Summary | ZeroBOX

generated order 257404.xlsm

VBA_macro
Category FILE
Machine s1_win7_x6401
Started May 12, 2021, 5:56 p.m.
Completed May 12, 2021, 5:58 p.m.
Size 2.6MB
Type Microsoft Excel 2007+
MD5 77838fe56970ec040ea084f6c5b3def6
SHA256 95f36b06a9ef5bdf1301634ff67e49d51643e747c9be8ade616e26328c10ca02
CRC32 62AD0384
ssdeep 49152:TyQjailJOEDH0LYkaveM9w9WJ6ixqNvATNtBWJn1hKX+qqwElQfaAYaNY55ZcvVc:WFirCWepWJ6ixqmh2Fz7qqwIaxdN4ZGe
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
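Added example, not part of the ZeroBOX report or its Yara rule set: the structural check behind a rule like Contains_VBA_macro_code, written in Python against the OOXML container. A macro-enabled workbook is a zip whose [Content_Types].xml declares a vnd.ms-office.vbaProject part and whose xl/vbaProject.bin is an OLE2 compound file; the function looks for both, so a file renamed from .xlsm to .xlsx, or one whose content type was scrubbed, is still caught. The workbooks it runs on are constructed in memory and are not the sample above.

```python
import io
import zipfile

# OLE2 (compound file) header magic; a genuine vbaProject.bin starts with it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_vba_evidence(data: bytes) -> dict:
    """Look inside an OOXML container for the signs a 'Contains_VBA_macro_code'
    style rule keys on: a vbaProject.bin part, the macro-enabled content types,
    and an OLE2 header on that part."""
    evidence = {"is_zip": False, "vba_parts": [], "macro_content_type": False, "ole_magic": False}
    if not data.startswith(b"PK\x03\x04"):
        return evidence  # .xls/.doc are OLE2 containers, not zips; not handled here
    evidence["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Part names are case-insensitive in OPC and the part need not sit under xl/.
        evidence["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            evidence["macro_content_type"] = ("vnd.ms-office.vbaProject" in ct) or ("macroEnabled" in ct)
        evidence["ole_magic"] = any(z.read(p).startswith(OLE_MAGIC) for p in evidence["vba_parts"])
    return evidence


def has_vba_macro(data: bytes) -> bool:
    """Either signal is enough: the part can be present even when the content type was removed."""
    ev = find_vba_evidence(data)
    return bool(ev["vba_parts"]) or ev["macro_content_type"]


# --- constructed inputs (throwaway workbooks, not the sample from this report) ---
def build_workbook(with_vba: bool, declare_content_type: bool = True) -> bytes:
    """Build a minimal OOXML workbook in memory, optionally with a fake VBA part."""
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    if with_vba and declare_content_type:
        overrides.append('<Override PartName="/xl/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Only the OLE2 magic matters for this check; the rest is padding.
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("plain", build_workbook(False)),
                        ("macro", build_workbook(True)),
                        ("macro, content type scrubbed", build_workbook(True, declare_content_type=False))):
        print(label, has_vba_macro(blob), find_vba_evidence(blob))
```

The check stops at "there is VBA"; to see what the macro does you still need olevba or another p-code/source extractor. The legacy binary formats (.xls, .doc) are OLE2 containers rather than zips and need a separate path that this function deliberately leaves out.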

Suricata Alerts

Flow  SID  Signature  Category
TCP 192.168.56.101:49207 -> 67.222.131.40:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49210 -> 95.216.246.100:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49219 -> 162.241.85.241:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49211 -> 95.216.246.100:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49215 -> 162.241.190.216:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49223 -> 64.37.56.40:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 67.222.131.40:443 -> 192.168.56.101:49208 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 95.216.246.100:443 -> 192.168.56.101:49212 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 162.241.85.241:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49222 -> 64.37.56.40:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49242 -> 192.185.115.105:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49229 -> 192.185.171.227:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49232 -> 104.21.56.243:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 185.116.60.7:443 -> 192.168.56.101:49235 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 162.241.85.241:443 -> 192.168.56.101:49220 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.185.171.227:443 -> 192.168.56.101:49230 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49238 -> 185.61.154.27:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49237 -> 185.61.154.27:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49233 -> 185.116.60.7:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.185.115.105:443 -> 192.168.56.101:49243 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 67.222.131.40:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49214 -> 162.241.190.216:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 162.241.190.216:443 -> 192.168.56.101:49216 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 64.37.56.40:443 -> 192.168.56.101:49225 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49228 -> 192.185.171.227:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49234 -> 185.116.60.7:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 185.61.154.27:443 -> 192.168.56.101:49239 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49241 -> 192.185.115.105:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
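Added example, not from the report: how to turn the alert table above into something actionable, in Python, using ten rows copied from it as input. The JA3 rule matches the ClientHello, so the remote host is the destination; the handshake-failure rule matches the server's alert record, so the remote host is the source. Normalising that direction gives a per-host view of what the macro tried to reach and which sessions did not visibly fail.

```python
import re
from collections import defaultdict

SANDBOX_HOST = "192.168.56.101"        # the analysis VM in this report
SID_JA3_BLACKLIST = 906200056          # SSLBL: Malicious JA3 SSL-Client Fingerprint detected
SID_TLS_HANDSHAKE_FAILURE = 2029340    # ET INFO TLS Handshake Failure

# proto src:port -> dst:port SID message [category]
ROW_RE = re.compile(r"^(TCP|UDP)\s+(\S+?):(\d+)\s+->\s+(\S+?):(\d+)\s+(\d+)\s+(.+)$")

# Ten rows copied from the Suricata Alerts table above (the remaining rows follow
# the same pattern); the empty category column of the JA3 rows is dropped.
ALERT_ROWS = """\
TCP 192.168.56.101:49207 -> 67.222.131.40:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49210 -> 95.216.246.100:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49211 -> 95.216.246.100:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 67.222.131.40:443 -> 192.168.56.101:49208 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 95.216.246.100:443 -> 192.168.56.101:49212 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49232 -> 104.21.56.243:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 185.116.60.7:443 -> 192.168.56.101:49235 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49233 -> 185.116.60.7:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49206 -> 67.222.131.40:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.101:49234 -> 185.116.60.7:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
""".splitlines()


def parse_alert(row: str):
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    proto, src, sport, dst, dport, sid, msg = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "sid": int(sid), "msg": msg}


def triage(rows, sandbox_host=SANDBOX_HOST):
    """Group alerts by remote endpoint, keyed on the VM's ephemeral port so the
    two directions of the same flow can be compared."""
    remotes = defaultdict(lambda: {"ja3_hits": [], "handshake_failures": []})
    for row in rows:
        a = parse_alert(row)
        if a is None:
            continue
        if a["src"] == sandbox_host:
            remote, client_port = a["dst"], a["sport"]
        elif a["dst"] == sandbox_host:
            remote, client_port = a["src"], a["dport"]
        else:
            continue  # neither side is the VM: not a flow of interest
        if a["sid"] == SID_JA3_BLACKLIST:
            remotes[remote]["ja3_hits"].append(client_port)
        elif a["sid"] == SID_TLS_HANDSHAKE_FAILURE:
            remotes[remote]["handshake_failures"].append(client_port)
    return dict(remotes)


def contacted_hosts(summary):
    """Every remote the VM sent a ClientHello to: the network IOC list."""
    return sorted(ip for ip, rec in summary.items() if rec["ja3_hits"])


def hosts_without_observed_failure(summary):
    """Remotes that never answered with a handshake failure; these sessions are the
    ones most likely to have carried data and deserve the first look in the pcap."""
    return sorted(ip for ip, rec in summary.items()
                  if rec["ja3_hits"] and not rec["handshake_failures"])


if __name__ == "__main__":
    s = triage(ALERT_ROWS)
    for ip in contacted_hosts(s):
        print(ip, s[ip])
    print("no observed handshake failure:", hosts_without_observed_failure(s))
```

A JA3 blacklist hit identifies the client's TLS fingerprint, not the server; the Tofsee label is SSLBL's attribution of that fingerprint and is widely reported to match ordinary Windows TLS client stacks as well, so the destination list, checked against the request and payload_url entries on this page, is the part worth acting on. 104.21.56.243 is the one host in these rows with no failure alert, and it is also the only flow in the Suricata TLS section below, which corroborates that at least that session completed.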

Suricata TLS

Flow: 192.168.56.101:49232 -> 104.21.56.243:443 (TLSv1)
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint: 4e:79:10:b8:c5:23:66:ec:e3:c5:cd:69:01:8e:5a:24:61:cc:26:83

request GET https://vipecotton.com/wp-content/plugins/wpml-media-translation/res/css/7q0Vreh38laGy9.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory (19 calls; identical arguments except for base_address)

process_identifier: 2212
process_handle: 0xffffffff
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
base_address, in call order: 0x6dd11000, 0x6dd6f000, 0x6dd6f000, 0x6dcb1000, 0x65001000, 0x6d901000, 0x6d8e1000, 0x6d8d1000, 0x73321000, 0x6d8b1000, 0x6d8a1000, 0x6d861000, 0x6d851000, 0x6d811000, 0x6d7d1000, 0x6d7b1000, 0x6d771000, 0x75401000, 0x6d751000
Status 1, Return 0, Repeated 0 for every call
file C:\Users\test22\AppData\Local\Temp\~$generated order 257404.xlsm
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000003a4
filepath: C:\Users\test22\AppData\Local\Temp\~$generated order 257404.xlsm
desired_access: 0xc0110080 (GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE|DELETE|FILE_READ_ATTRIBUTES)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$generated order 257404.xlsm
create_options: 4198496 (0x401060: FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE|FILE_DELETE_ON_CLOSE|FILE_OPEN_NO_RECALL)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
Status 1, Return 0, Repeated 0

The "~$" file is Excel's hidden owner file, created with FILE_DELETE_ON_CLOSE for any workbook it opens; it is normal Office behaviour on the sandbox, not an artifact written by the macro.
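Added example, not part of the ZeroBOX report: the flag decoding a practitioner applies to the two traces above, in Python, with constant tables taken from the Windows SDK headers. Run on the values above it expands desired_access 0xc0110080 to include GENERIC_READ and create_options 0x401060 to include FILE_OPEN_NO_RECALL, and its leftover-bits result is how an incomplete decoder table is noticed. PROTECT_CALLS and CREATE_FILE_CALL are transcribed from the entries above; everything else is the example's own.

```python
# Bit tables from the Windows SDK headers (winnt.h / ntifs.h); only the bits
# that can appear in these arguments are listed.
PAGE_PROTECTION = {
    0x001: "PAGE_NOACCESS", 0x002: "PAGE_READONLY", 0x004: "PAGE_READWRITE",
    0x008: "PAGE_WRITECOPY", 0x010: "PAGE_EXECUTE", 0x020: "PAGE_EXECUTE_READ",
    0x040: "PAGE_EXECUTE_READWRITE", 0x080: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
ACCESS_MASK = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000080: "FILE_READ_ATTRIBUTES", 0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
CREATE_OPTIONS = {
    0x00000001: "FILE_DIRECTORY_FILE", 0x00000002: "FILE_WRITE_THROUGH",
    0x00000004: "FILE_SEQUENTIAL_ONLY", 0x00000008: "FILE_NO_INTERMEDIATE_BUFFERING",
    0x00000010: "FILE_SYNCHRONOUS_IO_ALERT", 0x00000020: "FILE_SYNCHRONOUS_IO_NONALERT",
    0x00000040: "FILE_NON_DIRECTORY_FILE", 0x00000080: "FILE_CREATE_TREE_CONNECTION",
    0x00000100: "FILE_COMPLETE_IF_OPLOCKED", 0x00000200: "FILE_NO_EA_KNOWLEDGE",
    0x00000400: "FILE_OPEN_REMOTE_INSTANCE", 0x00000800: "FILE_RANDOM_ACCESS",
    0x00001000: "FILE_DELETE_ON_CLOSE", 0x00002000: "FILE_OPEN_BY_FILE_ID",
    0x00004000: "FILE_OPEN_FOR_BACKUP_INTENT", 0x00008000: "FILE_NO_COMPRESSION",
    0x00010000: "FILE_OPEN_REQUIRING_OPLOCK", 0x00100000: "FILE_RESERVE_OPFILTER",
    0x00200000: "FILE_OPEN_REPARSE_POINT", 0x00400000: "FILE_OPEN_NO_RECALL",
    0x00800000: "FILE_OPEN_FOR_FREE_SPACE_QUERY",
}
FILE_ATTRIBUTES = {
    0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
    0x04: "FILE_ATTRIBUTE_SYSTEM", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
    0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
}


def decode_flags(value, table):
    """Expand a bitmask into names; the second result is whatever bits the table
    does not know, so an incomplete table shows up instead of silently vanishing."""
    names, unknown = [], value
    for bit in sorted(table):
        if value & bit:
            names.append(table[bit])
            unknown &= ~bit
    return names, unknown


def is_rwx(protection):
    """PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY in the low byte; modifier
    bits such as PAGE_GUARD or PAGE_NOCACHE are ignored."""
    return (protection & 0xFF) in (0x40, 0x80)


def rwx_pages(calls):
    """Unique (base, length) ranges made writable and executable, keyed by pid."""
    pages = {}
    for pid, base, length, protection in calls:
        if is_rwx(protection):
            pages.setdefault(pid, set()).add((base, length))
    return pages


# The 19 NtProtectVirtualMemory calls above, condensed to (pid, base, length, protection).
PROTECT_CALLS = [(2212, base, 4096, 64) for base in (
    0x6dd11000, 0x6dd6f000, 0x6dd6f000, 0x6dcb1000, 0x65001000, 0x6d901000,
    0x6d8e1000, 0x6d8d1000, 0x73321000, 0x6d8b1000, 0x6d8a1000, 0x6d861000,
    0x6d851000, 0x6d811000, 0x6d7d1000, 0x6d7b1000, 0x6d771000, 0x75401000,
    0x6d751000)]

# The NtCreateFile arguments above, as the raw integers the trace records.
CREATE_FILE_CALL = {"desired_access": 0xc0110080, "file_attributes": 2,
                    "create_options": 4198496}


def describe_create_file(call):
    return {
        "desired_access": decode_flags(call["desired_access"], ACCESS_MASK),
        "file_attributes": decode_flags(call["file_attributes"], FILE_ATTRIBUTES),
        "create_options": decode_flags(call["create_options"], CREATE_OPTIONS),
    }


if __name__ == "__main__":
    for field, (names, unknown) in describe_create_file(CREATE_FILE_CALL).items():
        tail = f"  (undecoded bits 0x{unknown:x})" if unknown else ""
        print(f"{field}: {'|'.join(names)}{tail}")
    for pid, pages in rwx_pages(PROTECT_CALLS).items():
        print(f"pid {pid}: {len(pages)} distinct RWX page(s)")
```

On the RWX side the output is 18 distinct pages (one base repeats), each a single 4 KiB page and all but one at an address ending in 0x1000, inside the 0x65000000 to 0x76000000 range where 32-bit system DLLs load on Windows 7. That is the shape of in-place patching of loaded modules rather than of an unpacked payload in heap memory, so correlate the bases with the process's module list before reading these calls as unpacking.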
com_class: Wscript.Shell (may attempt to create new processes)

Antivirus  Detection
MicroWorld-eScan Trojan.GenericKD.36862150
ALYac Trojan.Downloader.XLS.Gen
AegisLab Trojan.Script.Generic.4!c
BitDefender Trojan.GenericKD.36862150
Cyren XLSM/Dridex.A.gen!Camelot
Symantec Trojan.Gen.NPE
ESET-NOD32 VBA/TrojanDownloader.Agent.WBH
TrendMicro-HouseCall Possible_SMICEDIDG
Kaspersky HEUR:Trojan.Script.Generic
Alibaba TrojanDownloader:Office97/Dridex.4c8b0898
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
ViRobot XLS.Z.Agent.2740826
Rising Malware.ObfusVBA@ML.99 (VBA)
Ad-Aware Trojan.GenericKD.36862150
Comodo Malware@#3eflymud1j6o7
TrendMicro Possible_SMICEDIDG
McAfee-GW-Edition X97M/Downloader.hf
FireEye Trojan.GenericKD.36862150
Emsisoft Trojan.GenericKD.36862150 (B)
Ikarus Trojan-Downloader.VBA.Agent
Avira HEUR/Macro.Downloader.MRAFS.Gen
MAX malware (ai score=100)
Gridinsoft Trojan.U.Downloader.oa
Arcabit HEUR.VBA.Trojan.d
ZoneAlarm HEUR:Trojan.Script.Generic
GData Trojan.GenericKD.36862150
Cynet Malicious (score: 99)
AhnLab-V3 Downloader/MSOffice.Generic
McAfee X97M/Downloader.im
Fortinet VBA/Agent.31FD!tr
AVG Script:SNH-gen [Trj]
payload_url https://grupoakrabu.com/img/galeria/paEAehZhSWNmH.php