Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 15, 2021, 10:48 a.m.	June 15, 2021, 10:51 a.m.

Size	802.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: degame rawarus, Subject: peradventure multiheaded, Author: bubonocele mechanoreceptions, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jun 14 10:44:34 2021, Last Saved Time/Date: Mon Jun 14 13:58:24 2021, Security: 0
MD5	`c03577c814275b568037f2eb9e0fc1e3`
SHA256	`aed6dd175e4f02243c27abe3194567a72631310fc737e03bb2764eff3024f60c`
CRC32	`7C2D8F7A`
ssdeep	`24576:4iOvq0l6lWl5lhYJ+elPxB0jEVJvuiVA9UL0ns3+YN/7U:wzl6lWl5lhKhlPxmjyYibLXVzU`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" "C:\Users\test22\AppData\Local\Temp\Document 1659904.xls"
5032

Name	Response	Post-Analysis Lookup
final.foodpoint.ma	A 185.87.187.226	185.87.187.226
damta.mrboatstudio.com	A 31.22.4.136	31.22.4.136
voixdescedres.com	A 162.253.125.64	162.253.125.64
exam.edumation.app	A 134.209.3.189	134.209.3.189
hellomeela.phptasks.com	A 104.255.220.56	104.255.220.56
www.patie.com.br	A 191.252.105.201 CNAME patie.com.br	191.252.105.201
new.ishr.co.in	A 164.52.201.122	164.52.201.122
philips.dexsandbox.com	A 70.32.93.146	70.32.93.146
invest.arabia-investment.com	A 192.254.185.136	192.254.185.136
cek-api.match.my.id	A 144.91.85.140	144.91.85.140

IP Address	Status	Action
104.255.220.56	Active	Moloch
134.209.3.189	Active	Moloch
144.91.85.140	Active	Moloch
162.253.125.64	Active	Moloch
164.124.101.2	Active	Moloch
164.52.201.122	Active	Moloch
172.217.25.14	Active	Moloch
185.87.187.226	Active	Moloch
191.252.105.201	Active	Moloch
192.254.185.136	Active	Moloch
31.22.4.136	Active	Moloch
70.32.93.146	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49816 -> 104.255.220.56:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49808 -> 144.91.85.140:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49810 -> 144.91.85.140:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.255.220.56:443 -> 192.168.56.102:49818	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 144.91.85.140:443 -> 192.168.56.102:49811	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49817 -> 104.255.220.56:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49830 -> 192.254.185.136:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49813 -> 191.252.105.201:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49821 -> 162.253.125.64:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49820 -> 162.253.125.64:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 164.52.201.122:443 -> 192.168.56.102:49826	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49824 -> 164.52.201.122:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49814 -> 134.209.3.189:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.254.185.136:443 -> 192.168.56.102:49832	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 31.22.4.136:443 -> 192.168.56.102:49840	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49825 -> 164.52.201.122:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49834 -> 185.87.187.226:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49835 -> 185.87.187.226:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.87.187.226:443 -> 192.168.56.102:49836	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 70.32.93.146:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.253.125.64:443 -> 192.168.56.102:49822	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49831 -> 192.254.185.136:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49838 -> 31.22.4.136:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49839 -> 31.22.4.136:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49813 191.252.105.201:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=patie.com.br	80:ed:07:6a:5e:2a:cd:c0:75:13:66:e9:e1:1e:30:1b:dc:3d:0b:a8
TLSv1 192.168.56.102:49814 134.209.3.189:443	C=US, O=Let's Encrypt, CN=R3	CN=exam.edumation.app	8e:cb:87:91:e7:e8:18:e5:f8:59:b5:36:03:03:6a:42:be:07:52:d2
TLSv1 192.168.56.102:49815 70.32.93.146:443	C=US, O=Let's Encrypt, CN=R3	CN=philips.dexsandbox.com	0f:02:af:2c:0b:a4:dc:04:c5:c1:18:40:9d:58:23:0c:5a:8c:c4:03

Performs some HTTP requests (3 events)

request	GET https://www.patie.com.br/posts/hPdcXy5hUEfG.php
request	GET https://exam.edumation.app/wp-content/themes/twentynineteen/sass/blocks/4bcHpcgYlJKPDXl.php
request	GET https://philips.dexsandbox.com/edm/images/eoDhbmkJ.php

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b4f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b4f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e5e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2021, 10:48 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 10:49 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 10:49 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 10:49 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2021, 10:49 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Creates suspicious VBA object (1 event)

com_class

Wscript.Shell

May attempt to create new processes

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Elastic	malicious (moderate confidence)
MicroWorld-eScan	VB:Trojan.Valyria.4710
FireEye	VB:Trojan.Valyria.4710
VIPRE	LooksLike.Macro.Malware.gen!x1 (v)
Cyren	X97M/Agent.WF.gen!Eldorado
ESET-NOD32	VBA/TrojanDownloader.Agent.WGM
Avast	VBA:Crypt-AB [Trj]
BitDefender	VB:Trojan.Valyria.4710
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware	VB:Trojan.Valyria.4710
TrendMicro	HEUR_VBA.OE
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.cb
Emsisoft	VB:Trojan.Valyria.4710 (B)
SentinelOne	Static AI - Malicious OLE
Avira	HEUR/Macro.Downloader.MRAGE.Gen
MAX	malware (ai score=89)
Microsoft	TrojanDownloader:O97M/Dridex.BVG!MTB
Arcabit	HEUR.VBA.Trojan.d
GData	VB:Trojan.Valyria.4710
Cynet	Malicious (score: 99)
ALYac	VB:Trojan.Valyria.4710
TACHYON	Suspicious/X97M.Downloader.Gen
Zoner	Probably Heur.W97Obfuscated
Rising	Heur.Macro.Downloader.f (CLASSIC)
Fortinet	VBA/Agent.WCP!tr.dldr
AVG	VBA:Crypt-AB [Trj]

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://cek-api.match.my.id/vendor/google/auth/src/Cache/z7kVDYvd8s.php

Document 1659904.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All