Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
07.04 10:07
file_qzz145uz.kxq.txt.ps1
07.04 10:07
file_20dp34d4.orr.txt.ps1
07.04 10:07
file_3e3wgwby.144.txt.ps1
07.04 10:07
new-image_j.jpg.exe
07.04 10:07
moon.txt.exe
07.04 10:07
okeydookietrational.tx...
07.04 10:07
streamer.exe
07.04 10:07
file_2n4kbwex.dbr.txt.ps1
07.04 09:07
file_5jjhn5s1.zo4.txt.ps1
07.04 09:07
file_iet2mvl3.idw.txt.ps1

Latest News
07.04 10:07
[부고] 제이커넥트 이기복 대표 모친상
07.04 10:07
New Open SSH Vulnerabi...
07.04 09:07
WordPress User Enumera...
07.04 08:07
Smashing Security podc...
07.04 07:07
ECMAScript 2024 JavaSc...
07.04 07:07
The AI Fix #5: An angr...
07.04 07:07
It’s Time For Lawmaker...
07.04 07:07
Securing Supply Chains...
07.04 07:07
Emulating the Sabotage...
07.04 07:07
Threat Hunting Worksho...

Summary | ZeroBOX

catalog-64874377.xlsm

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 16, 2021, 9:53 a.m.	April 16, 2021, 9:55 a.m.

Size	120.1KB
Type	Microsoft Excel 2007+
MD5	`608719001a3fbf939763a416e80f1410`
SHA256	`953bf3a25e16716f18eb6da7fc85d732fe4e3c554797756014055e60b763f140`
CRC32	`9ED33ACD`
ssdeep	`3072:mOKybaf6JMcuaNB19ofM1xjy/YD6GQ8cl:mc2f6Jzuu9oM1lyu7Qnl`
Yara	None matched

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\catalog-64874377.xlsm
2616
- rundll32.exe rundll32 ..\ghnrope.rue1,DllRegisterServer
  5656
- rundll32.exe rundll32 ..\ghnrope.rue2,DllRegisterServer
  8064
- rundll32.exe rundll32 ..\ghnrope.rue3,DllRegisterServer
  4980
- rundll32.exe rundll32 ..\ghnrope.rue4,DllRegisterServer
  3624

Name	Response	Post-Analysis Lookup
boehm-kavon15lc.ru.com	A 34.95.253.189	34.95.253.189
jahthroneafricancrafts.com	A 75.119.136.137	75.119.136.137
glsiba.org	A 204.11.58.33	204.11.58.33
rosenbaum-milan15y.ru.com	A 34.95.253.189	34.95.253.189

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
204.11.58.33	Active	Moloch
34.95.253.189	Active	Moloch
75.119.136.137	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49812 -> 204.11.58.33:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 204.11.58.33:443 -> 192.168.56.102:49813	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 75.119.136.137:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 75.119.136.137:443 -> 192.168.56.102:49817	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49816 -> 75.119.136.137:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49811 -> 204.11.58.33:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Performs some HTTP requests (2 events)

request	GET http://boehm-kavon15lc.ru.com/body.html
request	GET http://rosenbaum-milan15y.ru.com/body.html

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70af1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b4f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b4f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70731000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70731000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f61000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f71000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e5e1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743f1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726d1000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 16, 2021, 9:53 a.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$catalog-64874377.xlsm

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 16, 2021, 9:53 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000338 filepath: C:\Users\test22\AppData\Local\Temp\~$catalog-64874377.xlsm desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$catalog-64874377.xlsm create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

MicroWorld-eScan	Trojan.Vita.18
FireEye	Trojan.Vita.18
K7GW	Trojan ( 0057940f1 )
K7AntiVirus	Trojan ( 0057940f1 )
Arcabit	Trojan.Vita.18
Cyren	XLSM/Sneaky.T.gen!Camelot
BitDefender	Trojan.Vita.18
Tencent	Trojan.Win32.Macro40.11000270
Emsisoft	Trojan.Vita.18 (B)
Ikarus	Trojan.Office.Doc
MAX	malware (ai score=88)
GData	Trojan.Vita.18
Qihoo-360	macro.office.07defname.gen

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (4 events)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW April 16, 2021, 9:53 a.m.	url: http://boehm-kavon15lc.ru.com/body.html stack_pivoted: 0 filepath_r: ..\ghnrope.rue1 filepath: C:\Users\test22\ghnrope.rue1	1	0	0
URLDownloadToFileW April 16, 2021, 9:53 a.m.	url: http://rosenbaum-milan15y.ru.com/body.html stack_pivoted: 0 filepath_r: ..\ghnrope.rue2 filepath: C:\Users\test22\ghnrope.rue2	1	0	0
URLDownloadToFileW April 16, 2021, 9:53 a.m.	url: https://glsiba.org/drms/body.html stack_pivoted: 0 filepath_r: ..\ghnrope.rue3 filepath: C:\Users\test22\ghnrope.rue3		2148270085	0
URLDownloadToFileW April 16, 2021, 9:53 a.m.	url: https://jahthroneafricancrafts.com/drms/body.html stack_pivoted: 0 filepath_r: ..\ghnrope.rue4 filepath: C:\Users\test22\ghnrope.rue4		2148270085	0

One or more non-whitelisted processes were created (4 events)

parent_process	excel.exe				martian_process	rundll32 ..\ghnrope.rue3,DllRegisterServer
parent_process	excel.exe				martian_process	rundll32 ..\ghnrope.rue2,DllRegisterServer
parent_process	excel.exe				martian_process	rundll32 ..\ghnrope.rue4,DllRegisterServer
parent_process	excel.exe				martian_process	rundll32 ..\ghnrope.rue1,DllRegisterServer

Generates some ICMP traffic