Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 22, 2021, 9:14 a.m.	June 22, 2021, 9:16 a.m.

Size	217.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: strikeout nonpolitician, Subject: gayeties bonspiel, Author: lowerclassmen theosophy, Last Saved By: user, Name of Creating Application: Microsoft Excel, Last Printed: Wed Apr 21 12:08:24 2010, Create Time/Date: Thu Apr 13 21:48:14 2000, Last Saved Time/Date: Wed Jun 16 11:41:34 2021, Security: 0
MD5	`dfb500a801d3cd450e7f54af9ccb8c4d`
SHA256	`d4e71869ff0e236389f9b676931aefd5b898b466910c63f677df9d18d070103e`
CRC32	`6D5B6205`
ssdeep	`6144:NxEtjPOtioVjDGUU1qfDlavx+W2QnWxuXdRQyJuaTrJVB7HCwKi:5LyJucL7Bt`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\Document%2063653957.xls
1868

Name	Response	Post-Analysis Lookup
www.eloyfestas.com.br	CNAME eloyfestas.com.br A 191.252.105.201	191.252.105.201
cryptoexpert.work	A 103.253.212.34	103.253.212.34
yourcodeliberdade.com	A 200.98.245.52	200.98.245.52
games.mobileadsit.com	A 162.241.87.244	162.241.87.244
kapraywala.ga	A 67.227.152.156	67.227.152.156
tricomenergy.com.pk	A 18.136.132.202	18.136.132.202
galaxybrindes.com.br	A 107.161.183.42	107.161.183.42
esteticacanina.gruporampant.com	A 162.241.61.218	162.241.61.218
hartlepooltaxi.co.uk	A 149.202.90.163	149.202.90.163
www.vidroboxbirigui.com.br	A 191.252.105.201 CNAME vidroboxbirigui.com.br	191.252.105.201

IP Address	Status	Action
103.253.212.34	Active	Moloch
107.161.183.42	Active	Moloch
149.202.90.163	Active	Moloch
162.241.61.218	Active	Moloch
162.241.87.244	Active	Moloch
164.124.101.2	Active	Moloch
18.136.132.202	Active	Moloch
191.252.105.201	Active	Moloch
200.98.245.52	Active	Moloch
67.227.152.156	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49203 -> 103.253.212.34:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.253.212.34:443 -> 192.168.56.101:49206	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 162.241.61.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:57460 -> 164.124.101.2:53	2025105	ET INFO DNS Query for Suspicious .ga Domain	Potentially Bad Traffic
TCP 192.168.56.101:49219 -> 18.136.132.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 67.227.152.156:443	2025109	ET INFO Suspicious Domain (*.ga) in TLS SNI	Potentially Bad Traffic
TCP 192.168.56.101:49224 -> 67.227.152.156:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49229 -> 191.252.105.201:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 107.161.183.42:443 -> 192.168.56.101:49217	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 67.227.152.156:443 -> 192.168.56.101:49225	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 162.241.61.218:443 -> 192.168.56.101:49210	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 107.161.183.42:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.241.87.244:443 -> 192.168.56.101:49232	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 18.136.132.202:443 -> 192.168.56.101:49221	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49230 -> 162.241.87.244:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2027868	ET INFO Observed DNS Query to .work TLD	Potentially Bad Traffic
TCP 192.168.56.101:49209 -> 162.241.61.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 18.136.132.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49223 -> 67.227.152.156:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 103.253.212.34:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 149.202.90.163:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 191.252.105.201:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 107.161.183.42:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49231 -> 162.241.87.244:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49229 191.252.105.201:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=eloyfestas.com.br	c5:14:0e:74:ba:24:10:31:c5:6a:6c:37:f3:28:55:65:37:7c:61:f0
TLSv1 192.168.56.101:49212 149.202.90.163:443	C=US, O=Let's Encrypt, CN=R3	CN=hartlepooltaxi.modmania.co.uk	a5:6a:8e:22:2f:94:f8:0e:1a:ed:43:2b:c0:7d:64:f4:88:81:b3:11
TLSv1 192.168.56.101:49213 191.252.105.201:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=vidroboxbirigui.com.br	02:08:0e:83:18:21:a5:b4:e8:a4:51:a1:12:df:3a:4d:4d:68:8e:3c

Performs some HTTP requests (3 events)

request	GET https://hartlepooltaxi.co.uk/TaxiShop/modules/coreupdater/views/js/bbKt3OpktVRAFni.php
request	GET https://www.vidroboxbirigui.com.br/posts/GqlwMINB3GC.php
request	GET https://www.eloyfestas.com.br/posts/EwyU0Hv3aBAST.php

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d991000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d901000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d8c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d8a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d861000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d841000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x074a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2021, 9:14 a.m.	process_identifier: 1868 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x074b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates suspicious VBA object (1 event)

com_class

MSXML2.XMLHTTP

May attempt to connect to the outside world

The process excel.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Roaming\58245.exe

Generates some ICMP traffic

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VB:Trojan.Valyria.4710
FireEye	VB:Trojan.Valyria.4710
ALYac	VB:Trojan.Valyria.4710
Cyren	X97M/Agent.WF.gen!Eldorado
ESET-NOD32	VBA/TrojanDownloader.Agent.WHY
Kaspersky	HEUR:Trojan.MSOffice.Shelod.gen
BitDefender	VB:Trojan.Valyria.4710
AegisLab	Trojan.MSExcel.Valyria.4!c
Ad-Aware	VB:Trojan.Valyria.4710
TACHYON	Suspicious/X97M.Obfus.Gen.5
DrWeb	Exploit.Siggen3.18171
VIPRE	LooksLike.Macro.Malware.gen!x1 (v)
TrendMicro	HEUR_VBA.OE
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.db
Emsisoft	VB:Trojan.Valyria.4710 (B)
Microsoft	Trojan:Win32/Dridex!ml
GData	VB:Trojan.Valyria.4710
McAfee	RDN/Generic Downloader.x
MAX	malware (ai score=87)
Zoner	Probably Heur.W97Obfuscated
Rising	Heur.Macro.Downloader.f (CLASSIC)
SentinelOne	Static AI - Malicious OLE
Fortinet	VBA/Agent.WCP!tr.dldr

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

200.98.245.52:443

Office document performs HTTP request (possibly to download malware) (1 event)

payload_url

https://cryptoexpert.work/core/vendor/doctrine/lexer/lib/cpf9PlDnI8yT4tE.php

Document%2063653957.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All