Summary | ZeroBOX

Invoice_480219.xls

Dridex VBA_macro MSOffice File PE File DLL PE32
Category Machine Started Completed
FILE s1_win7_x6402 July 22, 2021, 10:15 a.m. July 22, 2021, 10:27 a.m.
Size 313.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice_480219, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Last Printed: Thu Jul 26 12:08:13 2018, Create Time/Date: Thu Jul 26 00:26:51 2018, Last Saved Time/Date: Wed Jul 21 11:59:49 2021, Security: 0
MD5 f70c0885e76e57f37399d54b10f183ad
SHA256 b11c33ee5fd193e6548d14c2bde4865d30d6d5fd25135bc258cfd8595ae3695c
CRC32 F6F05223
ssdeep 6144:+0Y35qAOJl/YrLYz+WrNhZF+E+W2RGtXPjKBbA2G0VeU+fMGMf0ziEbMjy:1jwbA2EfKAp
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Name Response Post-Analysis Lookup
payreminament.com 128.199.243.169
IP Address Status Action
164.124.101.2 Active Moloch
208.83.69.35 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 208.83.69.35:8088 -> 192.168.56.102:49166 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b617000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b2b3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05c07000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05c07000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b2b3000
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\qSmartTagControlButton.dll
cmdline mshta C:\ProgramData//klCylinderCol.sct
Elastic malicious (high confidence)
MicroWorld-eScan VBA.Heur2.Dridex.4.CD579A05.Gen
ALYac VBA.Heur2.Dridex.4.CD579A05.Gen
Kaspersky UDS:Exploit.MSOffice.CVE-2017-8570.gen
BitDefender VBA.Heur2.Dridex.4.CD579A05.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware VBA.Heur2.Dridex.4.CD579A05.Gen
Emsisoft VBA.Heur2.Dridex.4.CD579A05.Gen (B)
TrendMicro HEUR_VBA.O2
McAfee-GW-Edition BehavesLike.OLE2.Downloader.fg
FireEye VBA.Heur2.Dridex.4.CD579A05.Gen
MAX malware (ai score=83)
Microsoft Trojan:Script/Wacatac.B!ml
GData VBA.Heur2.Dridex.4.CD579A05.Gen
TACHYON Suspicious/X97M.Obfus.Gen.8
Zoner Probably Heur.W97ShellB
Qihoo-360 virus.office.obfuscated.1
parent_process excel.exe martian_process mshta C:\ProgramData//klCylinderCol.sct