Summary | ZeroBOX

PO 93951170.xls

VBA_macro MSOffice File
Category Machine Started Completed
FILE s1_win7_x6401 June 25, 2021, 9:34 a.m. June 25, 2021, 9:38 a.m.
Size 472.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: cycads typing, Subject: contortionist enheartens, Author: hugeousness sulphonations, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue May 25 13:14:36 2021, Last Saved Time/Date: Tue May 25 13:14:37 2021, Security: 0
MD5 f32e26c6ae13dac45097c72b8c8249f5
SHA256 190045bc473705e57a09727730e1d7f0d7a789980f1eb0de77e230248c54cb1a
CRC32 2EE8B2C6
ssdeep 6144:ok3hOdsylKlgryzc4bNhZF+E+W2knA8ucesPg2uY/T5Y9e8l9B00fWoLsR3NnBEp:uc/T5YYU/vW6s9xB/5EE6meNGovxn
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53 2029709 ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1 Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 166.62.25.253:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49222 -> 185.179.27.103:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49222 -> 185.179.27.103:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49222 -> 185.179.27.103:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.179.27.103:443 -> 192.168.56.101:49222 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 185.179.27.103:443 -> 192.168.56.101:49222 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 166.62.25.253:443 -> 192.168.56.101:49220 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 72.10.162.214:443 -> 192.168.56.101:49207 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49209 -> 52.47.49.164:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49210 -> 104.156.57.250:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49230 -> 109.169.78.226:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49213 -> 69.90.221.129:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 187.45.181.35:443 -> 192.168.56.101:49233 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 72.10.162.214:443 2029707 ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1 Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 72.10.162.214:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49219 -> 166.62.25.253:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49204 -> 72.10.162.214:443 2029707 ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1 Potentially Bad Traffic
TCP 192.168.56.101:49223 -> 185.179.27.103:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49223 -> 185.179.27.103:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49223 -> 185.179.27.103:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49214 -> 69.90.221.129:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 69.90.221.129:443 -> 192.168.56.101:49215 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 185.179.27.103:443 -> 192.168.56.101:49223 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 185.179.27.103:443 -> 192.168.56.101:49223 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49224 -> 185.179.27.103:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49224 -> 185.179.27.103:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49227 -> 162.241.155.78:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49226 -> 162.241.155.78:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49232 -> 187.45.181.35:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49206 -> 72.10.162.214:443 2029707 ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1 Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 72.10.162.214:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49206 -> 72.10.162.214:443 2029707 ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1 Potentially Bad Traffic
TCP 192.168.56.101:49217 -> 66.96.147.106:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 162.241.155.78:443 -> 192.168.56.101:49228 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49231 -> 187.45.181.35:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.179.27.103:443 -> 192.168.56.101:49224 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 185.179.27.103:443 -> 192.168.56.101:49224 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 72.10.162.214:443 2029707 ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1 Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 72.10.162.214:443 2029707 ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1 Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint

TLSv1 192.168.56.101:49209 -> 52.47.49.164:443
  issuer: C=US, O=Let's Encrypt, CN=R3
  subject: CN=afemnor.es
  fingerprint: 14:71:68:be:f2:05:a5:7f:3b:a9:54:37:89:0c:66:d7:41:58:1e:00

TLSv1 192.168.56.101:49210 -> 104.156.57.250:443
  issuer: C=US, O=Let's Encrypt, CN=R3
  subject: CN=landingpages.pontodata.com.br
  fingerprint: af:50:2b:29:4e:1e:e3:f4:80:80:b4:0d:11:9b:5f:8f:24:8f:5d:08

TLSv1 192.168.56.101:49230 -> 109.169.78.226:443
  issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
  subject: CN=gettingreadytolearn.co.uk
  fingerprint: 65:d0:85:40:97:dd:6b:a3:05:4a:0d:d4:23:9c:11:57:36:91:d5:e3

TLSv1 192.168.56.101:49217 -> 66.96.147.106:443
  issuer: C=US, O=Let's Encrypt, CN=R3
  subject: CN=*.661partyrentals.com
  fingerprint: 41:f9:db:ee:36:28:3f:0f:d7:48:7a:37:be:45:59:41:f4:d6:f9:0c

request GET https://afemnor.es/wp-content/themes/dt-the7/inc/mods/compatibility/elementor/pro/modules/query-contol/FHo2N5GW1hAjyYV.php
request GET https://landingpages.pontodata.com.br/wp-content/plugins/duracelltomi-google-tag-manager/integration/whichbrowser/src/Analyser/Header/Useragent/Device/NPIMchMQuv.php
request GET https://661partyrentals.com/wp-content/plugins/ultimate-member/templates/email/UhUsapvuN2huM.php
request GET https://gettingreadytolearn.co.uk/portal/wall/posts/157/thumbs/BeAsmBuB.php
Time & API Arguments Status Return Repeated

Every call below was made with process_identifier: 1868, process_handle: 0xffffffff, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0; the trailing three columns are Status, Return and Repeated.

NtProtectVirtualMemory  base_address: 0x6dce1000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6dd3f000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6dd3f000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6dc81000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x65001000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x73321000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6d9f1000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6d9e1000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6d9a1000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6d991000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6d951000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6d911000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6d8f1000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6d8b1000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x75401000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtProtectVirtualMemory  base_address: 0x6d891000  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  1 0 0
NtAllocateVirtualMemory  base_address: 0x06010000  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  allocation_type: 4096 (MEM_COMMIT)  1 0 0
NtAllocateVirtualMemory  base_address: 0x06010000  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  allocation_type: 4096 (MEM_COMMIT)  1 0 0
NtAllocateVirtualMemory  base_address: 0x06ed0000  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  allocation_type: 4096 (MEM_COMMIT)  1 0 0
NtAllocateVirtualMemory  base_address: 0x06f20000  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  allocation_type: 4096 (MEM_COMMIT)  1 0 0
com_class Wscript.Shell May attempt to create new processes
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
ALYac VB:Trojan.Valyria.4710
VIPRE LooksLike.Macro.Malware.gen!x1 (v)
Arcabit HEUR.VBA.Trojan.d
Cyren X97M/Agent.WF.gen!Eldorado
Avast VBA:Crypt-AB [Trj]
BitDefender VB:Trojan.Valyria.4710
MicroWorld-eScan VB:Trojan.Valyria.4710
Ad-Aware VB:Trojan.Valyria.4710
Emsisoft VB:Trojan.Valyria.4710 (B)
TrendMicro HEUR_VBA.OE
McAfee-GW-Edition BehavesLike.OLE2.Downloader.gg
FireEye VB:Trojan.Valyria.4710
Avira HEUR/Macro.Downloader.MRAGH.Gen
Microsoft TrojanDownloader:O97M/Dridex.BVG!MTB
GData VB:Trojan.Valyria.4710
TACHYON Suspicious/X97M.Obfus.Gen.6
MAX malware (ai score=86)
Zoner Probably Heur.W97Obfuscated
SentinelOne Static AI - Malicious OLE
Fortinet VBA/Agent.WCP!tr.dldr
AVG VBA:Crypt-AB [Trj]
payload_url https://decontaminationcovid19.com/wp-content/plugins/ultimate-elementor/compatibility/modules/73XtsqnqdwHAQp.php