2A 90 C5 0x176ae8:$sqlite3text: 68 38 2A 90 C5 0x176c0d:$sqlite3text: 68 38 2A 90 C5 0x11b2bb:$sqlite3blob: 68 53 D8 7F 8C 0x11b3e3:$sqlite3blob: 68 53 D8 7F 8C 0x1496db:$sqlite3blob: 68 53 D8 7F 8C 0x149803:$sqlite3blob: 68 53 D8 7F 8C 0x176afb:$sqlite3blob: 68 53 D8 7F 8C 0x176c23:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x94871:$a1: 3C 30 50 4F 53 54 74 09 40 0xc2c91:$a1: 3C 30 50 4F 53 54 74 09 40 0xf00b1:$a1: 3C 30 50 4F 53 54 74 09 40 0xab1a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xd95c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1069e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x98fdf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xc73ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xf481f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xa3ec7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xd22e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xff707:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x97f28:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x98192:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc6348:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc65b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf3768:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf39d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa3cc5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xd20e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xff505:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa37b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xd1bd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xfeff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa3dc7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xd21e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xff607:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa3f3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd235f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xff77f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x98baa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xc6fca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf43ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa6e29:$sqlite3step: 68 34 1C 7B E1 0xa6f3c:$sqlite3step: 68 34 1C 7B E1 0xd5249:$sqlite3step: 68 34 1C 7B E1 0xd535c:$sqlite3step: 68 34 1C 7B E1 0x102669:$sqlite3step: 68 34 1C 7B E1 0x10277c:$sqlite3step: 68 34 1C 7B E1 0xa6e58:$sqlite3text: 68 38 2A 90 C5 0xa6f7d:$sqlite3text: 68 38 2A 90 C5 0xd5278:$sqlite3text: 68 38 2A 90 C5 0xd539d:$sqlite3text: 68 38 2A 90 C5 0x102698:$sqlite3text: 68 38 2A 90 C5 0x1027bd:$sqlite3text: 68 38 2A 90 C5 0xa6e6b:$sqlite3blob: 68 53 D8 7F 8C 0xa6f93:$sqlite3blob: 68 53 D8 7F 8C 0xd528b:$sqlite3blob: 68 53 D8 7F 8C 0xd53b3:$sqlite3blob: 68 53 D8 7F 8C 0x1026ab:$sqlite3blob: 68 53 D8 7F 8C 0x1027d3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 11 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

ReversingLabs: Detection: 29%

Yara detected FormBook

Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.2635westkaylaneprescott.com/ndgi/

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Joe Sandbox ML: detected

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.2635westkaylaneprescott.com/ndgi/"], "decoy": ["vuicotvxrejp3il.xyz", "w3fa6.net", "sappuno02.com", "konstruksirumah.xyz", "usalifehealth.com", "and1f.xyz", "atenmentfstinfdow.beauty", "primepipe.net", "roundhouseny.com", "alexandermcqueen.icu", "transporteavalos.com", "spankmetaverse.xyz", "jhccowholesale.com", "bielefeldgebaeudereinigung.com", "saintraphaelschool.com", "larifaa.online", "dejabrew.info", "izabelaeraphael.com", "granniestoneet.com", "greensourceseed.com", "jawaahirulhikmah.com", "2lipcolours.com", "ginzou.com", "vestradgivning.online", "atlasdublinresidence.com", "bfine.xyz", "decision-art.com", "nicebayloans.com", "pendingissue.biz", "troiancircular.com", "raftingtennesssee.com", "autistal.xyz", "purposeinplans.com", "socofm.com", "dafuweng0471.com", "transformcoach.info", "vugz.info", "isabellesroom.com", "kasdawerf.xyz", "angelicindia.com", "jmakerpumploc.com", "departmen.store", "kalpataruplotsariaplots.net", "mosqueenarbonne.com", "tititinews.com", "santeoglobal.com", "cornharvestdirect.com", "chickensoesco.com", "softelbow30.com", "fuxeonfire.com", "soospeter.com", "lastikfiyatlari.online", "northlandproshop.com", "youbelongstojoy.com", "asfalt-podrezkovo.store", "servequin.com", "heti.ink", "gulfingroupinvest.com", "gastries.info", "spunklane.com", "acompanhanteslux.com", "bbti.world", "juiceofjoy.com", "tlaaccounting.net"]}

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000002.267578947.0000000001510000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000003.265561008.0000000001371000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000003.263133405.00000000011D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000002.267578947.0000000001510000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000003.265561008.0000000001371000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000003.263133405.00000000011D4000.00000004.00000800.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.2635westkaylaneprescott.com/ndgi/

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.272505714.0000000007232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.264008229.000000000147B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.3282f54.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.32a0724.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe PID: 5272, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe PID: 5208, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.3282f54.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.32a0724.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.44aef60.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.45233b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.262712520.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe PID: 5272, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe PID: 5208, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_0171C164	0_2_0171C164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_0171E5B0	0_2_0171E5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_0171E5A1	0_2_0171E5A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_056F06E8	0_2_056F06E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_056F2868	0_2_056F2868
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_056F6660	0_2_056F6660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_056F6650	0_2_056F6650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_056F06D9	0_2_056F06D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_056F2320	0_2_056F2320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_056F2330	0_2_056F2330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_056F22FA	0_2_056F22FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0153F900	1_2_0153F900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01554120	1_2_01554120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0154C1C0	1_2_0154C1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01552990	1_2_01552990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015599BF	1_2_015599BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0160E824	1_2_0160E824
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0156701D	1_2_0156701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01536800	1_2_01536800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015F1002	1_2_015F1002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0155A830	1_2_0155A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_016028EC	1_2_016028EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015F60F5	1_2_015F60F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0154B090	1_2_0154B090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_016020A8	1_2_016020A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015620A0	1_2_015620A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015DCB4F	1_2_015DCB4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0155AB40	1_2_0155AB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0151337D	1_2_0151337D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01553360	1_2_01553360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015F231B	1_2_015F231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01602B28	1_2_01602B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0155A309	1_2_0155A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015F03DA	1_2_015F03DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015FDBD2	1_2_015FDBD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0156ABD8	1_2_0156ABD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01588BE8	1_2_01588BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015E23E3	1_2_015E23E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0155EB9A	1_2_0155EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01513382	1_2_01513382
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015DEB8A	1_2_015DEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0156138B	1_2_0156138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0156EBB0	1_2_0156EBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0151225E	1_2_0151225E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015F5A4F	1_2_015F5A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0155B236	1_2_0155B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015EFA2B	1_2_015EFA2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015FE2C5	1_2_015FE2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015F4AEF	1_2_015F4AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_016032A9	1_2_016032A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_016022AE	1_2_016022AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01552D50	1_2_01552D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01601D55	1_2_01601D55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01602D07	1_2_01602D07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01530D20	1_2_01530D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0154D5E0	1_2_0154D5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_016025DD	1_2_016025DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01562581	1_2_01562581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015F2D82	1_2_015F2D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015665A0	1_2_015665A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0155B477	1_2_0155B477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015FD466	1_2_015FD466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0154841F	1_2_0154841F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01552430	1_2_01552430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01564CD4	1_2_01564CD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015F4496	1_2_015F4496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015194B8	1_2_015194B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01601FF1	1_2_01601FF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0160DFCE	1_2_0160DFCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015F67E2	1_2_015F67E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015BAE60	1_2_015BAE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015FD616	1_2_015FD616
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01555600	1_2_01555600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01556E30	1_2_01556E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01602EF7	1_2_01602EF7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015E1EB6	1_2_015E1EB6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: String function: 0158D08C appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: String function: 0153B150 appears 159 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: String function: 015C5720 appears 81 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01579860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01579660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015796E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_015796E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579950 NtQueueApcThread,	1_2_01579950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579910 NtAdjustPrivilegesToken,	1_2_01579910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015799D0 NtCreateProcessEx,	1_2_015799D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015799A0 NtCreateSection,	1_2_015799A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579840 NtDelayExecution,	1_2_01579840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0157B040 NtSuspendThread,	1_2_0157B040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579820 NtEnumerateKey,	1_2_01579820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015798F0 NtReadVirtualMemory,	1_2_015798F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015798A0 NtWriteVirtualMemory,	1_2_015798A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579B00 NtSetValueKey,	1_2_01579B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0157A3B0 NtGetContextThread,	1_2_0157A3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579A50 NtCreateFile,	1_2_01579A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579A10 NtQuerySection,	1_2_01579A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579A00 NtProtectVirtualMemory,	1_2_01579A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579A20 NtResumeThread,	1_2_01579A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579A80 NtOpenDirectoryObject,	1_2_01579A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579540 NtReadFile,	1_2_01579540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579560 NtWriteFile,	1_2_01579560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0157AD30 NtSetContextThread,	1_2_0157AD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579520 NtWaitForSingleObject,	1_2_01579520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015795D0 NtClose,	1_2_015795D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015795F0 NtQueryInformationFile,	1_2_015795F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0157A770 NtOpenThread,	1_2_0157A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579770 NtSetInformationFile,	1_2_01579770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579760 NtOpenProcess,	1_2_01579760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0157A710 NtOpenProcessToken,	1_2_0157A710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579710 NtQueryInformationToken,	1_2_01579710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579730 NtQueryVirtualMemory,	1_2_01579730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579FE0 NtCreateMutant,	1_2_01579FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579780 NtMapViewOfSection,	1_2_01579780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015797A0 NtUnmapViewOfSection,	1_2_015797A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579650 NtQueryValueKey,	1_2_01579650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579670 NtQueryInformationProcess,	1_2_01579670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01579610 NtEnumerateValueKey,	1_2_01579610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_015796D0 NtCreateKey,	1_2_015796D0

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000000.243748362.0000000000D84000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameyFcW.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.264008229.000000000147B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.275549628.0000000007990000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.270529665.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.266387939.0000000003261000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000002.266387939.0000000003261000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000003.266489821.0000000001490000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000003.263873744.00000000012EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000002.268632378.000000000162F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Binary or memory string: OriginalFilenameyFcW.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

ReversingLabs: Detection: 29%

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000000.243588948.0000000000CA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000000.243588948.0000000000CA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000000.00000000.243588948.0000000000CA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000002.267578947.0000000001510000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000003.265561008.0000000001371000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000003.263133405.00000000011D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000002.267578947.0000000001510000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000003.265561008.0000000001371000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe, 00000001.00000003.263133405.00000000011D4000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_0171F978 pushad ; iretd	0_2_0171F979
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 0_2_01717AFF push eax; retf	0_2_01717B8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0151191C pushfd ; iretd	1_2_01511939
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0158D0D1 push ecx; ret	1_2_0158D0E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0151225E push eax; retf	1_2_0151321C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01519271 push es; iretd	1_2_01519278
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0151427E pushad ; retf 000Dh	1_2_0151427F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0151322C push eax; retf	1_2_0151321C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01514288 pushad ; retf	1_2_01514289
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_0151A7C0 push es; iretd	1_2_0151A7C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Code function: 1_2_01513F9F pushad ; ret	1_2_01513FA0

Source: initial sample

Static PE information: section name: .text entropy: 7.649413315465482

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe	Process information set: NOOPENFILEERRORBOX

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.16304.13478.exe