Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
10.05 05:10
66f8f23776c09_Displaye...
10.05 02:10
mime-attachment 2
10.05 11:10
66fffb908255c_nnxin.exe
10.05 11:10
66fe13d56fd43_EdgeOUpd...
10.05 11:10
9dd06d870941.exe#d15
10.05 11:10
7f3c2473d1e6.exe#sp_vid
10.05 11:10
f2e7fcb20146.exe#sp_sl
10.05 11:10
956d73b7f041.exe#defau...
10.05 09:10
payload.msi
10.05 09:10
fedf8679e8d2.exe#d12

Latest News
10.05 06:10
IPhone Maker Hon Hai S...
10.05 06:10
Höhere Gerätesicherhei...
10.05 05:10
Phoniebox: A Family-Fr...
10.05 04:10
Clone of TEST BLOG WIL...
10.05 03:10
Anzeige: So gelingt di...
10.05 03:10
KI verstehen mit Excel...
10.05 03:10
Apple Releases Critica...
10.05 02:10
Mechanical Switch Sci-...
10.05 11:10
This Bluetooth GATT Co...
10.05 09:10
Mac Malware with L0Pse...

Summary | ZeroBOX

W-187226415.xlsb

Malicious Library Excel Binary Workbook file format(xlsb)

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 14, 2022, 11:18 a.m.	April 14, 2022, 11:21 a.m.

Size	1.0MB
Type	Microsoft Excel 2007+
MD5	`bed901b1480a2af9b76dc875722ec03a`
SHA256	`2a426033914e399f72f5e82ba4c1da2ef251cd70ef0ab4027822b81129a78a09`
CRC32	`8C83145C`
ssdeep	`24576:O9vBKAnpis3QXPH5sjl+opcMrAm9vBKAnpis3Q+9vBKAnpis3QSVLFUN:C5KA65VSrX5KAV5KAVNFK`
Yara	xlsb - Excel Binary Workbook file format detection Malicious_Library_Zero - Malicious_Library

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\W-187226415.xlsb
2216
- regsvr32.exe regsvr32 C:\Uduw\ehxw1.dll
  2380
- regsvr32.exe regsvr32 C:\Uduw\ehxw2.dll
  820
- regsvr32.exe regsvr32 C:\Uduw\ehxw3.dll
  2564

Name	Response	Post-Analysis Lookup
natalespatagonia.cl	A 192.185.17.132	192.185.17.132
camarajocaclaudino.pb.gov.br	A 162.241.62.76	162.241.62.76
maramaabroo.com	A 31.22.4.117	31.22.4.117

IP Address	Status	Action
162.241.62.76	Active	Moloch
164.124.101.2	Active	Moloch
192.185.17.132	Active	Moloch
31.22.4.117	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.185.17.132:443 -> 192.168.56.102:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49170 -> 192.185.17.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 31.22.4.117:443 -> 192.168.56.102:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49162 -> 31.22.4.117:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49179 -> 162.241.62.76:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49171 -> 192.185.17.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49164 -> 31.22.4.117:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49177 -> 162.241.62.76:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.241.62.76:443 -> 192.168.56.102:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 14, 2022, 11:18 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 14, 2022, 11:18 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b5e1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 14, 2022, 11:18 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b5e3000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 14, 2022, 11:18 a.m.	process_identifier: 820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b5e1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 14, 2022, 11:18 a.m.	process_identifier: 820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b5e3000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 14, 2022, 11:18 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b5e1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 14, 2022, 11:18 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b5e3000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (3 events)

file	C:\Uduw\ehxw2.dll
file	C:\Uduw\ehxw1.dll
file	C:\Uduw\ehxw3.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 14, 2022, 11:18 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000003f0 filepath: C:\Users\test22\AppData\Local\Temp\~$W-187226415.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$W-187226415.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a suspicious process (3 events)

cmdline	regsvr32 C:\Uduw\ehxw2.dll
cmdline	regsvr32 C:\Uduw\ehxw1.dll
cmdline	regsvr32 C:\Uduw\ehxw3.dll

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Sangfor	Malware.Generic-XLM.Save.ma35
Cyren	XF/Agent.BF.gen!Eldorado
Symantec	Scr.MalMacro!gen3
ESET-NOD32	multiple detections
Avast	VBS:Malware-gen
Kaspersky	HEUR:Trojan.Script.Generic
Alibaba	Trojan:Office/Generic.f4b01eba
Rising	Downloader.Agent/XLM!1.DD40 (CLASSIC)
McAfee-GW-Edition	Artemis
GData	Macro.Trojan-Downloader.Agent.BDH
Tencent	Mac.Trojan.Macro40.Pkqz
Fortinet	MSExcel/Agent.AC!tr.dldr
AVG	VBS:Malware-gen

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
URLDownloadToFileW April 14, 2022, 11:18 a.m.	url: https://maramaabroo.com/XGLCPZf6et/Cvnhfn.png stack_pivoted: 0 filepath_r: C:\Uduw\ehxw1.dll filepath: C:\Uduw\ehxw1.dll		2148270085	0
URLDownloadToFileW April 14, 2022, 11:18 a.m.	url: https://natalespatagonia.cl/w2X7dAxp/Cvnhfn.png stack_pivoted: 0 filepath_r: C:\Uduw\ehxw2.dll filepath: C:\Uduw\ehxw2.dll		2148270085	0
URLDownloadToFileW April 14, 2022, 11:18 a.m.	url: https://camarajocaclaudino.pb.gov.br/5jajRnhLV0/Cvnhfn.png stack_pivoted: 0 filepath_r: C:\Uduw\ehxw3.dll filepath: C:\Uduw\ehxw3.dll		2148270085	0

One or more non-whitelisted processes were created (3 events)

parent_process	excel.exe				martian_process	regsvr32 C:\Uduw\ehxw2.dll
parent_process	excel.exe				martian_process	regsvr32 C:\Uduw\ehxw1.dll
parent_process	excel.exe				martian_process	regsvr32 C:\Uduw\ehxw3.dll