Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 26, 2021, 5:37 p.m.	May 26, 2021, 5:39 p.m.

Size	844.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: grues dauding, Subject: diverts triste, Author: decrepitude oscitations, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed May 19 14:26:43 2021, Last Saved Time/Date: Wed May 19 14:26:45 2021, Security: 0
MD5	`8cd09ba1a0a1c52115e5419c92342708`
SHA256	`99811775df40b9988040f787af520531714fe8fbce7139886843b96fbb20cb4b`
CRC32	`8B071F4A`
ssdeep	`6144:3k3hOdsylKlgryzc4bNhZF+E+W2knA6IKi:s`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" "C:\Users\test22\AppData\Local\Temp\PO 474050.xls"
2216

Name	Response	Post-Analysis Lookup
agentsv2.ivm.mv	A 192.185.36.231	192.185.36.231
creatalca.cl	A 192.185.16.103	192.185.16.103
coeniglich.de	A 172.104.152.37	172.104.152.37
market-in.org	A 104.21.55.237 A 172.67.174.113	104.21.55.237
aims1.ezicodes.com	A 188.225.225.70	188.225.225.70
fate.sa	A 192.196.158.90	192.196.158.90
mail-call.us	A 74.220.219.123	74.220.219.123
newzroot.com	A 138.201.203.76	138.201.203.76
sklep.northserwis.pl	A 82.177.209.21	82.177.209.21
akachi.co.za	A 66.85.46.71	66.85.46.71

IP Address	Status	Action
104.21.55.237	Active	Moloch
138.201.203.76	Active	Moloch
164.124.101.2	Active	Moloch
172.104.152.37	Active	Moloch
188.225.225.70	Active	Moloch
192.185.16.103	Active	Moloch
192.185.36.231	Active	Moloch
192.196.158.90	Active	Moloch
66.85.46.71	Active	Moloch
74.220.219.123	Active	Moloch
82.177.209.21	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49203 -> 66.85.46.71:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 74.220.219.123:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 66.85.46.71:443 -> 192.168.56.101:49205	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 66.85.46.71:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 188.225.225.70:443 -> 192.168.56.101:49213	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49222 -> 192.185.36.231:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 74.220.219.123:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 188.225.225.70:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49227 -> 192.196.158.90:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 188.225.225.70:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 74.220.219.123:443 -> 192.168.56.101:49209	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49235 -> 192.185.16.103:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49234 -> 192.185.16.103:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49216 -> 82.177.209.21:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 82.177.209.21:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.185.16.103:443 -> 192.168.56.101:49236	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 82.177.209.21:443 -> 192.168.56.101:49217	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49220 -> 104.21.55.237:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.185.36.231:443 -> 192.168.56.101:49224	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49223 -> 192.185.36.231:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 192.196.158.90:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49231 -> 138.201.203.76:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49231 -> 138.201.203.76:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49230 -> 138.201.203.76:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49231 -> 138.201.203.76:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49230 -> 138.201.203.76:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.196.158.90:443 -> 192.168.56.101:49228	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49230 -> 138.201.203.76:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 138.201.203.76:443 -> 192.168.56.101:49231	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 138.201.203.76:443 -> 192.168.56.101:49231	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49232 -> 138.201.203.76:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49232 -> 138.201.203.76:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 138.201.203.76:443 -> 192.168.56.101:49232	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 138.201.203.76:443 -> 192.168.56.101:49232	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49238 -> 172.104.152.37:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 138.201.203.76:443 -> 192.168.56.101:49230	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 138.201.203.76:443 -> 192.168.56.101:49230	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49220 104.21.55.237:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	22:cd:f1:1e:6d:a9:c2:d5:50:ed:b8:c5:51:58:1d:dc:46:4a:32:53

Performs some HTTP requests (1 event)

request

GET https://market-in.org/wp-content/uploads/2020/06/H4RiD4lTF.php

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6da41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6da21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6da11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d991000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:37 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:38 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d911000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:38 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d8f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:38 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d8b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:38 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2021, 5:38 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2021, 5:38 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates suspicious VBA object (1 event)

com_class

Wscript.Shell

May attempt to create new processes

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
ALYac	Trojan.Downloader.XLS.gen
VIPRE	LooksLike.Macro.Malware.gen!x1 (v)
Sangfor	Malware.Generic-VBA.Save.Obfuscated
Arcabit	HEUR.VBA.Trojan.d
Cyren	X97M/Agent.WF.gen!Eldorado
Symantec	W97M.Downloader
ESET-NOD32	a variant of Generik.FJCFWJD
Avast	VBS:Dropper-QF [Trj]
Kaspersky	HEUR:Trojan-Dropper.MSOffice.SDrop.gen
BitDefender	VB:Trojan.Valyria.4584
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
ViRobot	XLS.Z.Agent.864256
MicroWorld-eScan	VB:Trojan.Valyria.4584
Ad-Aware	VB:Trojan.Valyria.4584
Emsisoft	VB:Trojan.Valyria.4584 (B)
F-Secure	Heuristic.HEUR/Macro.Downloader.MRAFS.Gen
DrWeb	Exploit.Siggen3.17570
TrendMicro	HEUR_VBA.OE
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.cx
FireEye	VB:Trojan.Valyria.4584
Ikarus	Trojan-Downloader.VBA.Agent
Avira	HEUR/Macro.Downloader.MRAFS.Gen
Microsoft	TrojanDownloader:O97M/Dridex.NYKC!MTB
AegisLab	Trojan.MSOffice.SDrop.b!c
GData	VB:Trojan.Valyria.4584
TACHYON	Suspicious/X97M.Obfus.Gen.6
MAX	malware (ai score=82)
Zoner	Probably Heur.W97Obfuscated
Rising	Heur.Macro.Downloader.f (CLASSIC)
SentinelOne	Static AI - Malicious OLE
Fortinet	VBA/Agent.WCP!tr.dldr
AVG	VBS:Dropper-QF [Trj]

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://akachi.co.za/uJPPYNmRbBCB8fm.php

PO 474050.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All