Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 02:11
DOCTOR FIRM ORDER FORM...
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe

Latest News
11.18 05:11
Strela: A newcomer in ...
11.18 05:11
A week in security (No...
11.18 05:11
A week in security (No...
11.18 04:11
카페 어니언과 함께하는 2025 코리아브...
11.18 04:11
Singapore Oil Tycoon O...
11.18 04:11
Exploit attempts for u...
11.18 04:11
NSO Group Exploited Wh...
11.18 03:11
대한민국 전통가마 연구소 ‘태고사’ 20...
11.18 03:11
더 청담, '2024 전통문화혁신사업 수...
11.18 03:11
동방이기제작소, '2024 전통문화혁신사...

Summary | ZeroBOX

Auszahlungen.xls

VBA_macro Generic Malware MSOffice File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 15, 2021, 1:50 p.m.	Oct. 15, 2021, 1:52 p.m.

Size	108.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Yhnxx, Last Saved By: X112, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Oct 8 09:36:50 2021, Last Saved Time/Date: Thu Oct 14 03:27:39 2021, Security: 0
MD5	`413bd16983ee371d2955416354a17b2c`
SHA256	`5457145d1709f6828a743ebe4ab34c74345647d7caca86d715db1cb52a7c596e`
CRC32	`26164F9E`
ssdeep	`3072:vdcKoSsxzNDZL2Qiw+4868O8KKA4Rdbwrk3hbdlylKsgqopeJBWhZFGkE+cL4Lxp:FcKoSsxzNDZL2Qiw+4868O8KKA4Rdbw/`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\Auszahlungen.xls
2480

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.19.58.52	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 15, 2021, 1:50 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bf98000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 15, 2021, 1:50 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bc8e000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 15, 2021, 1:50 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 15, 2021, 1:50 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 15, 2021, 1:50 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b822000 process_handle: 0xffffffff	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 15, 2021, 1:50 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

23.19.58.52

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

McAfee	RDN/Generic
ESET-NOD32	a variant of Generik.FAHIFDW
Kaspersky	HEUR:Trojan-Downloader.MSOffice.SLoad.gen
BitDefender	Trojan.GenericKD.37800096
MicroWorld-eScan	Trojan.GenericKD.37800096
Ad-Aware	Trojan.GenericKD.37800096
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.37800096
Sophos	Troj/DocDrp-AFZ
Ikarus	Win32.Outbreak
GData	Trojan.GenericKD.37800096
MAX	malware (ai score=82)
ZoneAlarm	HEUR:Trojan-Downloader.MSOffice.SLoad.gen
Microsoft	TrojanDownloader:O97M/EncDoc.AL!MTB

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

23.19.58.52:80