Edit tour

Windows Analysis Report
PrWP76ejHO.exe

Overview

General Information

Sample Name:	PrWP76ejHO.exe
Analysis ID:	756343
MD5:	db102a67350060a1e967aef81118f18d
SHA1:	a3131a3df17a154e41c09973ca8a9aabac29929e
SHA256:	98420cf47e19574739cff3f1f74bd3c6c70e103d0b28040b64fd3c77588c7ee7
Tags:	32exeFormbooktrojan
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses ipconfig to lookup or modify the Windows network settings

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to read the clipboard data

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Contains functionality to retrieve information about pressed keystrokes

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

PrWP76ejHO.exe (PID: 1832 cmdline: C:\Users\user\Desktop\PrWP76ejHO.exe MD5: DB102A67350060A1E967AEF81118F18D)

iscan.exe (PID: 1764 cmdline: "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)

conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iscan.exe (PID: 5188 cmdline: "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

iijhlev.exe (PID: 4468 cmdline: "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)

conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 5096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 452 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

iijhlev.exe (PID: 4864 cmdline: "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)

conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 2436 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 420 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

ipconfig.exe (PID: 1916 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fedefarmatour.online/dwdp/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7d38:$a1: 3C 30 50 4F 53 54 74 09 40 0x209e7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc0c6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1960e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1940c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x18eb8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1950e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x19686:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbc91:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x18103:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1f62e:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x20751:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1b910:$sqlite3step: 68 34 1C 7B E1 0x1c488:$sqlite3step: 68 34 1C 7B E1 0x1b952:$sqlite3text: 68 38 2A 90 C5 0x1c4cd:$sqlite3text: 68 38 2A 90 C5 0x1b969:$sqlite3blob: 68 53 D8 7F 8C 0x1c4e3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f2b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa98f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1def7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f01a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a1d9:$sqlite3step: 68 34 1C 7B E1 0x1ad51:$sqlite3step: 68 34 1C 7B E1 0x1a21b:$sqlite3text: 68 38 2A 90 C5 0x1ad96:$sqlite3text: 68 38 2A 90 C5 0x1a232:$sqlite3blob: 68 53 D8 7F 8C 0x1adac:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f2b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa98f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1def7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f01a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a1d9:$sqlite3step: 68 34 1C 7B E1 0x1ad51:$sqlite3step: 68 34 1C 7B E1 0x1a21b:$sqlite3text: 68 38 2A 90 C5 0x1ad96:$sqlite3text: 68 38 2A 90 C5 0x1a232:$sqlite3blob: 68 53 D8 7F 8C 0x1adac:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f2b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa98f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1def7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f01a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a1d9:$sqlite3step: 68 34 1C 7B E1 0x1ad51:$sqlite3step: 68 34 1C 7B E1 0x1a21b:$sqlite3text: 68 38 2A 90 C5 0x1ad96:$sqlite3text: 68 38 2A 90 C5 0x1a232:$sqlite3blob: 68 53 D8 7F 8C 0x1adac:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x102b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x79cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xeef7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1001a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb1d9:$sqlite3step: 68 34 1C 7B E1 0xbd51:$sqlite3step: 68 34 1C 7B E1 0xb21b:$sqlite3text: 68 38 2A 90 C5 0xbd96:$sqlite3text: 68 38 2A 90 C5 0xb232:$sqlite3blob: 68 53 D8 7F 8C 0xbdac:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f2b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa98f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1def7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f01a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a1d9:$sqlite3step: 68 34 1C 7B E1 0x1ad51:$sqlite3step: 68 34 1C 7B E1 0x1a21b:$sqlite3text: 68 38 2A 90 C5 0x1ad96:$sqlite3text: 68 38 2A 90 C5 0x1a232:$sqlite3blob: 68 53 D8 7F 8C 0x1adac:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f2b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa98f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1def7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f01a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a1d9:$sqlite3step: 68 34 1C 7B E1 0x1ad51:$sqlite3step: 68 34 1C 7B E1 0x1a21b:$sqlite3text: 68 38 2A 90 C5 0x1ad96:$sqlite3text: 68 38 2A 90 C5 0x1a232:$sqlite3blob: 68 53 D8 7F 8C 0x1adac:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: iscan.exe PID: 5188	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3d24f:$a1: 3C 30 50 4F 53 54 74 09 40 0x123bbf:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: ipconfig.exe PID: 1916	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x890c0:$a1: 3C 30 50 4F 53 54 74 09 40 0xedaf1:$a1: 3C 30 50 4F 53 54 74 09 40 0xeeaed:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.iscan.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.iscan.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6f38:$a1: 3C 30 50 4F 53 54 74 09 40 0x1fbe7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb2c6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1880e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.iscan.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1860c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x180b8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1870e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18886:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xae91:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17303:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e82e:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f951:$sequence_9: 56 68 03 01 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
PrWP76ejHO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PrWP76ejHO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Windows Analysis Report
PrWP76ejHO.exe