Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 27, 2021, 9:15 a.m.	May 27, 2021, 9:17 a.m.

Size	924.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: habitabilities polygamous, Subject: santerias plantless, Author: ecologies distribution, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed May 19 14:23:50 2021, Last Saved Time/Date: Wed May 19 14:23:52 2021, Security: 0
MD5	`a7b63000938bbeb31722acac4a96b004`
SHA256	`eb9509c453a808694eb50c18101558f492f16e6fdb3f349686da3d7c627311c9`
CRC32	`5010BE71`
ssdeep	`6144:Ik3hOdsylKlgryzc4bNhZF+E+W2knAh4s3eZCoebhQ:qelii`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\Document%20777622.xls
112

Name	Response	Post-Analysis Lookup
agentsv2.ivm.mv	A 192.185.36.231	192.185.36.231
donboscoschoolbd.com	A 138.201.27.66	138.201.27.66
bonsventosnautica.com.br	A 162.241.203.116	162.241.203.116
coeniglich.de	A 172.104.152.37	172.104.152.37
clinicasaludmasculina.com	A 192.185.131.33	192.185.131.33
smtp.computeraccess.co.in	A 192.185.154.138	192.185.154.138
supereclinica.com.br	A 162.241.203.185	162.241.203.185
proterra.med.br	A 192.185.217.211	192.185.217.211
bypuzzle.com.br	A 192.185.215.103	192.185.215.103
www.ktateeb.vision-building.com

IP Address	Status	Action
138.201.27.66	Active	Moloch
162.241.203.116	Active	Moloch
162.241.203.185	Active	Moloch
164.124.101.2	Active	Moloch
172.104.152.37	Active	Moloch
192.185.131.33	Active	Moloch
192.185.154.138	Active	Moloch
192.185.215.103	Active	Moloch
192.185.217.211	Active	Moloch
192.185.36.231	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.185.154.138:443 -> 192.168.56.101:49207	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49210 -> 162.241.203.185:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 192.185.154.138:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 192.185.154.138:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49225 -> 192.185.217.211:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49219 -> 192.185.215.103:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.185.215.103:443 -> 192.168.56.101:49221	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49209 -> 162.241.203.185:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49223 -> 192.185.217.211:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.241.203.185:443 -> 192.168.56.101:49211	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49228 -> 192.185.36.231:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49232 -> 192.185.131.33:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 138.201.27.66:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49213 -> 138.201.27.66:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49214 -> 138.201.27.66:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49237 -> 162.241.203.116:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 138.201.27.66:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49233 -> 192.185.131.33:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 138.201.27.66:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49214 -> 138.201.27.66:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.241.203.116:443 -> 192.168.56.101:49238	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 138.201.27.66:443 -> 192.168.56.101:49213	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 138.201.27.66:443 -> 192.168.56.101:49213	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49236 -> 162.241.203.116:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 138.201.27.66:443 -> 192.168.56.101:49214	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49229 -> 192.185.36.231:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 138.201.27.66:443 -> 192.168.56.101:49214	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49215 -> 138.201.27.66:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49215 -> 138.201.27.66:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.185.217.211:443 -> 192.168.56.101:49226	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 138.201.27.66:443 -> 192.168.56.101:49215	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 138.201.27.66:443 -> 192.168.56.101:49215	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.185.131.33:443 -> 192.168.56.101:49234	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 192.185.215.103:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.185.36.231:443 -> 192.168.56.101:49230	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49217 -> 172.104.152.37:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d991000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d951000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2021, 9:15 a.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates suspicious VBA object (1 event)

com_class

Wscript.Shell

May attempt to create new processes

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Sangfor	Malware.Generic-VBA.Save.Obfuscated
Arcabit	HEUR.VBA.Trojan.d
ESET-NOD32	a variant of VBA/TrojanDownloader.Agent.WCP
BitDefender	VB:Trojan.Valyria.4515
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan	VB:Trojan.Valyria.4515
Ad-Aware	VB:Trojan.Valyria.4515
VIPRE	LooksLike.Macro.Malware.gen!x1 (v)
TrendMicro	HEUR_VBA.OE
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.dx
FireEye	VB:Trojan.Valyria.4515
Emsisoft	VB:Trojan.Valyria.4515 (B)
Microsoft	Trojan:Script/Sabsik.FL.A!ml
GData	VB:Trojan.Valyria.4515
ALYac	VB:Trojan.Valyria.4515
MAX	malware (ai score=88)
Zoner	Probably Heur.W97Obfuscated
Rising	Heur.Macro.Downloader.f (CLASSIC)
SentinelOne	Static AI - Malicious OLE
Fortinet	VBA/Agent.WCP!tr.dldr

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://www.ktateeb.vision-building.com/public/graph/uploads/200x300/content_images/CByVubhIO51.php

Document%20777622.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All