popup

Report - invoice_886558.doc

RTF File doc
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.05.12 17:43 Machine s1_win7_x6402
Filename invoice_886558.doc
Type data
AI Score Not founds Behavior Score
5.0
ZERO API file : clean
VT API (file) 26 detected (Obfuscated, ObfsStrm, Save, Bloodhound, multiple detections, Malicious, score, dinbqn, RtfExp, RTFMALFORM, CVE-2017-1188, CVE2017, Malformed, Malform, Probably Heur, RTFBadHeader, ai score=83)
md5 4a267c16665e6730c7eb3b5db26c0fcb
sha256 e72b40143ada76c9fd7b27294792afac419862552f1fb1c7231411ab9a853375
ssdeep 192:ID84om7k4Mu4ZAJmIAPEfP2567Z0tArgnCArfDCnsF/q/X27tT9iK+Zh6IjlFoB:A84zJMu4KJhfP2OZ0MuCArnwXU5yjLoB
imphash
impfuzzy
  Network IP location

Signature (11cnts)

Level Description
warning File has been identified by 26 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Libraries known to be associated with a CVE were requested (may be False Positive)
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info One or more processes crashed

Rules (1cnts)

Level Name Description Collection
info Rich_Text_Format_Zero Rich Text Format Signature Zero binaries (upload)

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://nbnbnstdyewagedevibx.dns.army/bnbdoc/regasm.exe
whois
Unknown 103.153.77.121 clean
http://bit.do/fQKsw
whois
US AMAZON-AES 54.83.52.76 clean
http://bncoporations.ml/Bn1/fre.php
whois
US CLOUDFLARENET 104.21.55.224 clean
bit.do
whois
US AMAZON-AES 54.83.52.76 mailcious
nbnbnstdyewagedevibx.dns.army
whois
Unknown 103.153.77.121 clean
bncoporations.ml
whois
US CLOUDFLARENET 104.21.55.224 clean
103.153.77.121
whois
Unknown 103.153.77.121 malware
54.83.52.76
whois
US AMAZON-AES 54.83.52.76 suspicious
172.67.173.200
whois
US CLOUDFLARENET 172.67.173.200 clean

Suricata ids

ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ml Domain
ET INFO DNS Query for Suspicious .ml Domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP

Similarity measure (PE file only) - Checking for service failure