Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
10.05 02:10
mime-attachment 2
10.05 11:10
66fffb908255c_nnxin.exe
10.05 11:10
66fe13d56fd43_EdgeOUpd...
10.05 11:10
9dd06d870941.exe#d15
10.05 11:10
7f3c2473d1e6.exe#sp_vid
10.05 11:10
f2e7fcb20146.exe#sp_sl
10.05 11:10
956d73b7f041.exe#defau...
10.05 09:10
payload.msi
10.05 09:10
fedf8679e8d2.exe#d12
10.05 09:10
segura.vbs

Latest News
10.05 05:10
Phoniebox: A Family-Fr...
10.05 04:10
Clone of TEST BLOG WIL...
10.05 03:10
Anzeige: So gelingt di...
10.05 03:10
KI verstehen mit Excel...
10.05 03:10
Apple Releases Critica...
10.05 02:10
Mechanical Switch Sci-...
10.05 11:10
This Bluetooth GATT Co...
10.05 09:10
Mac Malware with L0Pse...
10.05 09:10
타이거다즐러, 올리브영 온라인몰 입점… ...
10.05 09:10
Ben Horowitz Will Dona...

Summary | ZeroBOX

REJ-507558316-Apr-12.xlsb

VBA_macro Malicious Library Excel Binary Workbook file format(xlsb)

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 13, 2022, 12:09 p.m.	April 13, 2022, 12:12 p.m.

Size	1.2MB
Type	Microsoft Excel 2007+
MD5	`c40dfd30b7298c8fecee2c1dfd04a4ff`
SHA256	`54ec1cd56022272156d9d8fcc48cc00cb05e96f843c139f63aff90c57cb28772`
CRC32	`6E08649B`
ssdeep	`24576:ibT5/NgEa4uiwMIEz3cDnWFBGcMKSWXMgeAZK0jR4kyeMuoN:ifla7q3PYGjMKJXMgNZLOeo`
Yara	xlsb - Excel Binary Workbook file format detection Malicious_Library_Zero - Malicious_Library Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\REJ-507558316-Apr-12.xlsb
2208
- regsvr32.exe regsvr32 /s C:\ProgramData\Ulhdhrthdr.dll
  2448
- regsvr32.exe regsvr32 /s C:\ProgramData\Ulhdhrthdr1.dll
  2464
- regsvr32.exe regsvr32 /s C:\ProgramData\Ulhdhrthdr2.dll
  1676

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.82.127.37	Active	Moloch
51.195.38.33	Active	Moloch
87.236.146.116	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://185.82.127.37/7790983516.dat
suspicious_features	Connection to IP address				suspicious_request	GET http://87.236.146.116/7790983516.dat
suspicious_features	Connection to IP address				suspicious_request	GET http://51.195.38.33/7790983516.dat

Performs some HTTP requests (3 events)

request	GET http://185.82.127.37/7790983516.dat
request	GET http://87.236.146.116/7790983516.dat
request	GET http://51.195.38.33/7790983516.dat

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 13, 2022, 12:09 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b4e3000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (3 events)

file	C:\ProgramData\Ulhdhrthdr2.dll
file	C:\ProgramData\Ulhdhrthdr.dll
file	C:\ProgramData\Ulhdhrthdr1.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 13, 2022, 12:09 p.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000003f0 filepath: C:\Users\test22\AppData\Local\Temp\~$REJ-507558316-Apr-12.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$REJ-507558316-Apr-12.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a suspicious process (3 events)

cmdline	regsvr32 /s C:\ProgramData\Ulhdhrthdr.dll
cmdline	regsvr32 /s C:\ProgramData\Ulhdhrthdr1.dll
cmdline	regsvr32 /s C:\ProgramData\Ulhdhrthdr2.dll

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Sangfor	Malware.Generic-XLM.Save.ma35
Cyren	XF/SneakyBin.E.gen!Eldorado
Avast	VBS:Malware-gen
Kaspersky	HEUR:Trojan.MSOffice.Generic
Tencent	Trojan.MsOffice.Macro40.11003135
GData	Macro.Trojan-Downloader.Agent.BDH
Ikarus	Trojan-Downloader.XLM.Agent
Fortinet	MSOffice/Agent.92DD!tr
AVG	VBS:Malware-gen

Communicates with host for which no DNS query was performed (3 events)

host	185.82.127.37
host	51.195.38.33
host	87.236.146.116

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW April 13, 2022, 12:09 p.m.	url: http://185.82.127.37/7790983516.dat stack_pivoted: 0 filepath_r: C:\ProgramData\Ulhdhrthdr.dll filepath: C:\ProgramData\Ulhdhrthdr.dll		2148270088	0
URLDownloadToFileW April 13, 2022, 12:09 p.m.	url: http://87.236.146.116/7790983516.dat stack_pivoted: 0 filepath_r: C:\ProgramData\Ulhdhrthdr1.dll filepath: C:\ProgramData\Ulhdhrthdr1.dll		2148270088	0
URLDownloadToFileW April 13, 2022, 12:09 p.m.	url: http://51.195.38.33/7790983516.dat stack_pivoted: 0 filepath_r: C:\ProgramData\Ulhdhrthdr2.dll filepath: C:\ProgramData\Ulhdhrthdr2.dll		2148270088	0

One or more non-whitelisted processes were created (3 events)

parent_process	excel.exe				martian_process	regsvr32 /s C:\ProgramData\Ulhdhrthdr.dll
parent_process	excel.exe				martian_process	regsvr32 /s C:\ProgramData\Ulhdhrthdr1.dll
parent_process	excel.exe				martian_process	regsvr32 /s C:\ProgramData\Ulhdhrthdr2.dll