Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 20, 2021, 4:31 p.m.	May 20, 2021, 4:36 p.m.

Size	797.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: dispensatory cycloidians, Subject: hepatectomized dehydrogenating, Author: devices rotch, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed May 19 13:26:23 2021, Last Saved Time/Date: Wed May 19 13:26:24 2021, Security: 0
MD5	`5186a21d30bbf28909683c4767597481`
SHA256	`57301e8fe9f386d64b44ddefe1c7124be0aba07cde84cba72d2c2aa9c1402b5d`
CRC32	`2442C02C`
ssdeep	`6144:fk3hOdsylKlgryzc4bNhZF+E+W2knALkzjDpvs:o`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\Inv%2006687243.xls
7180

Name	Response	Post-Analysis Lookup
mahinur.nucleustechbd.com	A 67.222.155.191	67.222.155.191
fotounirii.ro	A 89.35.173.76	89.35.173.76
gamberinigianluca.com	A 64.37.52.95	64.37.52.95
specs2go.shawalzahid.com	A 158.69.144.71	158.69.144.71
abdul.yousufbaloch.com	A 192.185.36.81	192.185.36.81
armaenerji.com	A 217.195.198.212	217.195.198.212
lamiragereception.com.au	A 67.23.226.231	67.23.226.231
fuherpronn.org	A 162.241.194.204	162.241.194.204
plascom.ind.br	A 191.252.142.218	191.252.142.218
lojamusic.com.br	A 162.241.2.234	162.241.2.234

IP Address	Status	Action
158.69.144.71	Active	Moloch
162.241.194.204	Active	Moloch
162.241.2.234	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
191.252.142.218	Active	Moloch
192.185.36.81	Active	Moloch
217.195.198.212	Active	Moloch
64.37.52.95	Active	Moloch
67.222.155.191	Active	Moloch
67.23.226.231	Active	Moloch
89.35.173.76	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49827 -> 192.185.36.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49824 -> 162.241.194.204:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.241.194.204:443 -> 192.168.56.102:49825	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.185.36.81:443 -> 192.168.56.102:49829	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49828 -> 192.185.36.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49843 -> 162.241.2.234:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49837 -> 191.252.142.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 67.222.155.191:443 -> 192.168.56.102:49833	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 158.69.144.71:443 -> 192.168.56.102:49815	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49817 -> 64.37.52.95:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49818 -> 64.37.52.95:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49835 -> 217.195.198.212:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.241.2.234:443 -> 192.168.56.102:49844	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49823 -> 162.241.194.204:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49813 -> 158.69.144.71:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49814 -> 158.69.144.71:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 64.37.52.95:443 -> 192.168.56.102:49819	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49831 -> 67.222.155.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49832 -> 67.222.155.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49838 -> 89.35.173.76:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49839 -> 89.35.173.76:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.35.173.76:443 -> 192.168.56.102:49840	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49842 -> 162.241.2.234:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49837 191.252.142.218:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=plascom.ind.br	1f:e9:98:05:fa:19:00:c4:80:aa:f2:ac:9f:c1:3c:9f:e4:63:c1:90
TLSv1 192.168.56.102:49835 217.195.198.212:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=armaenerji.com	ac:fa:ea:1f:67:61:cf:bb:ae:49:ae:ad:5f:2a:ad:cc:65:b3:c2:b4

Performs some HTTP requests (2 events)

request	GET https://armaenerji.com/UserFiles/site/enerji-kablolari/HES/tbqsCGNY.php
request	GET https://plascom.ind.br/_img/parceiros/Ii2g4cYzKfaMLz7.php

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 20, 2021, 4:31 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:31 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b4f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:31 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b4f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:31 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:31 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05601000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e5e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74111000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2021, 4:32 p.m.	process_identifier: 7180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Creates suspicious VBA object (1 event)

com_class

Wscript.Shell

May attempt to create new processes

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

MicroWorld-eScan	VB:Trojan.Valyria.4584
McAfee	X97M/Downloader.in
Sangfor	Malware.Generic-VBA.Save.Obfuscated
Arcabit	HEUR.VBA.Trojan.d
Cyren	X97M/Agent.WF.gen!Eldorado
ESET-NOD32	a variant of VBA/TrojanDownloader.Agent.WCP
Avast	SNH:Script [Dropper]
BitDefender	VB:Trojan.Valyria.4584
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware	VB:Trojan.Valyria.4584
VIPRE	LooksLike.Macro.Malware.gen!x1 (v)
TrendMicro	HEUR_VBA.OE
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.bx
FireEye	VB:Trojan.Valyria.4584
Emsisoft	VB:Trojan.Valyria.4584 (B)
Microsoft	Trojan:Win32/Dridex!ml
GData	VB:Trojan.Valyria.4584
ALYac	VB:Trojan.Valyria.4584
MAX	malware (ai score=85)
Zoner	Probably Heur.W97Obfuscated
Rising	Malware.ObfusVBA@ML.85 (VBA)
SentinelOne	Static AI - Malicious OLE
Fortinet	VBA/Agent.WCP!tr.dldr
AVG	SNH:Script [Dropper]

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

67.23.226.231:443

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php

Inv%2006687243.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All