Summary | ZeroBOX

Document 81161221.xls

VBA_macro Generic Malware MSOffice File
Category Machine Started Completed
FILE s1_win7_x6402 June 15, 2021, 9:26 p.m. June 15, 2021, 9:28 p.m.
Size 788.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: tutors leaver, Subject: uplands bristles, Author: shamefacednesses glaciating, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jun 14 10:44:34 2021, Last Saved Time/Date: Mon Jun 14 13:56:06 2021, Security: 0
MD5 d65c8d73d13ed5d4f2973631101c4b34
SHA256 35f32786d4cef03729a8702bee05910c8cb7682cf6b2370f911d437ad0df1644
CRC32 1ECEDA61
ssdeep 24576:TiOvq0l6lWl5lhYJ+elPxB0jE0JvoX92FR1TkNKbQ:tzl6lWl5lhKhlPxmjDmEmNKbQ
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Generic_Malware_Zero - Generic Malware
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49809 -> 70.32.93.146:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49828 -> 164.52.201.122:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 18.136.132.202:443 -> 192.168.56.102:49813 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 18.136.132.202:443 -> 192.168.56.102:49822 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49811 -> 18.136.132.202:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49820 -> 18.136.132.202:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49812 -> 18.136.132.202:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49824 -> 87.229.72.45:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49825 -> 87.229.72.45:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49843 -> 95.216.103.165:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49843 -> 95.216.103.165:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49843 -> 95.216.103.165:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49833 -> 119.18.54.94:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 95.216.103.165:443 -> 192.168.56.102:49843 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 95.216.103.165:443 -> 192.168.56.102:49843 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49839 -> 18.136.132.202:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49842 -> 95.216.103.165:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 94.124.84.11:443 -> 192.168.56.102:49817 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 94.124.84.11:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 95.216.103.165:443 -> 192.168.56.102:49842 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 95.216.103.165:443 -> 192.168.56.102:49842 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49821 -> 18.136.132.202:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49842 -> 95.216.103.165:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49842 -> 95.216.103.165:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49816 -> 94.124.84.11:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 164.52.201.122:443 -> 192.168.56.102:49830 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49834 -> 119.18.54.94:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49819 -> 191.252.106.110:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49838 -> 18.136.132.202:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 18.136.132.202:443 -> 192.168.56.102:49840 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 87.229.72.45:443 -> 192.168.56.102:49826 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49829 -> 164.52.201.122:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 119.18.54.94:443 -> 192.168.56.102:49836 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49844 -> 95.216.103.165:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49844 -> 95.216.103.165:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 95.216.103.165:443 -> 192.168.56.102:49844 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 95.216.103.165:443 -> 192.168.56.102:49844 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

Version Flow Issuer Subject Fingerprint
TLSv1 192.168.56.102:49809 -> 70.32.93.146:443 C=US, O=Let's Encrypt, CN=R3 CN=ptti.dexsandbox.com 9f:6b:ae:4a:9f:f4:39:99:00:ad:93:f3:17:74:9c:f4:ab:52:d6:81
TLSv1 192.168.56.102:49819 -> 191.252.106.110:443 C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority CN=zankzakartigosesportivos.com.br 80:2b:d5:13:8d:9e:2b:40:62:20:db:fd:cb:44:74:17:48:54:58:22

request GET https://ptti.dexsandbox.com/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/lib/controller/1I68ugOo4iMen.php
request GET https://zankzakartigosesportivos.com.br/loja/wp-includes/SimplePie/Content/Type/3sLExhiYtVuTS.php

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70af1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73711000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73321000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e5e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74131000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66b71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66bf1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66bb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737f1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 7132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02f90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 7132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02f90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 7132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06420000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 7132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
host 172.217.25.14
com_class Wscript.Shell May attempt to create new processes
Elastic malicious (high confidence)
MicroWorld-eScan VB:Trojan.Valyria.4710
FireEye VB:Trojan.Valyria.4710
ALYac VB:Trojan.Valyria.4710
VIPRE LooksLike.Macro.Malware.gen!x1 (v)
Cyren X97M/Agent.WF.gen!Eldorado
Symantec Trojan.Gen.NPE
ESET-NOD32 VBA/TrojanDownloader.Agent.WGM
Avast VBA:Crypt-AB [Trj]
Kaspersky HEUR:Trojan-Downloader.MSOffice.SLoad.gen
BitDefender VB:Trojan.Valyria.4710
AegisLab Trojan.MSExcel.Valyria.4!c
Ad-Aware VB:Trojan.Valyria.4710
TACHYON Suspicious/X97M.Downloader.Gen
Emsisoft VB:Trojan.Valyria.4710 (B)
DrWeb Exploit.Siggen3.17880
TrendMicro HEUR_VBA.OE
McAfee-GW-Edition BehavesLike.OLE2.Downloader.bb
Ikarus Trojan-Downloader.VBA.Agent
Avira VBA/Dldr.Agent.raxyq
Microsoft TrojanDownloader:O97M/Dridex.BVG!MTB
Arcabit HEUR.VBA.Trojan.d
ViRobot XLS.Z.Agent.806912
GData VB:Trojan.Valyria.4710
MAX malware (ai score=87)
Zoner Probably Heur.W97Obfuscated
Rising Heur.Macro.Downloader.f (CLASSIC)
SentinelOne Static AI - Suspicious OLE
Fortinet VBA/Agent.WCP!tr.dldr
AVG VBA:Crypt-AB [Trj]
payload_url https://ptti.dexsandbox.com/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/lib/controller/1I68ugOo4iMen.php