Summary | ZeroBOX

BIO.dotm

NPKI VBA_macro Antivirus AntiDebug AntiVM
Category: FILE
Machine: s1_win7_x6402
Started: Aug. 3, 2021, 2:13 p.m.
Completed: Aug. 3, 2021, 2:15 p.m.
Size 27.1KB
Type Microsoft Word 2007+
MD5 3a4eade28ea08955d0bb0b271ae55e64
SHA256 5294f69209dca3b96cc506e8582ceac979a95f64587851615f103250ca2a0bbd
CRC32 38CDF2E9
ssdeep 384:nSk68Qz51Jm+bujj7mEXaxuCzSB00bF8jnMYNYnrEYhhXx1Df8BkITtZr+B3cH:SEQzLJm+buPKEKQ2s8jMYYthtfsReu
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Name Response Post-Analysis Lookup
zenma.getenjoyment.net 185.176.43.106
IP Address Status Action
164.124.101.2 Active Moloch
185.176.43.106 Active Moloch

Suricata Alerts

Flow: TCP 185.176.43.106:80 -> 192.168.56.102:49166
SID: 2026989
Signature: ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1
Category: A Network Trojan was detected

Flow: TCP 185.176.43.106:80 -> 192.168.56.102:49166
SID: 2026995
Signature: ET INFO PowerShell DownloadString Command Common In Powershell Stagers
Category: A Network Trojan was detected

Suricata TLS

No Suricata TLS

suspicious_features: GET method with no useragent header
suspicious_request: GET http://zenma.getenjoyment.net/ja/ng.txt

suspicious_features: POST method with no referer header, POST method with no useragent header
suspicious_request: POST http://zenma.getenjoyment.net/ja/post.php

request: GET http://zenma.getenjoyment.net/ja/ng.txt
request: POST http://zenma.getenjoyment.net/ja/post.php
request: POST http://zenma.getenjoyment.net/ja/post.php
Rule - Description
DebuggerCheck__GlobalFlags - (no description)
DebuggerCheck__QueryInfo - (no description)
DebuggerHiding__Thread - (no description)
DebuggerHiding__Active - (no description)
ThreadControl__Context - (no description)
SEH__vectored - (no description)
anti_dbg - Checks if being debugged
disable_dep - Bypass DEP