Summary | ZeroBOX

Delivery Order 26947238.xls

VBA_macro MSOffice File
Category  Machine        Started                   Completed
FILE      s1_win7_x6401  May 20, 2021, 9:27 a.m.   May 20, 2021, 9:33 a.m.
Size 892.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: corroborators ridabilities, Subject: overtower spoilage, Author: lability daffiness, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed May 19 14:25:12 2021, Last Saved Time/Date: Wed May 19 14:25:14 2021, Security: 0
MD5 c245d6f79bca2e8e87381a68b842c4d2
SHA256 f89115b6b774552e0311b43a584ea5f754f736b4106b7bd7f62e347ba75da659
CRC32 792D66C2
ssdeep 6144:Vk3hOdsylKlgryzc4bNhZF+E+W2knAxVEiHMOs:VVEGs
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

Flow SID Signature Category
TCP 107.190.140.178:443 -> 192.168.56.101:49207 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49210 -> 177.72.160.55:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49213 -> 74.220.219.123:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49206 -> 107.190.140.178:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49209 -> 177.72.160.55:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 177.72.160.55:443 -> 192.168.56.101:49211 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 74.220.219.123:443 -> 192.168.56.101:49215 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.185.217.211:443 -> 192.168.56.101:49221 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.185.123.100:443 -> 192.168.56.101:49229 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49219 -> 192.185.217.211:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49220 -> 192.185.217.211:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.185.36.231:443 -> 192.168.56.101:49225 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49224 -> 192.185.36.231:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 186.233.148.33:443 -> 192.168.56.101:49233 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49223 -> 192.185.36.231:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49204 -> 95.217.60.220:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49231 -> 186.233.148.33:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49228 -> 192.185.123.100:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.196.158.90:443 -> 192.168.56.101:49237 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49232 -> 186.233.148.33:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49235 -> 192.196.158.90:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49205 -> 107.190.140.178:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49214 -> 74.220.219.123:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49227 -> 192.185.123.100:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49236 -> 192.196.158.90:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49239 -> 188.225.225.70:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49240 -> 188.225.225.70:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 188.225.225.70:443 -> 192.168.56.101:49241 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49204 -> 95.217.60.220:443 C=US, O=Let's Encrypt, CN=R3 CN=*.vision-building.com 09:de:ea:e1:cb:07:99:99:e2:9f:a7:a6:66:23:ee:4a:b6:f4:17:48

request GET https://www.ktateeb.vision-building.com/public/graph/uploads/200x300/content_images/CByVubhIO51.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dce1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dd3f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dd3f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dc81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6da41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6da21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6da11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73321000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6d9f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6d9e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6d9a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6d991000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6d951000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6d911000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6d8f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6d8b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6d891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2388
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06310000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2388
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06310000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2388
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07470000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2388
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x074e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

Antivirus

MicroWorld-eScan VB.Heur2.EmoDldr.14.31BDAF5D.Gen
FireEye VB.Heur2.EmoDldr.14.31BDAF5D.Gen
ALYac VB.Heur2.EmoDldr.14.31BDAF5D.Gen
Sangfor Malware.Generic-VBA.Save.Obfuscated
Arcabit HEUR.VBA.Trojan.d
ESET-NOD32 a variant of VBA/TrojanDownloader.Agent.WCP
BitDefender VB.Heur2.EmoDldr.14.31BDAF5D.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware VB.Heur2.EmoDldr.14.31BDAF5D.Gen
VIPRE LooksLike.Macro.Malware.gen!x1 (v)
TrendMicro HEUR_VBA.OE
Emsisoft VB.Heur2.EmoDldr.14.31BDAF5D.Gen (B)
Microsoft Trojan:Script/Sabsik.FL.A!ml
GData VB.Heur2.EmoDldr.14.31BDAF5D.Gen
MAX malware (ai score=87)
Zoner Probably Heur.W97Obfuscated
Rising Malware.ObfusVBA@ML.85 (VBA)
SentinelOne Static AI - Malicious OLE
Fortinet VBA/Agent.WCP!tr.dldr

com_class Wscript.Shell May attempt to create new processes
payload_url https://www.ktateeb.vision-building.com/public/graph/uploads/200x300/content_images/CByVubhIO51.php