Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 02:11
DOCTOR FIRM ORDER FORM...
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe

Latest News
11.18 05:11
Strela: A newcomer in ...
11.18 05:11
A week in security (No...
11.18 05:11
A week in security (No...
11.18 04:11
카페 어니언과 함께하는 2025 코리아브...
11.18 04:11
Singapore Oil Tycoon O...
11.18 04:11
Exploit attempts for u...
11.18 04:11
NSO Group Exploited Wh...
11.18 03:11
대한민국 전통가마 연구소 ‘태고사’ 20...
11.18 03:11
더 청담, '2024 전통문화혁신사업 수...
11.18 03:11
동방이기제작소, '2024 전통문화혁신사...

Summary | ZeroBOX

Payment_Receipt 2422.xls

VBA_macro Generic Malware ScreenShot KeyLogger AntiDebug MSOffice File AntiVM

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 14, 2021, 4:10 p.m.	Oct. 14, 2021, 4:12 p.m.

Size	82.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Inc. Intuit, Create Time/Date: Wed Oct 13 10:08:56 2021, Last Saved Time/Date: Wed Oct 13 10:08:59 2021, Security: 0
MD5	`e63deaea51f7cc2064ff808e11e1ad55`
SHA256	`b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d`
CRC32	`C31DFC9F`
ssdeep	`1536:LFk3hbdlylKsgqopeJBWhZFGkE+cL2NdAA5eSUPIbjB59ZYiosYvvXvTWbxgXTPE:LFk3hbdlylKsgqopeJBWhZFGkE+cL2Nn`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" "C:\Users\test22\AppData\Local\Temp\Payment_Receipt 2422.xls"
2456

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 14, 2021, 4:10 p.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b5c7000 process_handle: 0xffffffff	1	0	0

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Lionic	Trojan.MSOffice.SLoad.a!c
Cyren	X97M/Dridex.A.gen!Eldorado
Symantec	W97M.Downloader
ESET-NOD32	VBA/TrojanDownloader.Agent.WTX
TrendMicro-HouseCall	TROJ_FRS.VSNTJD21
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.MSOffice.SLoad.gen
Avira	W97M/Agent.2325811
Fortinet	VBA/Agent.AD55!tr

Yara rule detected in process memory (11 events)

description	Run a KeyLogger				rule	KeyLogger
description	Take ScreenShot				rule	ScreenShot
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep
description	Affect hook table				rule	win_hook

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /Embedding

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2456 resumed a thread in remote process 2744
NtResumeThread Oct. 14, 2021, 4:10 p.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 2744	1	0	0