Summary | ZeroBOX

Inv%2004256248.xls

VBA_macro MSOffice File
Category FILE
Machine s1_win7_x6401
Started June 3, 2021, 8:53 p.m.
Completed June 3, 2021, 8:55 p.m.
Size 611.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: suivante gonadotropic, Subject: paedophilics pontifex, Author: plowmanships priapisms, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed May 26 12:13:33 2021, Last Saved Time/Date: Wed May 26 12:13:34 2021, Security: 0
MD5 10a6370bb359ff9f3a595c3ad389222c
SHA256 d605724b31d8627ffbf203ec7d917cb70019e6c95d0c501a7136f7e2b72b79bb
CRC32 65D16817
ssdeep 12288:HspCOElpb+2pUpkNXu5d3QB2RNv+ot0N8Mx6jKe3bhjWWiMLRwD:H5pjNQxE2RNvBt0N8fjKe4WikU
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49205 -> 216.37.42.46:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 216.37.42.46:443 -> 192.168.56.101:49207 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 216.37.42.46:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49213 -> 199.188.205.57:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49211 -> 62.171.164.209:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 62.171.164.209:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49211 -> 62.171.164.209:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 62.171.164.209:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 62.171.164.209:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 199.188.205.57:443 -> 192.168.56.101:49215 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 62.171.164.209:443 -> 192.168.56.101:49211 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 62.171.164.209:443 -> 192.168.56.101:49211 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 62.171.164.209:443 -> 192.168.56.101:49209 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 62.171.164.209:443 -> 192.168.56.101:49209 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49210 -> 62.171.164.209:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49210 -> 62.171.164.209:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49210 -> 62.171.164.209:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49218 -> 192.185.16.122:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49217 -> 192.185.16.122:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 62.171.164.209:443 -> 192.168.56.101:49210 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 62.171.164.209:443 -> 192.168.56.101:49210 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.185.16.122:443 -> 192.168.56.101:49220 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49225 -> 54.39.133.15:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49226 -> 54.39.133.15:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49225 -> 54.39.133.15:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49226 -> 54.39.133.15:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49225 -> 54.39.133.15:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 54.39.133.15:443 -> 192.168.56.101:49226 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 54.39.133.15:443 -> 192.168.56.101:49225 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 54.39.133.15:443 -> 192.168.56.101:49226 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 54.39.133.15:443 -> 192.168.56.101:49225 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49224 -> 54.39.133.15:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49224 -> 54.39.133.15:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49224 -> 54.39.133.15:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 54.39.133.15:443 -> 192.168.56.101:49224 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 54.39.133.15:443 -> 192.168.56.101:49224 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 82.98.169.3:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49233 -> 87.247.240.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49234 -> 87.247.240.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49229 -> 173.230.252.50:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.247.240.31:443 -> 192.168.56.101:49235 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49228 -> 173.230.252.50:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49214 -> 199.188.205.57:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 173.230.252.50:443 -> 192.168.56.101:49230 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49232 -> 188.165.53.185:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49222 -> 138.68.242.172:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.101:49204 -> 82.98.169.3:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=tineo.gal
Fingerprint: 87:ac:66:65:d8:3d:7f:7d:d4:f4:9b:59:1b:36:52:43:b9:20:8d:9c

Flow: TLSv1 192.168.56.101:49232 -> 188.165.53.185:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=menuiserie-lemoine.bzh
Fingerprint: 4f:05:fa:a2:bf:27:fe:2c:ba:9a:ef:f3:3d:c4:4b:bd:42:8b:90:84

request GET https://tineo.gal/wp-content/plugins/wordpress-seo/vendor/composer/installers/tests/Composer/Installers/lSNBjeKdHn.php
request GET https://menuiserie-lemoine.bzh/wp-content/themes/twentynineteen/template-parts/content/x0XxEHWGdeyPBEj.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6dce1000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6dd3f000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6dd3f000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6dc81000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x65001000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x73321000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6d9f1000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6d9e1000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6d9a1000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6d991000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6d951000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6d911000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6d8f1000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6d8b1000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x75401000, process_handle: 0xffffffff  1 0 0
NtProtectVirtualMemory  process_identifier: 112, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6d891000, process_handle: 0xffffffff  1 0 0
NtAllocateVirtualMemory  process_identifier: 112, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x05ee0000, allocation_type: 4096 (MEM_COMMIT), process_handle: 0xffffffff  1 0 0
NtAllocateVirtualMemory  process_identifier: 112, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x05ee0000, allocation_type: 4096 (MEM_COMMIT), process_handle: 0xffffffff  1 0 0
NtAllocateVirtualMemory  process_identifier: 112, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x069f0000, allocation_type: 4096 (MEM_COMMIT), process_handle: 0xffffffff  1 0 0
NtAllocateVirtualMemory  process_identifier: 112, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x06ad0000, allocation_type: 4096 (MEM_COMMIT), process_handle: 0xffffffff  1 0 0

com_class Wscript.Shell May attempt to create new processes
Elastic malicious (high confidence)
MicroWorld-eScan VB:Trojan.Valyria.4710
FireEye VB:Trojan.Valyria.4710
ALYac VB:Trojan.Valyria.4710
Cyren X97M/Agent.WF.gen!Eldorado
Avast VBS:Dropper-QF [Trj]
BitDefender VB:Trojan.Valyria.4710
Rising Malware.ObfusVBA@ML.99 (VBA)
Ad-Aware VB:Trojan.Valyria.4710
TACHYON Suspicious/X97M.Obfus.Gen.6
VIPRE LooksLike.Macro.Malware.gen!x1 (v)
TrendMicro HEUR_VBA.OE
McAfee-GW-Edition BehavesLike.OLE2.Downloader.jb
Emsisoft VB:Trojan.Valyria.4710 (B)
SentinelOne Static AI - Suspicious OLE
Microsoft Trojan:O97M/Sadoca.C!ml
GData VB:Trojan.Valyria.4710
MAX malware (ai score=87)
Zoner Probably Heur.W97Obfuscated
Fortinet VBA/Agent.WCP!tr.dldr
AVG VBS:Dropper-QF [Trj]
payload_url https://tineo.gal/wp-content/plugins/wordpress-seo/vendor/composer/installers/tests/Composer/Installers/lSNBjeKdHn.php