Windows Analysis Report
2022-571-GLS.exe

Overview

General Information

Sample Name: 2022-571-GLS.exe
Analysis ID: 755996
MD5: 6cc14805bbf5e6bfb4daae5c8a61af7e
SHA1: 34836f2aa6a4e97705352a50d2a7147c857fea94
SHA256: 029d4fe47cb21a8f4e1dbe1863cf43cba6ac777e008b9675d381fda82986196b
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 2022-571-GLS.exe ReversingLabs: Detection: 30%
Source: Yara match File source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.cdlcapitolsolutions.com/b31b/?8pq=gR42Xd1117OgJS+Outh2bFri+uyQrgf7E7TvWkJgQJ6aRmKfoh8EdM/DtT372TknNdyW&q0DDzX=YreDi Avira URL Cloud: Label: malware
Source: www.cdlcapitolsolutions.com/b31b/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe ReversingLabs: Detection: 19%
Source: 2022-571-GLS.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Joe Sandbox ML: detected
Source: 1.2.jsqqecy.exe.1090000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.jsqqecy.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.jsqqecy.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.cdlcapitolsolutions.com/b31b/"], "decoy": ["deltafxtrading.com", "alisonangl.com", "cdfqs.com", "easyentry.vip", "dentalinfodomain.com", "hiphoppianyc.com", "pools-62911.com", "supportteam26589.site", "delldaypa.one", "szanody.com", "diaper-basket.art", "ffscollab.com", "freediverconnect.com", "namesbrun.com", "theprimone.top", "lenzolab.com", "cikmas.com", "genyuei-no.space", "hellofstyle.com", "lamagall.com", "hallmarktb.com", "hifebou7.info", "sex5a.finance", "printrynner.com", "powerrestorationllc.com", "hirefiz.com", "uninvitedempire.com", "alpinemaintenance.online", "ppcadshub.com", "looking4.tours", "dirtyhandsmedia.com", "capishe.website", "cachorrospitbull.com", "mythic-authentication.online", "nordingcave.online", "gremep.online", "tryufabetcasino.com", "premiumciso.com", "powerful70s.com", "myminecraftrealm.com", "bssurgery.com", "steel-pcint.com", "iokailyjewelry.com", "barmanon5.pro", "kcrsw.com", "9393xx38.app", "kochen-mit-induktion.com", "indtradors.store", "giaxevn.info", "trungtambaohanhariston.com", "fulili.com", "crgabions.com", "matomekoubou.com", "duaidapduapjdp.site", "invissiblefriends.com", "cy3.space", "idqoft.com", "jamal53153.com", "lemagnetix.com", "anthroaction.com", "uspcff.top", "supplierdir.com", "counterpoint.online", "zarl.tech"]}
Source: 2022-571-GLS.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: netsh.pdb source: jsqqecy.exe, 00000002.00000002.381171915.0000000001119000.00000004.00000020.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.383264606.0000000003200000.00000040.10000000.00040000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381214615.0000000001131000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: jsqqecy.exe, 00000001.00000003.299119725.00000000029C0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000001.00000003.299523428.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000003.303967054.0000000001217000.00000004.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381584152.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.382622757.00000000014CF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.382550493.0000000003384000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.380856964.00000000031ED000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563303711.0000000003520000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563833806.000000000363F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: jsqqecy.exe, 00000002.00000002.381171915.0000000001119000.00000004.00000020.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.383264606.0000000003200000.00000040.10000000.00040000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381214615.0000000001131000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: jsqqecy.exe, 00000001.00000003.299119725.00000000029C0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000001.00000003.299523428.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000003.303967054.0000000001217000.00000004.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381584152.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.382622757.00000000014CF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.382550493.0000000003384000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.380856964.00000000031ED000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563303711.0000000003520000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563833806.000000000363F000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BD52F3 FindFirstFileExW, 1_2_00BD52F3
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BD53A7 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00BD53A7
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BD52F3 FindFirstFileExW, 2_2_00BD52F3
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BD53A7 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00BD53A7
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 4x nop then pop esi 2_2_0041732C
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 4x nop then pop edi 2_2_0040E47D

Networking

Source: C:\Windows\explorer.exe Domain query: www.easyentry.vip
Source: C:\Windows\explorer.exe Network Connect: 34.117.168.233 80
Source: C:\Windows\explorer.exe Network Connect: 45.221.114.43 80
Source: C:\Windows\explorer.exe Domain query: www.cdlcapitolsolutions.com
Source: C:\Windows\explorer.exe Network Connect: 75.2.81.221 80
Source: C:\Windows\explorer.exe Domain query: www.fulili.com
Source: Malware configuration extractor URLs: www.cdlcapitolsolutions.com/b31b/
Source: Joe Sandbox View ASN Name: sun-asnSC
Source: Joe Sandbox View ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: global traffic HTTP traffic detected: GET /b31b/?8pq=gR42Xd1117OgJS+Outh2bFri+uyQrgf7E7TvWkJgQJ6aRmKfoh8EdM/DtT372TknNdyW&q0DDzX=YreDi HTTP/1.1 Host: www.cdlcapitolsolutions.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b31b/?8pq=kQFV/3Ti5731GiKzPcF+l7m9iVSkkn86bXlgwK5ZhVk2Z3fCEdzJJK3qVV3FyS9CSUee&q0DDzX=YreDi HTTP/1.1 Host: www.easyentry.vip Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b31b/?8pq=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqdaOGaksChda&q0DDzX=YreDi HTTP/1.1 Host: www.fulili.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 34.117.168.233
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 29 Nov 2022 12:17:37 GMTContent-Type: text/htmlContent-Length: 146Connection: closeServer: nginxVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Tue, 29 Nov 2022 12:17:56 GMT Connection: close Content-Length: 1163
Source: 2022-571-GLS.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 2022-571-GLS.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.364781909.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.317290516.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.347986981.0000000008260000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown DNS traffic detected: queries for: www.cdlcapitolsolutions.com
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BCAD00 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard, 1_2_00BCAD00
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BCB890 GetKeyboardState, 1_2_00BCB890
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405125

E-Banking Fraud

Source: Yara match File source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: jsqqecy.exe PID: 1236, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: jsqqecy.exe PID: 1224, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: netsh.exe PID: 6140, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2022-571-GLS.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: jsqqecy.exe PID: 1236, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: jsqqecy.exe PID: 1224, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: netsh.exe PID: 6140, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_00406333 0_2_00406333
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_00404936 0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BC18D0 1_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BDAA0A 1_2_00BDAA0A
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BCC520 1_2_00BCC520
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BC3540 1_2_00BC3540
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BC8ED0 1_2_00BC8ED0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041F007 2_2_0041F007
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00401208 2_2_00401208
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041DC7B 2_2_0041DC7B
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041ED47 2_2_0041ED47
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00402D88 2_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00409E5C 2_2_00409E5C
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00409E60 2_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041EE6F 2_2_0041EE6F
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041D6F5 2_2_0041D6F5
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041DFEF 2_2_0041DFEF
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BC18D0 2_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BDAA0A 2_2_00BDAA0A
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BCC520 2_2_00BCC520
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BC3540 2_2_00BC3540
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BC8ED0 2_2_00BC8ED0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: String function: 00BCD960 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: String function: 00BD25D4 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041A360 NtCreateFile, 2_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041A410 NtReadFile, 2_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041A490 NtClose, 2_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041A540 NtAllocateVirtualMemory, 2_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041A35A NtCreateFile, 2_2_0041A35A
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041A40A NtReadFile, 2_2_0041A40A
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041A48C NtClose, 2_2_0041A48C
Source: 2022-571-GLS.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\2022-571-GLS.exe File read: C:\Users\user\Desktop\2022-571-GLS.exe
Source: 2022-571-GLS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2022-571-GLS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\2022-571-GLS.exe C:\Users\user\Desktop\2022-571-GLS.exe
Source: C:\Users\user\Desktop\2022-571-GLS.exe Process created: C:\Users\user\AppData\Local\Temp\jsqqecy.exe "C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Process created: C:\Users\user\AppData\Local\Temp\jsqqecy.exe "C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\jsqqecy.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2022-571-GLS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\2022-571-GLS.exe File created: C:\Users\user\AppData\Local\Temp\nst2735.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/4@3/3
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\2022-571-GLS.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004043F5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --headless 1_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --unix 1_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --width 1_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --height 1_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --signal 1_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --server 1_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --headless 2_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --unix 2_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --width 2_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --height 2_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --signal 2_2_00BC18D0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Command line argument: --server 2_2_00BC18D0
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: netsh.pdb source: jsqqecy.exe, 00000002.00000002.381171915.0000000001119000.00000004.00000020.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.383264606.0000000003200000.00000040.10000000.00040000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381214615.0000000001131000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: jsqqecy.exe, 00000001.00000003.299119725.00000000029C0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000001.00000003.299523428.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000003.303967054.0000000001217000.00000004.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381584152.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.382622757.00000000014CF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.382550493.0000000003384000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.380856964.00000000031ED000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563303711.0000000003520000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563833806.000000000363F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: jsqqecy.exe, 00000002.00000002.381171915.0000000001119000.00000004.00000020.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.383264606.0000000003200000.00000040.10000000.00040000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381214615.0000000001131000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: jsqqecy.exe, 00000001.00000003.299119725.00000000029C0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000001.00000003.299523428.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000003.303967054.0000000001217000.00000004.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381584152.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.382622757.00000000014CF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.382550493.0000000003384000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.380856964.00000000031ED000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563303711.0000000003520000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563833806.000000000363F000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BD5A75 push ecx; ret 1_2_00BD5A88
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041D05E push cs; ret 2_2_0041D05F
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041681D push 99159BFBh; iretd 2_2_00416822
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00417829 push esp; retf 2_2_0041782A
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00416C89 push es; ret 2_2_00416C9A
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041D4B5 push eax; ret 2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041D56C push eax; ret 2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041D502 push eax; ret 2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0041D50B push eax; ret 2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0040674B push esi; iretd 2_2_0040674D
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BD5A75 push ecx; ret 2_2_00BD5A88
Source: jsqqecy.exe.0.dr Static PE information: section name: .00cfg
Source: jsqqecy.exe.0.dr Static PE information: section name: .voltbl
Source: C:\Users\user\Desktop\2022-571-GLS.exe File created: C:\Users\user\AppData\Local\Temp\jsqqecy.exe

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE5
Source: C:\Users\user\Desktop\2022-571-GLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000002939904 second address: 000000000293990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000002939B7E second address: 0000000002939B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 3156 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 6032 Thread sleep time: -38000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe API coverage: 2.2 %
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BD52F3 FindFirstFileExW, 1_2_00BD52F3
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BD53A7 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00BD53A7
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BD52F3 FindFirstFileExW, 2_2_00BD52F3
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BD53A7 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00BD53A7
Source: C:\Users\user\Desktop\2022-571-GLS.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000003.00000000.366063254.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000003.00000000.365236364.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.342989666.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000003.00000000.366769523.0000000008394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.351146407.000000000CDC8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000003.00000000.365236364.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BD383A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00BD383A
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BD25EB GetProcessHeap, 1_2_00BD25EB
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BD00FE mov ecx, dword ptr fs:[00000030h] 1_2_00BD00FE
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BD41ED mov eax, dword ptr fs:[00000030h] 1_2_00BD41ED
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BD00FE mov ecx, dword ptr fs:[00000030h] 2_2_00BD00FE
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BD41ED mov eax, dword ptr fs:[00000030h] 2_2_00BD41ED
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_0040ACF0 LdrLoadDll, 2_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BCD780 SetUnhandledExceptionFilter, 1_2_00BCD780
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BD383A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00BD383A
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BCDC8D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00BCDC8D
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BCD78C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00BCD78C
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BD383A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00BD383A
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BCDC8D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00BCDC8D
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BCD78C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00BCD78C
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 2_2_00BCD780 SetUnhandledExceptionFilter, 2_2_00BCD780

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.easyentry.vip
Source: C:\Windows\explorer.exe Network Connect: 34.117.168.233 80
Source: C:\Windows\explorer.exe Network Connect: 45.221.114.43 80
Source: C:\Windows\explorer.exe Domain query: www.cdlcapitolsolutions.com
Source: C:\Windows\explorer.exe Network Connect: 75.2.81.221 80
Source: C:\Windows\explorer.exe Domain query: www.fulili.com
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\jsqqecy.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Thread register set: target process: 3528
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3528
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Process created: C:\Users\user\AppData\Local\Temp\jsqqecy.exe "C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\jsqqecy.exe"
Source: explorer.exe, 00000003.00000000.358106625.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.339007760.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.306844469.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Managerzx
Source: explorer.exe, 00000003.00000000.348541007.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.363020980.0000000005C70000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.358106625.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.358106625.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.339007760.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.306844469.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.338725850.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.306396985.00000000009C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanath
Source: explorer.exe, 00000003.00000000.358106625.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.339007760.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.306844469.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BCD9A5 cpuid 1_2_00BCD9A5
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe Code function: 1_2_00BCD632 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00BCD632
Source: C:\Users\user\Desktop\2022-571-GLS.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information

Source: Yara match File source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY