Summary | ZeroBOX

15.docx

VBA_macro MSOffice File
Category Machine Started Completed
FILE s1_win7_x6403_us July 21, 2021, 9:07 a.m. July 21, 2021, 9:09 a.m.
Size 263.6KB
Type Microsoft Word 2007+
MD5 0e3e79026507f3cf814f75cd53fea060
SHA256 30113bb379e8104f9471bb5430eabc6fa2cfedd7b67d6fe69f83dac8ee808765
CRC32 F0ADB513
ssdeep 6144:td8C3Aj15H+uL6jYp8u97Q5J1fE3tbWS2QOuv3ibzwSDHuR:DHqnL6jd31s3p3ifwSqR
Yara None matched

Name Response Post-Analysis Lookup
feedbackportal.download 208.68.37.17
IP Address Status Action
164.124.101.2 Active Moloch
208.68.37.17 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49163 -> 208.68.37.17:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49164 -> 208.68.37.17:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.103:49163 -> 208.68.37.17:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=feedbackportal.download
Fingerprint: 06:df:3a:ee:87:57:1a:5c:dd:52:57:25:39:48:a4:9c:18:58:13:b5

Flow: TLSv1 192.168.56.103:49164 -> 208.68.37.17:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=feedbackportal.download
Fingerprint: 06:df:3a:ee:87:57:1a:5c:dd:52:57:25:39:48:a4:9c:18:58:13:b5

request OPTIONS https://feedbackportal.download/ecm/ibm/3173379797/
request HEAD https://feedbackportal.download/ecm/ibm/3173379797/converter.dot
request OPTIONS https://feedbackportal.download/ecm/ibm/
request GET https://feedbackportal.download/ecm/ibm/3173379797/converter.dot
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a466000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 1524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a364000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 1524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a321000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 1524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a292000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 1524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69f21000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 1524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x698ad000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0
file C:\Users\test22\AppData\Local\Temp\~$15.docx
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000480
filepath: C:\Users\test22\AppData\Local\Temp\~$15.docx
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$15.docx
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
Status: 1  Return: 0  Repeated: 0
Antivirus Signature
Lionic Trojan.MSWord.Groooboor.4!c
Arcabit Trojan.Groooboor.Gen.13
BitDefender Trojan.Groooboor.Gen.13
NANO-Antivirus Exploit.Xml.CVE-2017-0199.equmby
MicroWorld-eScan Trojan.Groooboor.Gen.13
FireEye Trojan.Groooboor.Gen.13
Emsisoft Trojan.Groooboor.Gen.13 (B)
GData Trojan.Groooboor.Gen.13
MAX malware (ai score=88)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef40000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0