Summary | ZeroBOX

Delivery Order 92281186.xls

VBA_macro MSOffice File
Category Machine Started Completed
FILE s1_win7_x6402 May 28, 2021, 8:16 a.m. May 28, 2021, 8:22 a.m.
Size 618.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: lagunas sidearm, Subject: microphotometry phrasemakers, Author: luminescence backing, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed May 26 12:03:19 2021, Last Saved Time/Date: Wed May 26 12:03:20 2021, Security: 0
MD5 7967d491dfb9148f1bb51cdb3acedbab
SHA256 77bdefe31e3ffc7ee64ad8c3b2e2a860d406a8b1d17678e4ac8d4b24a1f9c7ac
CRC32 3D73B130
ssdeep 12288:QhYa6XNUzNWyxJ1takCpnA2eOl6TE6z05Z3N:QhF6Xicyj1AkCFey6Te
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49810 -> 192.185.32.234:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49815 -> 122.201.118.64:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.185.32.234:443 -> 192.168.56.102:49812 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49818 -> 107.180.58.44:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 199.188.205.57:443 -> 192.168.56.102:49828 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 107.180.58.44:443 -> 192.168.56.102:49820 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 122.201.118.64:443 -> 192.168.56.102:49816 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49824 -> 107.160.244.54:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49824 -> 107.160.244.54:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49835 -> 216.37.42.46:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 216.37.42.46:443 -> 192.168.56.102:49836 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 107.160.244.54:443 -> 192.168.56.102:49824 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 107.160.244.54:443 -> 192.168.56.102:49824 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.185.79.55:443 -> 192.168.56.102:49840 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49819 -> 107.180.58.44:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49839 -> 192.185.79.55:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49826 -> 199.188.205.57:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49842 -> 108.167.181.248:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 108.167.181.248:443 -> 192.168.56.102:49845 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49822 -> 107.160.244.54:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49822 -> 107.160.244.54:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49822 -> 107.160.244.54:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49844 -> 108.167.181.248:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 107.160.244.54:443 -> 192.168.56.102:49822 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 107.160.244.54:443 -> 192.168.56.102:49822 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49827 -> 199.188.205.57:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49808 -> 192.158.238.23:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49830 -> 217.160.0.196:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49831 -> 217.160.0.196:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49811 -> 192.185.32.234:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 217.160.0.196:443 -> 192.168.56.102:49832 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49814 -> 122.201.118.64:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49823 -> 107.160.244.54:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49823 -> 107.160.244.54:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49823 -> 107.160.244.54:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49834 -> 216.37.42.46:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49838 -> 192.185.79.55:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 107.160.244.54:443 -> 192.168.56.102:49823 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 107.160.244.54:443 -> 192.168.56.102:49823 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.102:49808 -> 192.158.238.23:443 C=US, O=Let's Encrypt, CN=R3 CN=surustore.com 64:8a:61:10:46:af:ef:24:74:b1:3c:dc:ee:b1:3c:59:03:1c:b8:24

request GET https://surustore.com/image/cache/catalog/demo/banners/h0dD8T2aNRz.php
Time & API Arguments Status Return Repeated
host 172.217.25.14
com_class Wscript.Shell May attempt to create new processes
Elastic malicious (high confidence)
MicroWorld-eScan VB:Trojan.Valyria.4710
FireEye VB:Trojan.Valyria.4710
Arcabit HEUR.VBA.Trojan.d
Avast VBS:Dropper-QF [Trj]
BitDefender VB:Trojan.Valyria.4710
Ad-Aware VB:Trojan.Valyria.4710
Emsisoft VB:Trojan.Valyria.4710 (B)
VIPRE LooksLike.Macro.Malware.gen!x1 (v)
TrendMicro HEUR_VBA.OE
McAfee-GW-Edition BehavesLike.OLE2.Downloader.jb
Microsoft Trojan:Win32/Dridex!ml
GData VB:Trojan.Valyria.4710
ALYac VB:Trojan.Valyria.4515
MAX malware (ai score=88)
Zoner Probably Heur.W97Obfuscated
Rising Malware.ObfusVBA@ML.97 (VBA)
SentinelOne Static AI - Malicious OLE
Fortinet VBA/Agent.4710!tr
AVG VBS:Dropper-QF [Trj]
payload_url https://surustore.com/image/cache/catalog/demo/banners/h0dD8T2aNRz.php