Click to jump to signature section
Source: Yara match | File source: nSMFpXgLe7.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: nSMFpXgLe7.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: nSMFpXgLe7.exe, type: SAMPLE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: nSMFpXgLe7.exe, type: SAMPLE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: nSMFpXgLe7.exe, type: SAMPLE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: Process Memory Space: nSMFpXgLe7.exe PID: 4968, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: nSMFpXgLe7.exe, type: SAMPLE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: nSMFpXgLe7.exe, type: SAMPLE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: nSMFpXgLe7.exe, type: SAMPLE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: Process Memory Space: nSMFpXgLe7.exe PID: 4968, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_011412B0 | 0_2_011412B0 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_0116236A | 0_2_0116236A |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_01161506 | 0_2_01161506 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_01161D39 | 0_2_01161D39 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_0114B457 | 0_2_0114B457 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_0114B452 | 0_2_0114B452 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_011444C7 | 0_2_011444C7 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_011444C0 | 0_2_011444C0 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_0114FE87 | 0_2_0114FE87 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_011446E7 | 0_2_011446E7 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_011412B0 EntryPoint,LdrInitializeThunk,NtProtectVirtualMemory,KiUserExceptionDispatcher, | 0_2_011412B0 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_011414E9 NtProtectVirtualMemory,KiUserExceptionDispatcher, | 0_2_011414E9 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_01161153 push eax; ret | 0_2_01161159 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_0114E9FC push es; retf | 0_2_0114EA09 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_0116109C push eax; ret | 0_2_011610EF |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_011610F2 push eax; ret | 0_2_01161159 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_011610E9 push eax; ret | 0_2_011610EF |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_0115A37A push esi; retf | 0_2_0115A37C |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_01149BCE pushad ; iretd | 0_2_01149BCF |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_0115AA73 push es; iretd | 0_2_0115AA75 |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_01161442 push dword ptr [482F20F0h]; ret | 0_2_0116148C |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_0115ACFE push cs; iretd | 0_2_0115ACFF |
Source: C:\Users\user\Desktop\nSMFpXgLe7.exe | Code function: 0_2_011627A5 push esp; ret | 0_2_011627A9 |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: Amcache.hve.3.dr | Binary or memory string: VMware |
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.3.dr | Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed |
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.3.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Yara match | File source: nSMFpXgLe7.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: nSMFpXgLe7.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.nSMFpXgLe7.exe.1140000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.307157257.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.324717900.0000000001141000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |