Edit tour

Windows Analysis Report
Hbi8WUpShm.exe

Overview

General Information

Sample Name:	Hbi8WUpShm.exe
Original Sample Name:	9739b15bd8493e99e281d62d213ddc4cce684b1e833af4634932c57a669035fc.exe
Analysis ID:	830325
MD5:	00a41a4804673581f675471bffa2bafc
SHA1:	a9ebc4956b89e080451dbe619176a7e9ab8c8dd9
SHA256:	9739b15bd8493e99e281d62d213ddc4cce684b1e833af4634932c57a669035fc
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Hbi8WUpShm.exe (PID: 5868 cmdline: C:\Users\user\Desktop\Hbi8WUpShm.exe MD5: 00A41A4804673581F675471BFFA2BAFC)

explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

chkdsk.exe (PID: 6012 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)

cmd.exe (PID: 4208 cmdline: /c del "C:\Users\user\Desktop\Hbi8WUpShm.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://asec.ahnlab.com/en/32149/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.eltres-iot.info/nu06/"], "decoy": ["cutmentor.net", "alexwright.xyz", "gymbastic.com", "creperie-lalios.com", "equipmentblock.com", "zwangerschapvanweektotweek.net", "asimulationcompany.com", "g9technoinnovation.com", "bestbirdies.xyz", "addhair.online", "get-breakfastburns.com", "aex-studentki.guru", "jhpx888.com", "gemologic.dev", "thegreencarshop.co.uk", "alessandromargonari.com", "cosmosynz.click", "letstalkreparation.com", "bka-i.com", "hervelegerdressshop.co.uk", "xn--5hqsa64xi8tdhd1xsp5oyyi.com", "jobstrendpk.com", "pavilionroofingservices.co.uk", "gonulserezart.com", "iby923.xyz", "languageforall.africa", "helloular3.com", "faster1.one", "lborient.com", "bzhxqm.com", "smartmetersystems.co.uk", "icfc2019.com", "handymantroop.com", "mychefacademy.com", "credit-cards-70626.com", "letmewowyou.com", "cityguide.africa", "dismissalnoise.com", "edu-degrees-89998.com", "estebanecheverry.com", "celsopaula.com", "jihuajl.com", "pyvob.xyz", "gdbdkj.com", "ballinc.online", "amadeussalem.net", "ievc-technologies.com", "arrindellnotary.com", "laneseempowerment.com", "bullreward.com", "evaluatemyathlete.com", "seu-qzs.com", "hexmexico.com", "coiffeur-kosmetik-basel1.ch", "1wacdu.top", "hoot.software", "goldhillmesatimes.com", "jobsnailikely.com", "cyberlavender.com", "ldgyb.com", "crunchtimemotion.com", "xn--74q746a2tj.net", "heikeshuwu.com", "fotel.xyz"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Hbi8WUpShm.exe	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Hbi8WUpShm.exe	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
Hbi8WUpShm.exe	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5651:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bfc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9dcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14cb7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Hbi8WUpShm.exe	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8d08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8f82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14ab5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x145a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14bb7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14d2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x999a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1381c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa693:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ad27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bd2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Hbi8WUpShm.exe	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17c49:$sqlite3step: 68 34 1C 7B E1 0x17d5c:$sqlite3step: 68 34 1C 7B E1 0x17c78:$sqlite3text: 68 38 2A 90 C5 0x17d9d:$sqlite3text: 68 38 2A 90 C5 0x17c8b:$sqlite3blob: 68 53 D8 7F 8C 0x17db3:$sqlite3blob: 68 53 D8 7F 8C

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x99cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x148b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x959a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17849:$sqlite3step: 68 34 1C 7B E1 0x1795c:$sqlite3step: 68 34 1C 7B E1 0x17878:$sqlite3text: 68 38 2A 90 C5 0x1799d:$sqlite3text: 68 38 2A 90 C5 0x1788b:$sqlite3blob: 68 53 D8 7F 8C 0x179b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5bd9:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c548:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa357:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1523f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9290:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x950a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1503d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14b29:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1513f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x152b7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9f22:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x13da4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xac1b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b2af:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c2b2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x181d1:$sqlite3step: 68 34 1C 7B E1 0x182e4:$sqlite3step: 68 34 1C 7B E1 0x18200:$sqlite3text: 68 38 2A 90 C5 0x18325:$sqlite3text: 68 38 2A 90 C5 0x18213:$sqlite3blob: 68 53 D8 7F 8C 0x1833b:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x99cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x148b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x959a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17849:$sqlite3step: 68 34 1C 7B E1 0x1795c:$sqlite3step: 68 34 1C 7B E1 0x17878:$sqlite3text: 68 38 2A 90 C5 0x1799d:$sqlite3text: 68 38 2A 90 C5 0x1788b:$sqlite3blob: 68 53 D8 7F 8C 0x179b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5e91:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c800:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa60f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x154f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9548:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x97c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x152f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x153f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1556f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa1da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1405c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xaed3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b567:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c56a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18489:$sqlite3step: 68 34 1C 7B E1 0x1859c:$sqlite3step: 68 34 1C 7B E1 0x184b8:$sqlite3text: 68 38 2A 90 C5 0x185dd:$sqlite3text: 68 38 2A 90 C5 0x184cb:$sqlite3blob: 68 53 D8 7F 8C 0x185f3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.585228598.000000000FBA3000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa12:$a2: pass 0xa18:$a3: email 0xa1f:$a4: login 0xa26:$a5: signin 0xa37:$a6: persistent 0xc0a:$r1: C:\Users\user\AppData\Roaming\J004P45B\J00log.ini
00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5e91:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c800:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa60f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x154f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9548:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x97c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x152f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x153f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1556f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa1da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1405c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xaed3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b567:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c56a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18489:$sqlite3step: 68 34 1C 7B E1 0x1859c:$sqlite3step: 68 34 1C 7B E1 0x184b8:$sqlite3text: 68 38 2A 90 C5 0x185dd:$sqlite3text: 68 38 2A 90 C5 0x184cb:$sqlite3blob: 68 53 D8 7F 8C 0x185f3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Hbi8WUpShm.exe PID: 5868	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xbc210:$a1: 3C 30 50 4F 53 54 74 09 40 0xbd4f7:$a1: 3C 30 50 4F 53 54 74 09 40 0x17d8dd:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 3324	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x33bfaa:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: chkdsk.exe PID: 6012	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5f82c:$a1: 3C 30 50 4F 53 54 74 09 40 0x6126a:$a1: 3C 30 50 4F 53 54 74 09 40 0x62a7c:$a1: 3C 30 50 4F 53 54 74 09 40 0x1312a9:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 49 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Hbi8WUpShm.exe.830000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Hbi8WUpShm.exe.830000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Hbi8WUpShm.exe.830000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Hbi8WUpShm.exe.830000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Hbi8WUpShm.exe.830000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
0.0.Hbi8WUpShm.exe.830000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.0.Hbi8WUpShm.exe.830000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.0.Hbi8WUpShm.exe.830000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.0.Hbi8WUpShm.exe.830000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.0.Hbi8WUpShm.exe.830000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.102.136.180

Timestamp:	192.168.2.534.102.136.18049699802031412 03/20/23-09:11:34.950454
SID:	2031412
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.102.136.180

Timestamp:	192.168.2.534.102.136.18049699802031449 03/20/23-09:11:34.950454
SID:	2031449
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.117.168.233

Timestamp:	192.168.2.534.117.168.23349701802031412 03/20/23-09:12:16.158626
SID:	2031412
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.117.168.233

Timestamp:	192.168.2.534.117.168.23349701802031453 03/20/23-09:12:16.158626
SID:	2031453
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.117.168.233

Timestamp:	192.168.2.534.117.168.23349701802031449 03/20/23-09:12:16.158626
SID:	2031449
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.102.136.180

Timestamp:	192.168.2.534.102.136.18049699802031453 03/20/23-09:11:34.950454
SID:	2031453
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Hbi8WUpShm.exe

ReversingLabs: Detection: 84%

Yara detected FormBook

Source: Yara match	File source: Hbi8WUpShm.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: Hbi8WUpShm.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.alessandromargonari.com/nu06/www.languageforall.africa	Avira URL Cloud: Label: malware
Source: http://www.alessandromargonari.com/nu06/	Avira URL Cloud: Label: malware
Source: http://www.arrindellnotary.com/nu06/	Avira URL Cloud: Label: malware
Source: http://www.edu-degrees-89998.com/nu06/www.arrindellnotary.com	Avira URL Cloud: Label: malware
Source: http://www.eltres-iot.info/nu06/www.smartmetersystems.co.uk	Avira URL Cloud: Label: malware
Source: http://www.letstalkreparation.com/nu06/www.zwangerschapvanweektotweek.net	Avira URL Cloud: Label: malware
Source: http://www.heikeshuwu.com/nu06/www.alessandromargonari.com	Avira URL Cloud: Label: malware
Source: http://www.hervelegerdressshop.co.uk/nu06/www.edu-degrees-89998.com	Avira URL Cloud: Label: malware
Source: http://www.alexwright.xyz/nu06/	Avira URL Cloud: Label: malware
Source: http://www.edu-degrees-89998.com/nu06/	Avira URL Cloud: Label: malware
Source: http://www.heikeshuwu.com/nu06/	Avira URL Cloud: Label: malware
Source: http://www.ballinc.online/nu06/	Avira URL Cloud: Label: malware
Source: http://www.hervelegerdressshop.co.uk/nu06/	Avira URL Cloud: Label: malware
Source: http://www.smartmetersystems.co.uk/nu06/	Avira URL Cloud: Label: malware
Source: http://www.evaluatemyathlete.com/nu06/www.coiffeur-kosmetik-basel1.ch	Avira URL Cloud: Label: malware
Source: http://www.languageforall.africa/nu06/www.eltres-iot.info	Avira URL Cloud: Label: malware
Source: http://www.zwangerschapvanweektotweek.net/nu06/www.gonulserezart.com	Avira URL Cloud: Label: malware
Source: http://www.eltres-iot.info/nu06/	Avira URL Cloud: Label: malware
Source: http://www.languageforall.africa/nu06/	Avira URL Cloud: Label: malware
Source: http://www.pyvob.xyz	Avira URL Cloud: Label: malware
Source: http://www.smartmetersystems.co.uk/nu06/www.alexwright.xyz	Avira URL Cloud: Label: malware
Source: http://www.evaluatemyathlete.com/nu06/?4h8xq=AAU7dHxOAmD1XA8vVT3AMGpmmEX+lZnDYwXHz32oiklDU/SqaBIxIuHdufVlmX9k3aqv&UrZ=9rv4vpj	Avira URL Cloud: Label: malware
Source: http://www.pyvob.xyz/nu06/www.heikeshuwu.com	Avira URL Cloud: Label: malware
Source: www.eltres-iot.info/nu06/	Avira URL Cloud: Label: malware
Source: http://www.coiffeur-kosmetik-basel1.ch/nu06/www.pyvob.xyz	Avira URL Cloud: Label: malware
Source: http://www.gonulserezart.com/nu06/www.evaluatemyathlete.com	Avira URL Cloud: Label: malware
Source: http://www.gonulserezart.com/nu06/?UrZ=9rv4vpj&4h8xq=XguJjI6AKJ7iGHg0sIvbxor8PKuuNZIswUYLv8brtIVcEL19nblZmBuHZOHdf2lpP/kE	Avira URL Cloud: Label: malware
Source: http://www.gonulserezart.com/nu06/	Avira URL Cloud: Label: malware
Source: http://www.evaluatemyathlete.com/nu06/	Avira URL Cloud: Label: malware
Source: http://www.coiffeur-kosmetik-basel1.ch/nu06/	Avira URL Cloud: Label: malware
Source: http://www.pyvob.xyz/nu06/	Avira URL Cloud: Label: malware
Source: http://www.ballinc.online/nu06/www.hervelegerdressshop.co.uk	Avira URL Cloud: Label: malware
Source: http://www.zwangerschapvanweektotweek.net/nu06/?4h8xq=RzhUDSljQ8La7qrFgsCqcMZ5F/GKaWYSy/YExKb0zDK6Qw0jyiEXU4SBBDL3oY4sWHH+&UrZ=9rv4vpj	Avira URL Cloud: Label: malware
Source: http://www.alexwright.xyz/nu06/www.ballinc.online	Avira URL Cloud: Label: malware
Source: http://www.zwangerschapvanweektotweek.net/nu06/	Avira URL Cloud: Label: malware
Source: http://www.letstalkreparation.com/nu06/	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: Hbi8WUpShm.exe

Joe Sandbox ML: detected

Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.eltres-iot.info/nu06/"], "decoy": ["cutmentor.net", "alexwright.xyz", "gymbastic.com", "creperie-lalios.com", "equipmentblock.com", "zwangerschapvanweektotweek.net", "asimulationcompany.com", "g9technoinnovation.com", "bestbirdies.xyz", "addhair.online", "get-breakfastburns.com", "aex-studentki.guru", "jhpx888.com", "gemologic.dev", "thegreencarshop.co.uk", "alessandromargonari.com", "cosmosynz.click", "letstalkreparation.com", "bka-i.com", "hervelegerdressshop.co.uk", "xn--5hqsa64xi8tdhd1xsp5oyyi.com", "jobstrendpk.com", "pavilionroofingservices.co.uk", "gonulserezart.com", "iby923.xyz", "languageforall.africa", "helloular3.com", "faster1.one", "lborient.com", "bzhxqm.com", "smartmetersystems.co.uk", "icfc2019.com", "handymantroop.com", "mychefacademy.com", "credit-cards-70626.com", "letmewowyou.com", "cityguide.africa", "dismissalnoise.com", "edu-degrees-89998.com", "estebanecheverry.com", "celsopaula.com", "jihuajl.com", "pyvob.xyz", "gdbdkj.com", "ballinc.online", "amadeussalem.net", "ievc-technologies.com", "arrindellnotary.com", "laneseempowerment.com", "bullreward.com", "evaluatemyathlete.com", "seu-qzs.com", "hexmexico.com", "coiffeur-kosmetik-basel1.ch", "1wacdu.top", "hoot.software", "goldhillmesatimes.com", "jobsnailikely.com", "cyberlavender.com", "ldgyb.com", "crunchtimemotion.com", "xn--74q746a2tj.net", "heikeshuwu.com", "fotel.xyz"]}

Source: Hbi8WUpShm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Hbi8WUpShm.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: chkdsk.pdbGCTL source: Hbi8WUpShm.exe, 00000000.00000002.343821234.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: Hbi8WUpShm.exe, 00000000.00000002.343821234.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000F2F000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.306876462.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.305219114.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.000000000549F000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.0000000005380000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.344421529.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.339337414.0000000000E16000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000F2F000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.306876462.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.305219114.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000002.00000002.573987841.000000000549F000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.0000000005380000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.344421529.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.339337414.0000000000E16000.00000004.00000020.00020000.00000000.sdmp

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.letstalkreparation.com
Source: C:\Windows\explorer.exe	Domain query: www.zwangerschapvanweektotweek.net
Source: C:\Windows\explorer.exe	Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80
Source: C:\Windows\explorer.exe	Domain query: www.gonulserezart.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.evaluatemyathlete.com
Source: C:\Windows\explorer.exe	Network Connect: 91.218.127.118 80

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49699 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49699 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49699 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49701 -> 34.117.168.233:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49701 -> 34.117.168.233:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49701 -> 34.117.168.233:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.eltres-iot.info/nu06/

Source: Joe Sandbox View

ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG

Source: global traffic	HTTP traffic detected: GET /nu06/?UrZ=9rv4vpj&4h8xq=OZMvKvxZ5i73HD5IFsv1VHO5ZNO69iYYlfpbYuxpW74QVU2iMlDxxLJrAbC6wwddpRFg HTTP/1.1Host: www.letstalkreparation.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nu06/?4h8xq=RzhUDSljQ8La7qrFgsCqcMZ5F/GKaWYSy/YExKb0zDK6Qw0jyiEXU4SBBDL3oY4sWHH+&UrZ=9rv4vpj HTTP/1.1Host: www.zwangerschapvanweektotweek.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nu06/?UrZ=9rv4vpj&4h8xq=XguJjI6AKJ7iGHg0sIvbxor8PKuuNZIswUYLv8brtIVcEL19nblZmBuHZOHdf2lpP/kE HTTP/1.1Host: www.gonulserezart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nu06/?4h8xq=AAU7dHxOAmD1XA8vVT3AMGpmmEX+lZnDYwXHz32oiklDU/SqaBIxIuHdufVlmX9k3aqv&UrZ=9rv4vpj HTTP/1.1Host: www.evaluatemyathlete.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 34.117.168.233 34.117.168.233

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 20 Mar 2023 08:11:35 GMTContent-Type: text/htmlContent-Length: 291ETag: "63f88c83-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 20 Mar 2023 08:12:38 GMTContent-Type: text/htmlContent-Length: 291ETag: "63f88c83-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alessandromargonari.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alessandromargonari.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alessandromargonari.com/nu06/www.languageforall.africa
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alessandromargonari.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alexwright.xyz
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alexwright.xyz/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alexwright.xyz/nu06/www.ballinc.online
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alexwright.xyzReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arrindellnotary.com
Source: explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arrindellnotary.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arrindellnotary.comReferer:
Source: explorer.exe, 00000001.00000000.308784009.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.573479962.0000000000921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ballinc.online
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ballinc.online/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ballinc.online/nu06/www.hervelegerdressshop.co.uk
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ballinc.onlineReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coiffeur-kosmetik-basel1.ch
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coiffeur-kosmetik-basel1.ch/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coiffeur-kosmetik-basel1.ch/nu06/www.pyvob.xyz
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coiffeur-kosmetik-basel1.chReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.edu-degrees-89998.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.edu-degrees-89998.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.edu-degrees-89998.com/nu06/www.arrindellnotary.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.edu-degrees-89998.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eltres-iot.info
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eltres-iot.info/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eltres-iot.info/nu06/www.smartmetersystems.co.uk
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eltres-iot.infoReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.evaluatemyathlete.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.evaluatemyathlete.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.evaluatemyathlete.com/nu06/www.coiffeur-kosmetik-basel1.ch
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.evaluatemyathlete.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gonulserezart.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gonulserezart.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gonulserezart.com/nu06/www.evaluatemyathlete.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gonulserezart.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heikeshuwu.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heikeshuwu.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heikeshuwu.com/nu06/www.alessandromargonari.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heikeshuwu.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hervelegerdressshop.co.uk
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hervelegerdressshop.co.uk/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hervelegerdressshop.co.uk/nu06/www.edu-degrees-89998.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hervelegerdressshop.co.ukReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.languageforall.africa
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.languageforall.africa/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.languageforall.africa/nu06/www.eltres-iot.info
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.languageforall.africaReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.letstalkreparation.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.letstalkreparation.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.letstalkreparation.com/nu06/www.zwangerschapvanweektotweek.net
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.letstalkreparation.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pyvob.xyz
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pyvob.xyz/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pyvob.xyz/nu06/www.heikeshuwu.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pyvob.xyzReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.smartmetersystems.co.uk
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.smartmetersystems.co.uk/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.smartmetersystems.co.uk/nu06/www.alexwright.xyz
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.smartmetersystems.co.ukReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zwangerschapvanweektotweek.net
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zwangerschapvanweektotweek.net/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zwangerschapvanweektotweek.net/nu06/www.gonulserezart.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zwangerschapvanweektotweek.netReferer:

Source: unknown

DNS traffic detected: queries for: www.letstalkreparation.com

Source: C:\Windows\explorer.exe

Code function: 1_2_0FB8BF82 getaddrinfo,setsockopt,recv,

Source: global traffic	HTTP traffic detected: GET /nu06/?UrZ=9rv4vpj&4h8xq=OZMvKvxZ5i73HD5IFsv1VHO5ZNO69iYYlfpbYuxpW74QVU2iMlDxxLJrAbC6wwddpRFg HTTP/1.1Host: www.letstalkreparation.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nu06/?4h8xq=RzhUDSljQ8La7qrFgsCqcMZ5F/GKaWYSy/YExKb0zDK6Qw0jyiEXU4SBBDL3oY4sWHH+&UrZ=9rv4vpj HTTP/1.1Host: www.zwangerschapvanweektotweek.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nu06/?UrZ=9rv4vpj&4h8xq=XguJjI6AKJ7iGHg0sIvbxor8PKuuNZIswUYLv8brtIVcEL19nblZmBuHZOHdf2lpP/kE HTTP/1.1Host: www.gonulserezart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nu06/?4h8xq=AAU7dHxOAmD1XA8vVT3AMGpmmEX+lZnDYwXHz32oiklDU/SqaBIxIuHdufVlmX9k3aqv&UrZ=9rv4vpj HTTP/1.1Host: www.evaluatemyathlete.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: Hbi8WUpShm.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: Hbi8WUpShm.exe, type: SAMPLE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Hbi8WUpShm.exe, type: SAMPLE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: Hbi8WUpShm.exe, type: SAMPLE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.585228598.000000000FBA3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Hbi8WUpShm.exe PID: 5868, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: Hbi8WUpShm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Hbi8WUpShm.exe, type: SAMPLE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Hbi8WUpShm.exe, type: SAMPLE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: Hbi8WUpShm.exe, type: SAMPLE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.585228598.000000000FBA3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Hbi8WUpShm.exe PID: 5868, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_00831030
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084E1AB
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084D9FC
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084DABE
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084EBE1
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_00832D87
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_00832D90
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084D5A6
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084D5A3
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084E55F
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_00839E5B
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_00839E60
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_00832FB0
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084E7E3
Source: C:\Windows\explorer.exe	Code function: 1_2_0E44F232
Source: C:\Windows\explorer.exe	Code function: 1_2_0E449B30
Source: C:\Windows\explorer.exe	Code function: 1_2_0E449B32
Source: C:\Windows\explorer.exe	Code function: 1_2_0E44E036
Source: C:\Windows\explorer.exe	Code function: 1_2_0E445082
Source: C:\Windows\explorer.exe	Code function: 1_2_0E446D02
Source: C:\Windows\explorer.exe	Code function: 1_2_0E44C912
Source: C:\Windows\explorer.exe	Code function: 1_2_0E4525CD
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB8B232
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB8E5CD
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB85B30
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB85B32
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB88912
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB82D02
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB81082
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB8A036
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05471D55
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A0D20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05472D07
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054725DD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546D466
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B841F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05471FF1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C6E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546D616
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05472EF7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AF900
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461002
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BB090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054728EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054720A8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05472B28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DEBB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546DBD2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054722AE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_008F2D87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_008F2D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090D5A3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090D5A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_008F9E5B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_008F9E60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_008F2FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090E7E3

Source: C:\Windows\SysWOW64\chkdsk.exe

Code function: String function: 053AB150 appears 35 times

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084A360 NtCreateFile,
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084A490 NtClose,
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084A410 NtReadFile,
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084A540 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084A35A NtCreateFile,
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084A48A NtClose,
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084A40C NtReadFile,
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB8B232 NtCreateFile,
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB8CE12 NtProtectVirtualMemory,
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB8CE0A NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053EAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9560 NtWriteFile,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053EA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053EA770 NtOpenThread,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053EB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053EA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090A360 NtCreateFile,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090A490 NtClose,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090A410 NtReadFile,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090A540 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090A35A NtCreateFile,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090A48A NtClose,
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090A40C NtReadFile,

Source: Hbi8WUpShm.exe

Static PE information: No import functions for PE file found

Source: Hbi8WUpShm.exe, 00000000.00000003.306876462.0000000000D95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Hbi8WUpShm.exe
Source: Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000F2F000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Hbi8WUpShm.exe
Source: Hbi8WUpShm.exe, 00000000.00000003.305219114.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Hbi8WUpShm.exe
Source: Hbi8WUpShm.exe, 00000000.00000002.343821234.0000000000DA6000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs Hbi8WUpShm.exe
Source: Hbi8WUpShm.exe, 00000000.00000002.343927149.00000000010BF000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Hbi8WUpShm.exe

Source: Hbi8WUpShm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Hbi8WUpShm.exe

Static PE information: Section .text

Source: Hbi8WUpShm.exe

ReversingLabs: Detection: 84%

Source: Hbi8WUpShm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Hbi8WUpShm.exe C:\Users\user\Desktop\Hbi8WUpShm.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Hbi8WUpShm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Hbi8WUpShm.exe"

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/1@4/4

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Hbi8WUpShm.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: chkdsk.pdbGCTL source: Hbi8WUpShm.exe, 00000000.00000002.343821234.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: Hbi8WUpShm.exe, 00000000.00000002.343821234.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000F2F000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.306876462.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.305219114.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.000000000549F000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.0000000005380000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.344421529.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.339337414.0000000000E16000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000F2F000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.306876462.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.305219114.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000002.00000002.573987841.000000000549F000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.0000000005380000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.344421529.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.339337414.0000000000E16000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084D4B5 push eax; ret
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084D502 push eax; ret
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_00849D02 push eax; retf
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084D50B push eax; ret
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Code function: 0_2_0084D56C push eax; ret
Source: C:\Windows\explorer.exe	Code function: 1_2_0E452B02 push esp; retn 0000h
Source: C:\Windows\explorer.exe	Code function: 1_2_0E452B1E push esp; retn 0000h
Source: C:\Windows\explorer.exe	Code function: 1_2_0E4529B5 push esp; retn 0000h
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB8E9B5 push esp; retn 0000h
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB8EB1E push esp; retn 0000h
Source: C:\Windows\explorer.exe	Code function: 1_2_0FB8EB02 push esp; retn 0000h
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053FD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090E1A1 pushfd ; retf
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090D4B5 push eax; ret
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090D502 push eax; ret
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_00909D02 push eax; retf
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090D50B push eax; ret
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0090D56C push eax; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.411530981126198

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE4

Source: C:\Windows\SysWOW64\chkdsk.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	RDTSC instruction interceptor: First address: 0000000000839904 second address: 000000000083990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	RDTSC instruction interceptor: First address: 0000000000839B7E second address: 0000000000839B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 00000000008F9904 second address: 00000000008F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 00000000008F9B7E second address: 00000000008F9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Windows\SysWOW64\chkdsk.exe TID: 4516

Thread sleep time: -46000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe

Code function: 0_2_00839AB0 rdtsc

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 864
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870

Source: C:\Windows\SysWOW64\chkdsk.exe

API coverage: 9.5 %

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe

Process information queried: ProcessInformation

Source: explorer.exe, 00000001.00000003.547529114.0000000008644000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000002.584967768.000000000F04A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmcI"/
Source: explorer.exe, 00000001.00000000.308784009.000000000091F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000003.534691963.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000001.00000003.534691963.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000002.575054265.0000000004437000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000003.535663437.000000000F083000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533653493.000000000F073000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000003.534691963.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000003.547529114.0000000008644000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000001.00000002.584326671.000000000ED55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.536283884.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe

Code function: 0_2_00839AB0 rdtsc

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05423540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05478D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0542A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05458DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054705AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054705AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0547740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0547740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0547740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05478CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05426CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054614FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05478F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0547070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0547070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05427794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05427794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05427794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05461608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0545FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0545FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05478ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05470EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05470EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05470EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054246A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054341E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054269A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05471074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05462073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05474015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05474015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05427016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05427016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05427016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0543B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05423884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05423884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05478B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053ADB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053ADB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054253CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_054253CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0545D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053CDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05475BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05434257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053C3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0545B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0545B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_05478A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053AAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053B8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053E927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_0546AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053BAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053DD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 2_2_053D2ACB mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe

Code function: 0_2_0083ACF0 LdrLoadDll,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.letstalkreparation.com
Source: C:\Windows\explorer.exe	Domain query: www.zwangerschapvanweektotweek.net
Source: C:\Windows\explorer.exe	Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80
Source: C:\Windows\explorer.exe	Domain query: www.gonulserezart.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.evaluatemyathlete.com
Source: C:\Windows\explorer.exe	Network Connect: 91.218.127.118 80

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1370000

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe	Thread register set: target process: 3324
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 3324

Source: C:\Windows\SysWOW64\chkdsk.exe

Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Hbi8WUpShm.exe"

Source: explorer.exe, 00000001.00000003.534691963.00000000086C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.547529114.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.309167505.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.309167505.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.573862418.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000001.00000000.309167505.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.573862418.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.309167505.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.573862418.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.308784009.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.573479962.0000000000878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanLoc*U

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: Hbi8WUpShm.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: Hbi8WUpShm.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	Path Interception	512 Process Injection	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	512 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Software Packing	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Hbi8WUpShm.exe	85%	ReversingLabs	Win32.Trojan.FormBook
Hbi8WUpShm.exe	100%	Avira	TR/Crypt.ZPACK.Gen
Hbi8WUpShm.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.Hbi8WUpShm.exe.830000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
0.2.Hbi8WUpShm.exe.830000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.alexwright.xyz	0%	Avira URL Cloud	safe
http://www.zwangerschapvanweektotweek.net	0%	Avira URL Cloud	safe
http://www.eltres-iot.info	0%	Avira URL Cloud	safe
http://www.alessandromargonari.com/nu06/www.languageforall.africa	100%	Avira URL Cloud	malware
http://www.alessandromargonari.com/nu06/	100%	Avira URL Cloud	malware
http://www.arrindellnotary.com/nu06/	100%	Avira URL Cloud	malware
http://www.edu-degrees-89998.com/nu06/www.arrindellnotary.com	100%	Avira URL Cloud	malware
http://www.coiffeur-kosmetik-basel1.chReferer:	0%	Avira URL Cloud	safe
http://www.eltres-iot.info/nu06/www.smartmetersystems.co.uk	100%	Avira URL Cloud	malware
http://www.letstalkreparation.com/nu06/www.zwangerschapvanweektotweek.net	100%	Avira URL Cloud	malware
http://www.heikeshuwu.com/nu06/www.alessandromargonari.com	100%	Avira URL Cloud	malware
http://www.hervelegerdressshop.co.uk/nu06/www.edu-degrees-89998.com	100%	Avira URL Cloud	malware
http://www.alexwright.xyz/nu06/	100%	Avira URL Cloud	malware
http://www.edu-degrees-89998.com/nu06/	100%	Avira URL Cloud	malware
http://www.heikeshuwu.com/nu06/	100%	Avira URL Cloud	malware
http://www.ballinc.online/nu06/	100%	Avira URL Cloud	malware
http://www.hervelegerdressshop.co.uk/nu06/	100%	Avira URL Cloud	malware
http://www.smartmetersystems.co.uk/nu06/	100%	Avira URL Cloud	malware
http://www.eltres-iot.infoReferer:	0%	Avira URL Cloud	safe
http://www.evaluatemyathlete.com/nu06/www.coiffeur-kosmetik-basel1.ch	100%	Avira URL Cloud	malware
http://www.languageforall.africa/nu06/www.eltres-iot.info	100%	Avira URL Cloud	malware
http://www.zwangerschapvanweektotweek.net/nu06/www.gonulserezart.com	100%	Avira URL Cloud	malware
http://www.eltres-iot.info/nu06/	100%	Avira URL Cloud	malware
http://www.languageforall.africa/nu06/	100%	Avira URL Cloud	malware
http://www.evaluatemyathlete.comReferer:	0%	Avira URL Cloud	safe
http://www.pyvob.xyz	100%	Avira URL Cloud	malware
http://www.smartmetersystems.co.uk/nu06/www.alexwright.xyz	100%	Avira URL Cloud	malware
http://www.evaluatemyathlete.com/nu06/?4h8xq=AAU7dHxOAmD1XA8vVT3AMGpmmEX+lZnDYwXHz32oiklDU/SqaBIxIuHdufVlmX9k3aqv&UrZ=9rv4vpj	100%	Avira URL Cloud	malware
http://www.evaluatemyathlete.com	0%	Avira URL Cloud	safe
http://www.letstalkreparation.com	0%	Avira URL Cloud	safe
http://www.arrindellnotary.comReferer:	0%	Avira URL Cloud	safe
http://www.languageforall.africa	0%	Avira URL Cloud	safe
http://www.gonulserezart.com	0%	Avira URL Cloud	safe
http://www.pyvob.xyz/nu06/www.heikeshuwu.com	100%	Avira URL Cloud	malware
www.eltres-iot.info/nu06/	100%	Avira URL Cloud	malware
http://www.ballinc.onlineReferer:	0%	Avira URL Cloud	safe
http://www.gonulserezart.comReferer:	0%	Avira URL Cloud	safe
http://www.edu-degrees-89998.comReferer:	0%	Avira URL Cloud	safe
http://www.coiffeur-kosmetik-basel1.ch/nu06/www.pyvob.xyz	100%	Avira URL Cloud	malware
http://www.gonulserezart.com/nu06/www.evaluatemyathlete.com	100%	Avira URL Cloud	malware
http://www.gonulserezart.com/nu06/?UrZ=9rv4vpj&4h8xq=XguJjI6AKJ7iGHg0sIvbxor8PKuuNZIswUYLv8brtIVcEL19nblZmBuHZOHdf2lpP/kE	100%	Avira URL Cloud	malware
http://www.arrindellnotary.com	0%	Avira URL Cloud	safe
http://www.smartmetersystems.co.uk	0%	Avira URL Cloud	safe
http://www.hervelegerdressshop.co.uk	0%	Avira URL Cloud	safe
http://www.gonulserezart.com/nu06/	100%	Avira URL Cloud	malware
http://www.alexwright.xyzReferer:	0%	Avira URL Cloud	safe
http://www.edu-degrees-89998.com	0%	Avira URL Cloud	safe
http://www.evaluatemyathlete.com/nu06/	100%	Avira URL Cloud	malware
http://www.smartmetersystems.co.ukReferer:	0%	Avira URL Cloud	safe
http://www.letstalkreparation.comReferer:	0%	Avira URL Cloud	safe
http://www.coiffeur-kosmetik-basel1.ch/nu06/	100%	Avira URL Cloud	malware
http://www.pyvob.xyz/nu06/	100%	Avira URL Cloud	malware
http://www.ballinc.online/nu06/www.hervelegerdressshop.co.uk	100%	Avira URL Cloud	malware
http://www.pyvob.xyzReferer:	0%	Avira URL Cloud	safe
http://www.alessandromargonari.comReferer:	0%	Avira URL Cloud	safe
http://www.zwangerschapvanweektotweek.net/nu06/?4h8xq=RzhUDSljQ8La7qrFgsCqcMZ5F/GKaWYSy/YExKb0zDK6Qw0jyiEXU4SBBDL3oY4sWHH+&UrZ=9rv4vpj	100%	Avira URL Cloud	malware
http://www.zwangerschapvanweektotweek.netReferer:	0%	Avira URL Cloud	safe
http://www.heikeshuwu.comReferer:	0%	Avira URL Cloud	safe
http://www.heikeshuwu.com	0%	Avira URL Cloud	safe
http://www.hervelegerdressshop.co.ukReferer:	0%	Avira URL Cloud	safe
http://www.languageforall.africaReferer:	0%	Avira URL Cloud	safe
http://www.alessandromargonari.com	0%	Avira URL Cloud	safe
http://www.ballinc.online	0%	Avira URL Cloud	safe
http://www.alexwright.xyz/nu06/www.ballinc.online	100%	Avira URL Cloud	malware
http://www.zwangerschapvanweektotweek.net/nu06/	100%	Avira URL Cloud	malware
http://www.letstalkreparation.com/nu06/	100%	Avira URL Cloud	malware
http://www.coiffeur-kosmetik-basel1.ch	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
td-ccm-168-233.wixdns.net	34.117.168.233	true	true	unknown
evaluatemyathlete.com	34.98.99.30	true	false	unknown
www.zwangerschapvanweektotweek.net	91.218.127.118	true	true	unknown
letstalkreparation.com	34.102.136.180	true	false	unknown
www.letstalkreparation.com	unknown	unknown	true	unknown
www.evaluatemyathlete.com	unknown	unknown	true	unknown
www.gonulserezart.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.evaluatemyathlete.com/nu06/?4h8xq=AAU7dHxOAmD1XA8vVT3AMGpmmEX+lZnDYwXHz32oiklDU/SqaBIxIuHdufVlmX9k3aqv&UrZ=9rv4vpj	false	Avira URL Cloud: malware	unknown
www.eltres-iot.info/nu06/	true	Avira URL Cloud: malware	low
http://www.gonulserezart.com/nu06/?UrZ=9rv4vpj&4h8xq=XguJjI6AKJ7iGHg0sIvbxor8PKuuNZIswUYLv8brtIVcEL19nblZmBuHZOHdf2lpP/kE	true	Avira URL Cloud: malware	unknown
http://www.zwangerschapvanweektotweek.net/nu06/?4h8xq=RzhUDSljQ8La7qrFgsCqcMZ5F/GKaWYSy/YExKb0zDK6Qw0jyiEXU4SBBDL3oY4sWHH+&UrZ=9rv4vpj	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.alexwright.xyz/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.smartmetersystems.co.uk/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.alessandromargonari.com/nu06/www.languageforall.africa	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.alessandromargonari.com/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.zwangerschapvanweektotweek.net	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alexwright.xyz	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eltres-iot.info	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ballinc.online/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.edu-degrees-89998.com/nu06/www.arrindellnotary.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.arrindellnotary.com/nu06/	explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.hervelegerdressshop.co.uk/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.coiffeur-kosmetik-basel1.chReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hervelegerdressshop.co.uk/nu06/www.edu-degrees-89998.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.heikeshuwu.com/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.letstalkreparation.com/nu06/www.zwangerschapvanweektotweek.net	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.eltres-iot.info/nu06/www.smartmetersystems.co.uk	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.heikeshuwu.com/nu06/www.alessandromargonari.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.edu-degrees-89998.com/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.eltres-iot.infoReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.evaluatemyathlete.com/nu06/www.coiffeur-kosmetik-basel1.ch	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.zwangerschapvanweektotweek.net/nu06/www.gonulserezart.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.languageforall.africa/nu06/www.eltres-iot.info	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.languageforall.africa/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.smartmetersystems.co.uk/nu06/www.alexwright.xyz	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.evaluatemyathlete.comReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pyvob.xyz	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.eltres-iot.info/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.evaluatemyathlete.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.letstalkreparation.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.arrindellnotary.comReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.languageforall.africa	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pyvob.xyz/nu06/www.heikeshuwu.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.gonulserezart.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gonulserezart.comReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ballinc.onlineReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.edu-degrees-89998.comReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.coiffeur-kosmetik-basel1.ch/nu06/www.pyvob.xyz	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.308784009.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.573479962.0000000000921000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.gonulserezart.com/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.gonulserezart.com/nu06/www.evaluatemyathlete.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.arrindellnotary.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hervelegerdressshop.co.uk	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.smartmetersystems.co.uk	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alexwright.xyzReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.edu-degrees-89998.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.evaluatemyathlete.com/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.smartmetersystems.co.ukReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.coiffeur-kosmetik-basel1.ch/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.letstalkreparation.comReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ballinc.online/nu06/www.hervelegerdressshop.co.uk	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.pyvob.xyzReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pyvob.xyz/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.alessandromargonari.comReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zwangerschapvanweektotweek.netReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.heikeshuwu.comReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hervelegerdressshop.co.ukReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.heikeshuwu.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.languageforall.africaReferer:	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alessandromargonari.com	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.letstalkreparation.com/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.alexwright.xyz/nu06/www.ballinc.online	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.zwangerschapvanweektotweek.net/nu06/	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.coiffeur-kosmetik-basel1.ch	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ballinc.online	explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.102.136.180	letstalkreparation.com	United States	15169	GOOGLEUS	false
34.98.99.30	evaluatemyathlete.com	United States	15169	GOOGLEUS	false
34.117.168.233	td-ccm-168-233.wixdns.net	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
91.218.127.118	www.zwangerschapvanweektotweek.net	Netherlands	50673	SERVERIUS-ASNL	true

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	830325
Start date and time:	2023-03-20 09:09:36 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Hbi8WUpShm.exe
Original Sample Name:	9739b15bd8493e99e281d62d213ddc4cce684b1e833af4634932c57a669035fc.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/1@4/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 63.2% (good quality ratio 56.5%) Quality average: 68.6% Quality standard deviation: 33.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Hbi8WUpShm.exe

Simulations

Behavior and APIs

Time	Type	Description
09:10:42	API Interceptor	809x Sleep call for process: explorer.exe modified

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	984
Entropy (8bit):	5.2414849034866355
Encrypted:	false
SSDEEP:	24:Yq6CUXyhmbmPlbNdB6hmYmPlz0JahmNmPlHZ6T06Mhm6mPlbxdB6hm3mPl7KTdB2:YqDUXycSNbNdUcVNz0JacQNHZ6T06Mcs
MD5:	4816271302882BDFB06EE40F624169D1
SHA1:	A8F07F0A5940C4A9D4DAD112787FE109CCACA869
SHA-256:	26D30DFFC5E2C493FF97B32C775C98630F0466D49144778BAE2688BA0716C760
SHA-512:	3D46AA6777AF386524E65D8D158201B699F766A5640A3E917CFA78E337475F910A839B93E0097C6651D2FCBE02ED7BFAF9EF8274C9632A88D06985168087823B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"RecentItems":[{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":4155601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4145601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":4135601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":4125601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4115601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4105601904,"LastSwitchedHighPart":30747926,"PrePopulated":true}]}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.395887090595119
TrID:	Win32 Executable (generic) a (10002005/4) 99.98% DOS Executable Generic (2002/1) 0.02%
File name:	Hbi8WUpShm.exe
File size:	185856
MD5:	00a41a4804673581f675471bffa2bafc
SHA1:	a9ebc4956b89e080451dbe619176a7e9ab8c8dd9
SHA256:	9739b15bd8493e99e281d62d213ddc4cce684b1e833af4634932c57a669035fc
SHA512:	f5136ac20e83e69492288e70de29c628517983f4e32e4f07bf61cdae8273d7eebbdef35febec348189a79433abb65f23943cd62cf40a16711eca3751c4a3a8cb
SSDEEP:	3072:9SBtkUimUbUffP36DCEtnaBlVTeWR5vcLtWA0AN87GqgodtpVu:SFHP62IaBlVyW7sQK87GAjpw
TLSH:	A004BF32D642C031F2B211B4B6BD1B7B483D0E343295A4E6E3E525E06EE59A9F43931F
File Content Preview:	MZER.....X.......<......(...............................................!..L.!This program cannot be run in DOS mode....$.............f...f...f.......f.......f.......f.Rich..f.................PE..L...-rxA............................P.............@........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x41f150
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x4178722D [Fri Oct 22 02:36:29 2004 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 64h
call 00007F6008C17D7Ah
mov esp, ebp
pop ebp
ret
call 00007F6008C1B565h
pop eax
ret
call 00007F6008C1B565h
pop eax
ret
call 00007F6008C17DC3h
ret
call 00007F6008C1B565h
pop eax
ret
jmp 00007F6008C17E26h
ret
call 00007F6008C1B565h
pop eax
ret
push 88888888h
jmp 00007F6008C19794h
ret
call 00007F6008C1B565h
pop eax
ret
push 88888888h
jmp 00007F6008C19797h
ret
call 00007F6008C1B565h
pop eax
ret
push 88888888h
jmp 00007F6008C1979Ah
ret
call 00007F6008C1B565h
pop eax
ret
push 88888888h
jmp 00007F6008C1979Dh
ret
call 00007F6008C1B565h
pop eax
ret
push 88888888h
jmp 00007F6008C197A0h
ret
call 00007F6008C1B565h
pop eax
ret
push 88888888h
jmp 00007F6008C197A3h
ret
call 00007F6008C1B565h
pop eax
ret
push 88888888h
jmp 00007F6008C197A6h
ret
call 00007F6008C1B565h
pop eax
ret
push 88888888h
jmp 00007F6008C197A9h
ret
call 00007F6008C1B565h
pop eax
ret

Rich Headers

Programming Language:

[C++] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2d1b4	0x2d200	False	0.7626547351108033	data	7.411530981126198	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.534.102.136.18049699802031412 03/20/23-09:11:34.950454	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49699	80	192.168.2.5	34.102.136.180
192.168.2.534.102.136.18049699802031449 03/20/23-09:11:34.950454	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49699	80	192.168.2.5	34.102.136.180
192.168.2.534.117.168.23349701802031412 03/20/23-09:12:16.158626	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49701	80	192.168.2.5	34.117.168.233
192.168.2.534.117.168.23349701802031453 03/20/23-09:12:16.158626	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49701	80	192.168.2.5	34.117.168.233
192.168.2.534.117.168.23349701802031449 03/20/23-09:12:16.158626	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49701	80	192.168.2.5	34.117.168.233
192.168.2.534.102.136.18049699802031453 03/20/23-09:11:34.950454	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49699	80	192.168.2.5	34.102.136.180

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2023 09:11:34.930716991 CET	49699	80	192.168.2.5	34.102.136.180
Mar 20, 2023 09:11:34.950098038 CET	80	49699	34.102.136.180	192.168.2.5
Mar 20, 2023 09:11:34.950277090 CET	49699	80	192.168.2.5	34.102.136.180
Mar 20, 2023 09:11:34.950453997 CET	49699	80	192.168.2.5	34.102.136.180
Mar 20, 2023 09:11:34.969583988 CET	80	49699	34.102.136.180	192.168.2.5
Mar 20, 2023 09:11:35.066672087 CET	80	49699	34.102.136.180	192.168.2.5
Mar 20, 2023 09:11:35.066715956 CET	80	49699	34.102.136.180	192.168.2.5
Mar 20, 2023 09:11:35.066847086 CET	49699	80	192.168.2.5	34.102.136.180
Mar 20, 2023 09:11:35.066898108 CET	49699	80	192.168.2.5	34.102.136.180
Mar 20, 2023 09:11:35.083978891 CET	80	49699	34.102.136.180	192.168.2.5
Mar 20, 2023 09:11:55.570101023 CET	49700	80	192.168.2.5	91.218.127.118
Mar 20, 2023 09:11:55.598764896 CET	80	49700	91.218.127.118	192.168.2.5
Mar 20, 2023 09:11:55.599045038 CET	49700	80	192.168.2.5	91.218.127.118
Mar 20, 2023 09:11:55.599268913 CET	49700	80	192.168.2.5	91.218.127.118
Mar 20, 2023 09:11:55.627808094 CET	80	49700	91.218.127.118	192.168.2.5
Mar 20, 2023 09:11:55.629206896 CET	80	49700	91.218.127.118	192.168.2.5
Mar 20, 2023 09:11:55.629324913 CET	80	49700	91.218.127.118	192.168.2.5
Mar 20, 2023 09:11:55.629522085 CET	49700	80	192.168.2.5	91.218.127.118
Mar 20, 2023 09:11:55.629584074 CET	49700	80	192.168.2.5	91.218.127.118
Mar 20, 2023 09:11:55.658082008 CET	80	49700	91.218.127.118	192.168.2.5
Mar 20, 2023 09:12:16.138863087 CET	49701	80	192.168.2.5	34.117.168.233
Mar 20, 2023 09:12:16.158241034 CET	80	49701	34.117.168.233	192.168.2.5
Mar 20, 2023 09:12:16.158474922 CET	49701	80	192.168.2.5	34.117.168.233
Mar 20, 2023 09:12:16.158626080 CET	49701	80	192.168.2.5	34.117.168.233
Mar 20, 2023 09:12:16.177845001 CET	80	49701	34.117.168.233	192.168.2.5
Mar 20, 2023 09:12:16.229779959 CET	80	49701	34.117.168.233	192.168.2.5
Mar 20, 2023 09:12:16.229813099 CET	80	49701	34.117.168.233	192.168.2.5
Mar 20, 2023 09:12:16.229986906 CET	49701	80	192.168.2.5	34.117.168.233
Mar 20, 2023 09:12:16.230048895 CET	49701	80	192.168.2.5	34.117.168.233
Mar 20, 2023 09:12:16.247335911 CET	80	49701	34.117.168.233	192.168.2.5
Mar 20, 2023 09:12:38.660048008 CET	49702	80	192.168.2.5	34.98.99.30
Mar 20, 2023 09:12:38.677489042 CET	80	49702	34.98.99.30	192.168.2.5
Mar 20, 2023 09:12:38.677763939 CET	49702	80	192.168.2.5	34.98.99.30
Mar 20, 2023 09:12:38.677958965 CET	49702	80	192.168.2.5	34.98.99.30
Mar 20, 2023 09:12:38.695177078 CET	80	49702	34.98.99.30	192.168.2.5
Mar 20, 2023 09:12:38.795730114 CET	80	49702	34.98.99.30	192.168.2.5
Mar 20, 2023 09:12:38.795758009 CET	80	49702	34.98.99.30	192.168.2.5
Mar 20, 2023 09:12:38.796055079 CET	49702	80	192.168.2.5	34.98.99.30
Mar 20, 2023 09:12:38.798008919 CET	49702	80	192.168.2.5	34.98.99.30
Mar 20, 2023 09:12:38.815126896 CET	80	49702	34.98.99.30	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2023 09:11:34.884437084 CET	60841	53	192.168.2.5	8.8.8.8
Mar 20, 2023 09:11:34.924032927 CET	53	60841	8.8.8.8	192.168.2.5
Mar 20, 2023 09:11:55.532341003 CET	61893	53	192.168.2.5	8.8.8.8
Mar 20, 2023 09:11:55.567677021 CET	53	61893	8.8.8.8	192.168.2.5
Mar 20, 2023 09:12:16.103852034 CET	60649	53	192.168.2.5	8.8.8.8
Mar 20, 2023 09:12:16.136781931 CET	53	60649	8.8.8.8	192.168.2.5
Mar 20, 2023 09:12:38.624042988 CET	51441	53	192.168.2.5	8.8.8.8
Mar 20, 2023 09:12:38.657809973 CET	53	51441	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 20, 2023 09:11:34.884437084 CET	192.168.2.5	8.8.8.8	0xd21b	Standard query (0)	www.letstalkreparation.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:11:55.532341003 CET	192.168.2.5	8.8.8.8	0xe7f5	Standard query (0)	www.zwangerschapvanweektotweek.net	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:16.103852034 CET	192.168.2.5	8.8.8.8	0x9aa5	Standard query (0)	www.gonulserezart.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:38.624042988 CET	192.168.2.5	8.8.8.8	0xfcc9	Standard query (0)	www.evaluatemyathlete.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 20, 2023 09:11:34.924032927 CET	8.8.8.8	192.168.2.5	0xd21b	No error (0)	www.letstalkreparation.com	letstalkreparation.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:11:34.924032927 CET	8.8.8.8	192.168.2.5	0xd21b	No error (0)	letstalkreparation.com		34.102.136.180	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:11:55.567677021 CET	8.8.8.8	192.168.2.5	0xe7f5	No error (0)	www.zwangerschapvanweektotweek.net		91.218.127.118	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:16.136781931 CET	8.8.8.8	192.168.2.5	0x9aa5	No error (0)	www.gonulserezart.com	gcdn0.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:12:16.136781931 CET	8.8.8.8	192.168.2.5	0x9aa5	No error (0)	gcdn0.wixdns.net	td-ccm-168-233.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:12:16.136781931 CET	8.8.8.8	192.168.2.5	0x9aa5	No error (0)	td-ccm-168-233.wixdns.net		34.117.168.233	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:38.657809973 CET	8.8.8.8	192.168.2.5	0xfcc9	No error (0)	www.evaluatemyathlete.com	evaluatemyathlete.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:12:38.657809973 CET	8.8.8.8	192.168.2.5	0xfcc9	No error (0)	evaluatemyathlete.com		34.98.99.30	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.letstalkreparation.com

www.zwangerschapvanweektotweek.net

www.gonulserezart.com

www.evaluatemyathlete.com

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE4
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE4
GetMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE4
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE4

Target ID:	0
Start time:	09:10:35
Start date:	20/03/2023
Path:	C:\Users\user\Desktop\Hbi8WUpShm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Hbi8WUpShm.exe
Imagebase:	0x830000
File size:	185856 bytes
MD5 hash:	00A41A4804673581F675471BFFA2BAFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exePID: 3324, Parent PID: 5868

General

Target ID:	1
Start time:	09:10:36
Start date:	20/03/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69bc80000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000001.00000002.585228598.000000000FBA3000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: chkdsk.exePID: 6012, Parent PID: 3324

General

Target ID:	2
Start time:	09:10:47
Start date:	20/03/2023
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\chkdsk.exe
Imagebase:	0x1370000
File size:	23040 bytes
MD5 hash:	2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exePID: 4208, Parent PID: 6012

General

Target ID:	3
Start time:	09:10:54
Start date:	20/03/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\Hbi8WUpShm.exe"
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 3536, Parent PID: 4208

General

Target ID:	4
Start time:	09:10:54
Start date:	20/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Hbi8WUpShm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
Hbi8WUpShm.exe