Summary | ZeroBOX

bill.xlsm

VBA_macro
Category FILE
Machine s1_win7_x6403_us
Started Aug. 14, 2021, 9:17 a.m.
Completed Aug. 14, 2021, 9:19 a.m.
Size 73.9KB
Type Microsoft Excel 2007+
MD5 95efc56b74a992e18a361579a267c4f3
SHA256 e3573c5e7fb220bda82a4a4758dd3d18e59d1bb7d400297f779e8cb4eb4d4892
CRC32 182C89ED
ssdeep 1536:iRRTHxW3TR8SAC8GeTrR0Q7aubea6fxF+Jk4FDpFCkcA9Tkw3LvOrnHfzH:Wr4R8SAdH24leLfyJ/1pFC+6ALCnHLH
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

IP Address Status Action
104.21.24.5 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow TCP 192.168.56.103:49167 -> 104.21.24.5:443
SID 906200056
Signature SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category undefined

Suricata TLS

Flow TLSv1 192.168.56.103:49167 -> 104.21.24.5:443
Issuer C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Subject C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint a0:fa:80:ad:d8:f7:72:e0:c1:43:5e:82:26:37:07:91:da:e2:28:6e

request GET https://source-london-login-a44c-44d1-bc9b-a.e-voicemail.com/api/Analytics/Macro?iid=1511a0be-b05f-473d-8f41-5800f48cba12
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bc8e000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0665f000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0665f000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b722000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0
file C:\Users\test22\AppData\Local\Temp\~$bill.xlsm
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000470
filepath: C:\Users\test22\AppData\Local\Temp\~$bill.xlsm
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$bill.xlsm
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
status: 1
return: 0
repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0
Lionic Trojan.MSExcel.Valyria.4!c
Elastic malicious (high confidence)
MicroWorld-eScan VB:Trojan.Valyria.4802
FireEye VB:Trojan.Valyria.4802
Alibaba TrojanDownloader:VBA/Agent.fc3ab284
ESET-NOD32 VBA/TrojanDownloader.Agent.TTN
Avast SNH:Script [Dropper]
BitDefender VB:Trojan.Valyria.4802
Ad-Aware VB:Trojan.Valyria.4802
McAfee-GW-Edition Artemis!Trojan
Emsisoft VB:Trojan.Valyria.4802 (B)
Ikarus Trojan-Downloader.VBA.Agent
Avira VBA/Dldr.Agent.njzgk
Antiy-AVL Trojan/Generic.ASMacro.2CFCB
Microsoft Trojan:Script/Wacatac.B!ml
GData VB:Trojan.Valyria.4802
Cynet Malicious (score: 99)
McAfee RDN/Generic Downloader.x
MAX malware (ai score=82)
Tencent Win32.Trojan-downloader.Agent.Hvtf
Fortinet VBA/Agent.TTN!tr.dldr
AVG SNH:Script [Dropper]