Summary | ZeroBOX

Document 1659904.xls

VBA_macro MSOffice File
Category FILE
Machine s1_win7_x6402
Started June 15, 2021, 10:48 a.m.
Completed June 15, 2021, 10:51 a.m.
Size 802.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: degame rawarus, Subject: peradventure multiheaded, Author: bubonocele mechanoreceptions, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jun 14 10:44:34 2021, Last Saved Time/Date: Mon Jun 14 13:58:24 2021, Security: 0
MD5 c03577c814275b568037f2eb9e0fc1e3
SHA256 aed6dd175e4f02243c27abe3194567a72631310fc737e03bb2764eff3024f60c
CRC32 7C2D8F7A
ssdeep 24576:4iOvq0l6lWl5lhYJ+elPxB0jEVJvuiVA9UL0ns3+YN/7U:wzl6lWl5lhKhlPxmjyYibLXVzU
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File
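The Type line above identifies the sample as a Composite Document File V2, the OLE2/CFB container that legacy .xls files use. The Python below is an added example, not part of the ZeroBOX report or its tooling: it parses the 512-byte CFB header the way `file` does, so a triage script can confirm the container type, byte order and sector geometry from the bytes rather than from the extension. The header it runs on is constructed inside the script to match a version-3, little-endian file; the real sample's bytes are not reproduced.

```python
"""Parse the header of a Compound File Binary (OLE2 / "Composite Document File V2").

Added example, not part of the ZeroBOX report. The header produced by
constructed_header() is CONSTRUCTED to mimic a version-3, little-endian CFB file
such as the .xls in this report; it is not the sample's data.
"""
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
END_OF_CHAIN = 0xFFFFFFFE
FREE_SECT = 0xFFFFFFFF


def parse_cfb_header(data: bytes) -> dict:
    """Decode the 512-byte CFB header (MS-CFB section 2.2). Raises ValueError on
    anything that is not a CFB container, so a renamed or truncated file fails loudly."""
    if len(data) < 512:
        raise ValueError("too short for a CFB header")
    if data[:8] != CFB_MAGIC:
        raise ValueError("bad CFB signature: %s" % data[:8].hex())
    # Every header field is little-endian; MS-CFB mandates the 0xFFFE byte-order marker.
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 0x18)
    (n_dir_sectors, n_fat_sectors, first_dir, _txn, mini_cutoff,
     first_minifat, n_minifat, first_difat, n_difat) = struct.unpack_from("<9I", data, 0x28)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order marker 0x%04X" % byte_order)
    # v3 files use 512-byte sectors (shift 9), v4 files 4096-byte sectors (shift 12).
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("version/sector-shift mismatch: v%d shift %d" % (major, sector_shift))
    # The 109-entry DIFAT in the header lists FAT sector numbers; unused slots are FREESECT.
    difat = [s for s in struct.unpack_from("<109I", data, 0x4C) if s != FREE_SECT]
    return {
        "major_version": major,
        "minor_version": minor,
        "little_endian": True,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "fat_sectors": n_fat_sectors,
        "first_directory_sector": first_dir,
        "mini_stream_cutoff": mini_cutoff,
        "difat_in_header": difat,
    }


def is_cfb(data: bytes) -> bool:
    """Convenience wrapper for triage scripts: True only for a well-formed CFB header."""
    try:
        parse_cfb_header(data)
        return True
    except ValueError:
        return False


def constructed_header() -> bytes:
    """A CONSTRUCTED v3 header: one FAT sector (sector 0), directory at sector 1,
    no mini FAT and no extra DIFAT sectors."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x003E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 0x1000, END_OF_CHAIN, 0, END_OF_CHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREE_SECT] * 108))
    return bytes(hdr)


if __name__ == "__main__":
    for key, value in parse_cfb_header(constructed_header()).items():
        print("%-24s %r" % (key, value))
```

Run it against the first 512 bytes of a suspect file; a ZIP-based .xlsm or a renamed executable is rejected at the signature check, and a header whose version and sector shift disagree is rejected as well.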

Suricata Alerts

Flow                                             | SID       | Signature                                                      | Category
TCP 192.168.56.102:49816 -> 104.255.220.56:443   | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49808 -> 144.91.85.140:443    | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49810 -> 144.91.85.140:443    | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 104.255.220.56:443 -> 192.168.56.102:49818   | 2029340   | ET INFO TLS Handshake Failure                                  | Potentially Bad Traffic
TCP 144.91.85.140:443 -> 192.168.56.102:49811    | 2029340   | ET INFO TLS Handshake Failure                                  | Potentially Bad Traffic
TCP 192.168.56.102:49817 -> 104.255.220.56:443   | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49830 -> 192.254.185.136:443  | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49813 -> 191.252.105.201:443  | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49821 -> 162.253.125.64:443   | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49820 -> 162.253.125.64:443   | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 164.52.201.122:443 -> 192.168.56.102:49826   | 2029340   | ET INFO TLS Handshake Failure                                  | Potentially Bad Traffic
TCP 192.168.56.102:49824 -> 164.52.201.122:443   | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49814 -> 134.209.3.189:443    | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.254.185.136:443 -> 192.168.56.102:49832  | 2029340   | ET INFO TLS Handshake Failure                                  | Potentially Bad Traffic
TCP 31.22.4.136:443 -> 192.168.56.102:49840      | 2029340   | ET INFO TLS Handshake Failure                                  | Potentially Bad Traffic
TCP 192.168.56.102:49825 -> 164.52.201.122:443   | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49834 -> 185.87.187.226:443   | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49835 -> 185.87.187.226:443   | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 185.87.187.226:443 -> 192.168.56.102:49836   | 2029340   | ET INFO TLS Handshake Failure                                  | Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 70.32.93.146:443     | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 162.253.125.64:443 -> 192.168.56.102:49822   | 2029340   | ET INFO TLS Handshake Failure                                  | Potentially Bad Traffic
TCP 192.168.56.102:49831 -> 192.254.185.136:443  | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49838 -> 31.22.4.136:443      | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)
TCP 192.168.56.102:49839 -> 31.22.4.136:443      | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)  | (none)

Suricata TLS

TLSv1  192.168.56.102:49813 -> 191.252.105.201:443
  Issuer       C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
  Subject      CN=patie.com.br
  Fingerprint  80:ed:07:6a:5e:2a:cd:c0:75:13:66:e9:e1:1e:30:1b:dc:3d:0b:a8

TLSv1  192.168.56.102:49814 -> 134.209.3.189:443
  Issuer       C=US, O=Let's Encrypt, CN=R3
  Subject      CN=exam.edumation.app
  Fingerprint  8e:cb:87:91:e7:e8:18:e5:f8:59:b5:36:03:03:6a:42:be:07:52:d2

TLSv1  192.168.56.102:49815 -> 70.32.93.146:443
  Issuer       C=US, O=Let's Encrypt, CN=R3
  Subject      CN=philips.dexsandbox.com
  Fingerprint  0f:02:af:2c:0b:a4:dc:04:c5:c1:18:40:9d:58:23:0c:5a:8c:c4:03

request GET https://www.patie.com.br/posts/hPdcXy5hUEfG.php
request GET https://exam.edumation.app/wp-content/themes/twentynineteen/sass/blocks/4bcHpcgYlJKPDXl.php
request GET https://philips.dexsandbox.com/edm/images/eoDhbmkJ.php
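The alert, TLS and request tables above are what an analyst pivots on, and two details matter when doing so. First, the JA3 rule (SID 906200056) fires on the ClientHello, so the remote host is the destination, while the handshake-failure rule (SID 2029340) fires on the server's reply, so the remote host is the source; a naive "take the destination" extractor would report the sandbox VM itself. Second, JA3 fingerprints identify a TLS client stack, not a malware family, so the "Tofsee" label on the SSLBL rule is a hint, not an attribution (the AV engines below name this sample differently). The Python below is an added example, not part of the ZeroBOX report, that parses rows in the flattened layout shown on this page and produces a de-duplicated IOC set; the sample rows embedded in it are constructed copies of a few lines from the tables above, and the 192.168.56.0/24 sandbox prefix is an assumption taken from the report's own flows.

```python
"""Extract network IOCs from a ZeroBOX/Cuckoo-style Suricata alert dump.

Added example, not part of the ZeroBOX report. SAMPLE_ALERTS and SAMPLE_REQUESTS
are CONSTRUCTED copies of a few rows from this report; SANDBOX_NET is assumed
from the 192.168.56.102 analysis-VM address seen in those rows.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_ALERTS = """\
TCP 192.168.56.102:49816 -> 104.255.220.56:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.255.220.56:443 -> 192.168.56.102:49818 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49817 -> 104.255.220.56:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49813 -> 191.252.105.201:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
"""

SAMPLE_REQUESTS = """\
request GET https://www.patie.com.br/posts/hPdcXy5hUEfG.php
request GET https://exam.edumation.app/wp-content/themes/twentynineteen/sass/blocks/4bcHpcgYlJKPDXl.php
"""

SANDBOX_NET = "192.168.56."   # assumed analysis-VM prefix; never reported as an IOC
SID_JA3_BLOCKLIST = 906200056
SID_TLS_HANDSHAKE_FAILURE = 2029340

ALERT_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<sid>\d+) (?P<sig>.+)$")


def parse_alert(line: str):
    """Split one flattened alert row; returns None for anything that is not a row.
    The remote host is whichever side is not inside the sandbox network, which
    handles both client-side (JA3) and server-side (handshake failure) alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    # A trailing "undefined" is the empty Category column in the export; drop it.
    d["sig"] = re.sub(r"\s+undefined$", "", d["sig"])
    d["remote_ip"] = d["dst"] if d["src"].startswith(SANDBOX_NET) else d["src"]
    return d


def extract_iocs(alert_text: str, request_text: str) -> dict:
    """Return remote IPs with the SIDs that fired on them, plus requested hosts/paths."""
    by_ip = defaultdict(set)
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a and not a["remote_ip"].startswith(SANDBOX_NET):
            by_ip[a["remote_ip"]].add(a["sid"])
    hosts, paths = set(), set()
    for line in request_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "request":
            url = urlparse(parts[2])
            hosts.add(url.hostname)
            paths.add(url.path)
    return {"ips": {ip: sorted(sids) for ip, sids in by_ip.items()},
            "hosts": sorted(hosts), "paths": sorted(paths)}


def ja3_then_failure(iocs: dict) -> list:
    """Hosts that matched the JA3 blocklist and then failed the handshake: the
    fingerprinted client reached them but no TLS session was completed."""
    wanted = {SID_JA3_BLOCKLIST, SID_TLS_HANDSHAKE_FAILURE}
    return sorted(ip for ip, sids in iocs["ips"].items() if wanted <= set(sids))


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_ALERTS, SAMPLE_REQUESTS)
    for ip, sids in sorted(result["ips"].items()):
        print(ip, sids)
    print("JA3 hit followed by handshake failure:", ja3_then_failure(result))
    print("requested hosts:", result["hosts"])
```

Feed the full alert and request tables in place of the two sample strings to get the complete host list; the handshake-failure pivot is useful because a host that accepted the fingerprinted ClientHello but never completed a session is often a dead or sinkholed stage, and the successfully reached hosts are the ones whose certificates appear in the TLS table.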
API calls

All twenty calls below were made by process 5032 against its own address space (process_handle 0xffffffff is the current-process pseudo-handle), requested protection 64 (PAGE_EXECUTE_READWRITE) on a 4096-byte region (length for NtProtectVirtualMemory, region_size for NtAllocateVirtualMemory), were recorded with stack_dep_bypass 0, stack_pivoted 0 and heap_dep_bypass 0, and have Status 1, Return 0, Repeated 0. Only the fields that differ between calls are listed:

API                      base_address  allocation_type
NtProtectVirtualMemory   0x70af1000
NtProtectVirtualMemory   0x70b4f000
NtProtectVirtualMemory   0x70b4f000
NtProtectVirtualMemory   0x73711000
NtProtectVirtualMemory   0x058a1000
NtProtectVirtualMemory   0x73321000
NtProtectVirtualMemory   0x71f61000
NtProtectVirtualMemory   0x71f71000
NtProtectVirtualMemory   0x6e5e1000
NtProtectVirtualMemory   0x74131000
NtProtectVirtualMemory   0x726d1000
NtProtectVirtualMemory   0x66b71000
NtProtectVirtualMemory   0x66bf1000
NtProtectVirtualMemory   0x66bb1000
NtProtectVirtualMemory   0x75401000
NtProtectVirtualMemory   0x737f1000
NtAllocateVirtualMemory  0x064d0000    4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x064d0000    4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x06810000    4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x06ae0000    4096 (MEM_COMMIT)
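The sandbox's DEP-bypass heuristics (stack_dep_bypass, stack_pivoted, heap_dep_bypass) are all 0 for every call above, so what remains worth flagging is the pattern itself: a process repeatedly making pages both writable and executable in its own address space, and committing fresh RWX memory. The Python below is an added example, not part of the ZeroBOX report or its tooling, that parses API records in the "key: value" block layout shown on this page and flags exactly those operations, keyed on the protection bitmask rather than on the API name alone so that PAGE_EXECUTE_WRITECOPY (0x80) is caught as well as PAGE_EXECUTE_READWRITE (0x40). The sample log embedded in it is a constructed copy of three of the records above; the thresholds and field names chosen for the output are mine.

```python
"""Flag RWX memory operations in a Cuckoo/ZeroBOX-style API log.

Added example, not part of the ZeroBOX report. SAMPLE_LOG is a CONSTRUCTED copy
of three records from this report, kept in the page's "key: value" block layout;
the output field names (self, fresh_commit, ...) are this script's own.
"""
from collections import Counter

PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000
CURRENT_PROCESS = 0xFFFFFFFF   # (HANDLE)-1, the current-process pseudo-handle on 32-bit Windows

SAMPLE_LOG = """\
NtProtectVirtualMemory

process_identifier: 5032
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5032
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5032
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
"""


def parse_calls(text: str) -> list:
    """Turn blank-line-separated records into dicts:
    {'api': name, 'args': {...}, 'status': int, 'ret': int, 'repeated': int}.
    A line with no colon starts a new record; a line of bare integers is the
    trailing 'Status Return Repeated' triple."""
    calls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            cur["args"][key.strip()] = value.strip()
        elif line.replace(" ", "").isdigit():
            status, ret, repeated = (int(x) for x in line.split())
            cur.update(status=status, ret=ret, repeated=repeated)
        else:
            cur = {"api": line, "args": {}}
            calls.append(cur)
    return calls


def numeric(value: str) -> int:
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x70b4f000' -> 0x70b4f000."""
    return int(value.split()[0], 0)


def is_executable_and_writable(protection: int) -> bool:
    """True for any protection that allows writing and executing the same page."""
    return bool(protection & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))


def find_rwx(calls: list) -> list:
    """One finding per protect/allocate call that yields writable+executable memory."""
    findings = []
    for c in calls:
        if c["api"] not in ("NtProtectVirtualMemory", "NtAllocateVirtualMemory"):
            continue
        if not is_executable_and_writable(numeric(c["args"]["protection"])):
            continue
        args = c["args"]
        findings.append({
            "api": c["api"],
            "pid": int(args["process_identifier"]),
            "self": numeric(args["process_handle"]) == CURRENT_PROCESS,
            "base": numeric(args["base_address"]),
            "size": numeric(args.get("length") or args["region_size"]),
            # Fresh RWX commit (shellcode staging) vs. re-protecting an existing page.
            "fresh_commit": ("allocation_type" in args
                             and (numeric(args["allocation_type"]) & MEM_COMMIT) != 0),
        })
    return findings


def repeated_targets(findings: list) -> dict:
    """Base addresses hit more than once: the protect, write, re-protect pattern
    visible at 0x70b4f000 and 0x064d0000 in the report above."""
    return {hex(base): n for base, n in Counter(f["base"] for f in findings).items() if n > 1}


if __name__ == "__main__":
    hits = find_rwx(parse_calls(SAMPLE_LOG))
    for hit in hits:
        print(hit)
    print("repeated targets:", repeated_targets(hits))
```

Paste the whole API table into SAMPLE_LOG to score the real run: every record above is a hit, fourteen distinct NtProtectVirtualMemory targets sit at a +0x1000 offset in the address range where 32-bit Windows 7 maps system DLLs (the usual start of a module's first code section, consistent with in-place patching of loaded libraries rather than writing code into new memory), and the four NtAllocateVirtualMemory calls commit fresh RWX pages.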
host 172.217.25.14
com_class Wscript.Shell (May attempt to create new processes)
Elastic malicious (moderate confidence)
MicroWorld-eScan VB:Trojan.Valyria.4710
FireEye VB:Trojan.Valyria.4710
VIPRE LooksLike.Macro.Malware.gen!x1 (v)
Cyren X97M/Agent.WF.gen!Eldorado
ESET-NOD32 VBA/TrojanDownloader.Agent.WGM
Avast VBA:Crypt-AB [Trj]
BitDefender VB:Trojan.Valyria.4710
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware VB:Trojan.Valyria.4710
TrendMicro HEUR_VBA.OE
McAfee-GW-Edition BehavesLike.OLE2.Downloader.cb
Emsisoft VB:Trojan.Valyria.4710 (B)
SentinelOne Static AI - Malicious OLE
Avira HEUR/Macro.Downloader.MRAGE.Gen
MAX malware (ai score=89)
Microsoft TrojanDownloader:O97M/Dridex.BVG!MTB
Arcabit HEUR.VBA.Trojan.d
GData VB:Trojan.Valyria.4710
Cynet Malicious (score: 99)
ALYac VB:Trojan.Valyria.4710
TACHYON Suspicious/X97M.Downloader.Gen
Zoner Probably Heur.W97Obfuscated
Rising Heur.Macro.Downloader.f (CLASSIC)
Fortinet VBA/Agent.WCP!tr.dldr
AVG VBA:Crypt-AB [Trj]
payload_url https://cek-api.match.my.id/vendor/google/auth/src/Cache/z7kVDYvd8s.php