Windows Analysis Report
9Y0iIDL2cA.exe

Overview

General Information

Sample Name: 9Y0iIDL2cA.exe
Original Sample Name: 6118e763aa0cf63beadfff4130d70396.exe
Analysis ID: 813072
MD5: 6118e763aa0cf63beadfff4130d70396
SHA1: 9c9276f9da4df7b33bd0e3be2e5fe6b4543fc49d
SHA256: f75f11958cb9b23e256cd0668e7490113565acd86d66180483e7b909d7750ed3
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 9Y0iIDL2cA.exe ReversingLabs: Detection: 46%
Source: 9Y0iIDL2cA.exe Virustotal: Detection: 42%
Source: Yara match File source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.chmoptk.xyz/ko14/?a8a0I6=AN9ddFth&5jf=M7nqW8aR7mNvoHxLrPxI2y49I5+WA672UYaebqQM8uyw3pghcvdZz9ysw/++M4PBBSKx Avira URL Cloud: Label: malware
Source: http://www.benguey.com/ko14/www.garciaguardadopainting.com Avira URL Cloud: Label: malware
Source: http://www.getagrandbankcard.com/ko14/www.kubulaw.com Avira URL Cloud: Label: malware
Source: http://www.hbrsty.com/ko14/www.jirehgems.com Avira URL Cloud: Label: malware
Source: http://www.island6.work/ko14/?5jf=VaDSnsgvonCigUZ+pmDkuHBOCaBr5JnrGKmoNvP+bJqyBIIgbn+8auQsuvmDsx/CLI6H&a8a0I6=AN9ddFth Avira URL Cloud: Label: malware
Source: http://www.ke3yjs5tri.one/ko14/www.itsallwool.net Avira URL Cloud: Label: malware
Source: http://www.bluehorizonnirvana.com/ko14/ Avira URL Cloud: Label: malware
Source: http://www.hbrsty.com/ko14/ Avira URL Cloud: Label: malware
Source: http://www.jirehgems.com/ko14/ Avira URL Cloud: Label: malware
Source: http://www.kayseriplise.com/ko14/www.ke3yjs5tri.one Avira URL Cloud: Label: malware
Source: http://www.kubulaw.com/ko14/ Avira URL Cloud: Label: malware
Source: http://www.chmoptk.xyz/ko14/www.getagrandbankcard.com Avira URL Cloud: Label: malware
Source: http://www.ke3yjs5tri.one/ko14/ Avira URL Cloud: Label: malware
Source: http://www.kubulaw.com/ko14/www.1wthqp.top Avira URL Cloud: Label: malware
Source: http://www.island6.work/ko14/ Avira URL Cloud: Label: malware
Source: http://www.itsallwool.net/ko14/ Avira URL Cloud: Label: malware
Source: http://www.chmoptk.xyz/ko14/www.island6.work Avira URL Cloud: Label: malware
Source: http://www.bluehorizonnirvana.com/ko14/www.chmoptk.xyz Avira URL Cloud: Label: malware
Source: http://www.chmoptk.xyz/ko14/ Avira URL Cloud: Label: malware
Source: http://www.benguey.com/ko14/ Avira URL Cloud: Label: malware
Source: http://www.elandtoyar.com/ko14/ Avira URL Cloud: Label: malware
Source: http://www.bluehorizonnirvana.com/ko14/?a8a0I6=AN9ddFth&5jf=BQFbNS1tJ024OW9lmuATJr9Xnniob3WjOEkugQ07ZFP/1sWqi7DwmqNdo26PC6xDvEYj Avira URL Cloud: Label: malware
Source: http://www.island6.work/ko14/www.bluehorizonnirvana.com Avira URL Cloud: Label: malware
Source: http://www.chmoptk.xyz Avira URL Cloud: Label: malware
Source: http://www.elandtoyar.com/ko14/www.set4.co.uk Avira URL Cloud: Label: malware
Source: http://www.getagrandbankcard.com/ko14/ Avira URL Cloud: Label: malware
Source: http://www.garciaguardadopainting.com/ko14/ Avira URL Cloud: Label: malware
Source: http://www.jirehgems.com/ko14/www.elandtoyar.com Avira URL Cloud: Label: malware
Source: http://www.kayseriplise.com/ko14/ Avira URL Cloud: Label: malware
Source: http://www.set4.co.uk/ko14/www.benguey.com Avira URL Cloud: Label: malware
Source: http://www.itsallwool.net/ko14/www.hbrsty.com Avira URL Cloud: Label: malware
Source: http://www.set4.co.uk/ko14/ Avira URL Cloud: Label: malware
Source: www.chmoptk.xyz Virustotal: Detection: 11%
Source: 1.2.eepwidokpg.exe.a00000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.eepwidokpg.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.1wthqp.top/ko14/"], "decoy": ["bluehorizonnirvana.com", "itweakrd.com", "actionouverytri.com", "kayseriplise.com", "garciaguardadopainting.com", "b5qmu.xyz", "albrava.com", "50percentsweet.com", "artyshop.boutique", "6563youhui.com", "beant-consulting.com", "imtokonapp.shop", "web28tech.africa", "enriquezcleaningservice.shop", "domainnameindustrybriefs.com", "lose.cyou", "elandtoyar.com", "ke3yjs5tri.one", "iliaso.com", "amqp.xyz", "app386.com", "naskonnect.africa", "go-orpheus-marketing.net", "all4hitech.com", "brigghtbrooker.site", "debetcash.site", "clevelandcirclepress.net", "aw11.top", "diamondshouse-hannover.online", "itsallwool.net", "griffinpowerservices.com", "acceptdigitalcurrency.com", "bty1ll.com", "benguey.com", "kubulaw.com", "island6.work", "herdsman.tech", "dubonbon.com", "jdlx1.com", "jacqtalk.com", "jiujie001.com", "etimexprint.com", "getagrandbankcard.com", "lebebek.com", "chmoptk.xyz", "invierteconitin.com", "brownfat.info", "caragolet.online", "e36edgo0.com", "fclsg.com", "gulfcoastroofers.net", "kesamuroa.com", "progressafford.online", "set4.co.uk", "dev-acd.com", "7oranges.xyz", "bluezoneinabox.net", "jirehgems.com", "hbrsty.com", "interessebr.com", "bcihome.com", "codyhsu.com", "isaacbittner.com", "bitofwisdom.com"]}
Source: 9Y0iIDL2cA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 9Y0iIDL2cA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WWAHost.pdb source: eepwidokpg.exe, 00000003.00000003.317526197.000000000263E000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000003.317784057.0000000002710000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.322035553.0000000002630000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP source: eepwidokpg.exe, 00000003.00000003.317526197.000000000263E000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000003.317784057.0000000002710000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.322035553.0000000002630000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: eepwidokpg.exe, 00000001.00000003.265987511.000000001A380000.00000004.00001000.00020000.00000000.sdmp, eepwidokpg.exe, 00000001.00000003.265583322.000000001A1F0000.00000004.00001000.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000003.269226378.0000000000612000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000003.270988599.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.319928424.0000000000940000.00000040.00001000.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.319928424.0000000000A5F000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.529601754.000000000409F000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.319368663.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.321289184.0000000003DE3000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.529601754.0000000003F80000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: eepwidokpg.exe, eepwidokpg.exe, 00000003.00000003.269226378.0000000000612000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000003.270988599.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.319928424.0000000000940000.00000040.00001000.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.319928424.0000000000A5F000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.529601754.000000000409F000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.319368663.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.321289184.0000000003DE3000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.529601754.0000000003F80000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 4x nop then pop edi 3_2_0040E46E

Networking

Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe Domain query: www.chmoptk.xyz
Source: C:\Windows\explorer.exe Network Connect: 162.0.228.50 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.210 80
Source: C:\Windows\explorer.exe Domain query: www.island6.work
Source: C:\Windows\explorer.exe Domain query: www.bluehorizonnirvana.com
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 198.54.117.210:80
Source: C:\Windows\explorer.exe DNS query: www.chmoptk.xyz
Source: Malware configuration extractor URLs: www.1wthqp.top/ko14/
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: global traffic HTTP traffic detected: GET /ko14/?a8a0I6=AN9ddFth&5jf=M7nqW8aR7mNvoHxLrPxI2y49I5+WA672UYaebqQM8uyw3pghcvdZz9ysw/++M4PBBSKx HTTP/1.1Host: www.chmoptk.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ko14/?5jf=VaDSnsgvonCigUZ+pmDkuHBOCaBr5JnrGKmoNvP+bJqyBIIgbn+8auQsuvmDsx/CLI6H&a8a0I6=AN9ddFth HTTP/1.1Host: www.island6.workConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ko14/?a8a0I6=AN9ddFth&5jf=BQFbNS1tJ024OW9lmuATJr9Xnniob3WjOEkugQ07ZFP/1sWqi7DwmqNdo26PC6xDvEYj HTTP/1.1Host: www.bluehorizonnirvana.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 198.54.117.210
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 22 Feb 2023 03:57:18 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 277 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.chmoptk.xyz Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 22 Feb 2023 03:57:39 GMT Content-Type: text/html Content-Length: 291 ETag: "63f57e3b-123" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: 9Y0iIDL2cA.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.1wthqp.top
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.1wthqp.top/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.1wthqp.top/ko14/www.kayseriplise.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.1wthqp.topReferer:
Source: explorer.exe, 00000004.00000002.540436871.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.300792983.000000000F270000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.benguey.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.benguey.com/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.benguey.com/ko14/www.garciaguardadopainting.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.benguey.comReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bluehorizonnirvana.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bluehorizonnirvana.com/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bluehorizonnirvana.com/ko14/www.chmoptk.xyz
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bluehorizonnirvana.comReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.chmoptk.xyz
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.chmoptk.xyz/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.chmoptk.xyz/ko14/www.getagrandbankcard.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.chmoptk.xyz/ko14/www.island6.work
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.chmoptk.xyzReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.elandtoyar.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.elandtoyar.com/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.elandtoyar.com/ko14/www.set4.co.uk
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.elandtoyar.comReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.garciaguardadopainting.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.garciaguardadopainting.com/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.garciaguardadopainting.comReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.getagrandbankcard.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.getagrandbankcard.com/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.getagrandbankcard.com/ko14/www.kubulaw.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.getagrandbankcard.comReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hbrsty.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hbrsty.com/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hbrsty.com/ko14/www.jirehgems.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hbrsty.comReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.island6.work
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.island6.work/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.island6.work/ko14/www.bluehorizonnirvana.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.island6.workReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itsallwool.net
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itsallwool.net/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itsallwool.net/ko14/www.hbrsty.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itsallwool.netReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jirehgems.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jirehgems.com/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jirehgems.com/ko14/www.elandtoyar.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jirehgems.comReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kayseriplise.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kayseriplise.com/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kayseriplise.com/ko14/www.ke3yjs5tri.one
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kayseriplise.comReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ke3yjs5tri.one
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ke3yjs5tri.one/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ke3yjs5tri.one/ko14/www.itsallwool.net
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ke3yjs5tri.oneReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kubulaw.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kubulaw.com/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kubulaw.com/ko14/www.1wthqp.top
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kubulaw.comReferer:
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.set4.co.uk
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.set4.co.uk/ko14/
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.set4.co.uk/ko14/www.benguey.com
Source: explorer.exe, 00000004.00000002.540770631.000000000F42E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.set4.co.ukReferer:
Source: unknown DNS traffic detected: queries for: www.chmoptk.xyz
Source: C:\Windows\explorer.exe Code function: 4_2_103B8F82 getaddrinfo,setsockopt,recv, 4_2_103B8F82
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

E-Banking Fraud

Source: Yara match File source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: eepwidokpg.exe PID: 5608, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: eepwidokpg.exe PID: 1668, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: WWAHost.exe PID: 5352, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9Y0iIDL2cA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: eepwidokpg.exe PID: 5608, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: eepwidokpg.exe PID: 1668, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: WWAHost.exe PID: 5352, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_00401026 3_2_00401026
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041D8FB 3_2_0041D8FB
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041DCFB 3_2_0041DCFB
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041E524 3_2_0041E524
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041EDC0 3_2_0041EDC0
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_00409E4B 3_2_00409E4B
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_00409E50 3_2_00409E50
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041D69A 3_2_0041D69A
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041EFE9 3_2_0041EFE9
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0097B090 3_2_0097B090
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_00A320A8 3_2_00A320A8
Source: C:\Windows\explorer.exe Code function: 4_2_103B8232 4_2_103B8232
Source: C:\Windows\explorer.exe Code function: 4_2_103B7036 4_2_103B7036
Source: C:\Windows\explorer.exe Code function: 4_2_103AE082 4_2_103AE082
Source: C:\Windows\explorer.exe Code function: 4_2_103B2B32 4_2_103B2B32
Source: C:\Windows\explorer.exe Code function: 4_2_103B2B30 4_2_103B2B30
Source: C:\Windows\explorer.exe Code function: 4_2_103B5912 4_2_103B5912
Source: C:\Windows\explorer.exe Code function: 4_2_103AFD02 4_2_103AFD02
Source: C:\Windows\explorer.exe Code function: 4_2_103BB5CD 4_2_103BB5CD
Source: C:\Windows\explorer.exe Code function: 4_2_108FA082 4_2_108FA082
Source: C:\Windows\explorer.exe Code function: 4_2_10903036 4_2_10903036
Source: C:\Windows\explorer.exe Code function: 4_2_109075CD 4_2_109075CD
Source: C:\Windows\explorer.exe Code function: 4_2_10901912 4_2_10901912
Source: C:\Windows\explorer.exe Code function: 4_2_108FBD02 4_2_108FBD02
Source: C:\Windows\explorer.exe Code function: 4_2_10904232 4_2_10904232
Source: C:\Windows\explorer.exe Code function: 4_2_108FEB32 4_2_108FEB32
Source: C:\Windows\explorer.exe Code function: 4_2_108FEB30 4_2_108FEB30
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041A350 NtCreateFile, 3_2_0041A350
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041A400 NtReadFile, 3_2_0041A400
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041A480 NtClose, 3_2_0041A480
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041A530 NtAllocateVirtualMemory, 3_2_0041A530
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041A34A NtCreateFile, 3_2_0041A34A
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041A3FB NtReadFile, 3_2_0041A3FB
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041A3A3 NtReadFile, 3_2_0041A3A3
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041A52A NtAllocateVirtualMemory, 3_2_0041A52A
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_009A98F0
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A9840 NtDelayExecution,LdrInitializeThunk, 3_2_009A9840
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_009A9860
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A99A0 NtCreateSection,LdrInitializeThunk, 3_2_009A99A0
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_009A9910
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_009A9A00
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A9A20 NtResumeThread,LdrInitializeThunk, 3_2_009A9A20
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A9A50 NtCreateFile,LdrInitializeThunk, 3_2_009A9A50
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A95D0 NtClose,LdrInitializeThunk, 3_2_009A95D0
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A9540 NtReadFile,LdrInitializeThunk, 3_2_009A9540
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_009A96E0
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_009A9660
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_009A9780
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_009A97A0
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_009A9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_009A9710
Source: C:\Windows\explorer.exe Code function: 4_2_103B8232 NtCreateFile, 4_2_103B8232
Source: C:\Windows\explorer.exe Code function: 4_2_103B9E12 NtProtectVirtualMemory, 4_2_103B9E12
Source: C:\Windows\explorer.exe Code function: 4_2_103B9E0A NtProtectVirtualMemory, 4_2_103B9E0A
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe E2F1D65A23A0B85174C48680F0AC81D00346469C4CDE8331DABFC77742203ADC
Source: 9Y0iIDL2cA.exe ReversingLabs: Detection: 46%
Source: 9Y0iIDL2cA.exe Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe File read: C:\Users\user\Desktop\9Y0iIDL2cA.exe
Source: 9Y0iIDL2cA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\9Y0iIDL2cA.exe C:\Users\user\Desktop\9Y0iIDL2cA.exe
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Process created: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe "C:\Users\user\AppData\Local\Temp\eepwidokpg.exe" C:\Users\user\AppData\Local\Temp\hyhntbe.dr
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Process created: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe C:\Users\user\AppData\Local\Temp\eepwidokpg.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\eepwidokpg.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe File created: C:\Users\user\AppData\Local\Temp\nsuA12.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/4@3/3
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 9Y0iIDL2cA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WWAHost.pdb source: eepwidokpg.exe, 00000003.00000003.317526197.000000000263E000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000003.317784057.0000000002710000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.322035553.0000000002630000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP source: eepwidokpg.exe, 00000003.00000003.317526197.000000000263E000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000003.317784057.0000000002710000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.322035553.0000000002630000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: eepwidokpg.exe, 00000001.00000003.265987511.000000001A380000.00000004.00001000.00020000.00000000.sdmp, eepwidokpg.exe, 00000001.00000003.265583322.000000001A1F0000.00000004.00001000.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000003.269226378.0000000000612000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000003.270988599.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.319928424.0000000000940000.00000040.00001000.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.319928424.0000000000A5F000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.529601754.000000000409F000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.319368663.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.321289184.0000000003DE3000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.529601754.0000000003F80000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: eepwidokpg.exe, eepwidokpg.exe, 00000003.00000003.269226378.0000000000612000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000003.270988599.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.319928424.0000000000940000.00000040.00001000.00020000.00000000.sdmp, eepwidokpg.exe, 00000003.00000002.319928424.0000000000A5F000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.529601754.000000000409F000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.319368663.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.321289184.0000000003DE3000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.529601754.0000000003F80000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Unpacked PE file: 3.2.eepwidokpg.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 1_2_00402FB5 push ecx; ret 1_2_00402FC8
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_004170DA pushad ; iretd 3_2_004170DB
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_004168E0 push ecx; ret 3_2_004168E1
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_004168A6 pushfd ; retf 3_2_004168A9
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041D4F2 push eax; ret 3_2_0041D4F8
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041D4FB push eax; ret 3_2_0041D562
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041D4A5 push eax; ret 3_2_0041D4F8
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041D55C push eax; ret 3_2_0041D562
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0041CFB3 push esp; iretd 3_2_0041CFB8
Source: C:\Windows\explorer.exe Code function: 4_2_103BBB1E push esp; retn 0000h 4_2_103BBB1F
Source: C:\Windows\explorer.exe Code function: 4_2_103BBB02 push esp; retn 0000h 4_2_103BBB03
Source: C:\Windows\explorer.exe Code function: 4_2_103BB9B5 push esp; retn 0000h 4_2_103BBAE7
Source: C:\Windows\explorer.exe Code function: 4_2_109079B5 push esp; retn 0000h 4_2_10907AE7
Source: C:\Windows\explorer.exe Code function: 4_2_10907B1E push esp; retn 0000h 4_2_10907B1F
Source: C:\Windows\explorer.exe Code function: 4_2_10907B02 push esp; retn 0000h 4_2_10907B03
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 1_2_0040279C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_0040279C
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe File created: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe (dropped file)

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE1
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000001299904 second address: 000000000129990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000001299B6E second address: 0000000001299B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 5600 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 867
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 866
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000003.475824311.0000000009297000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.539446531.00000000092B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.477189918.0000000009298000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.478407640.00000000092B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW5
Source: explorer.exe, 00000004.00000002.538436254.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000004.00000002.534613888.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000002.538436254.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000002.538436254.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000004.00000000.289083997.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000004.00000002.540436871.000000000F270000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: explorer.exe, 00000004.00000002.531986416.00000000050A1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000004.00000000.289083997.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 1_2_00402B07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00402B07
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 1_2_0040279C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_0040279C
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 1_2_0040853E __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_0040853E
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_00969080 mov eax, dword ptr fs:[00000030h] 3_2_00969080
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 3_2_0040ACE0 LdrLoadDll, 3_2_0040ACE0
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 1_2_00403F6A SetUnhandledExceptionFilter, 1_2_00403F6A
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 1_2_00401DAC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401DAC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe Domain query: www.chmoptk.xyz
Source: C:\Windows\explorer.exe Network Connect: 162.0.228.50 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.210 80
Source: C:\Windows\explorer.exe Domain query: www.island6.work
Source: C:\Windows\explorer.exe Domain query: www.bluehorizonnirvana.com
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 13E0000
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 3452
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Process created: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe C:\Users\user\AppData\Local\Temp\eepwidokpg.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\eepwidokpg.exe"
Source: explorer.exe, 00000004.00000002.529120859.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274890398.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000004.00000002.534483419.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.529120859.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.289083997.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.529120859.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274890398.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.527880954.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.274266194.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 00000004.00000002.529120859.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274890398.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\eepwidokpg.exe Code function: 1_2_00404B76 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_00404B76
Source: C:\Users\user\Desktop\9Y0iIDL2cA.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 1.2.eepwidokpg.exe.a00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.eepwidokpg.exe.a00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eepwidokpg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eepwidokpg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.319776611.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319657106.0000000000890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.271588186.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.319385149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529001097.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.527117361.0000000001290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529068114.0000000003560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY