Report - SNC-1858911127-Apr-6.xlsb

Malicious Library, Excel Binary Workbook file format (xlsb)
Created 2022.04.07 11:26
Machine s1_win7_x6403
Filename SNC-1858911127-Apr-6.xlsb
Type Microsoft Excel 2007+
AI Score Not found
Behavior Score 6.2
ZERO API file : clean
VT API (file)
md5 f6d94e2b57f5dd80c4f1dcbbbc36688f
sha256 734610e3935c3b63360e20154f719f5e2a403cc2ac815dd57c428020def5d785
ssdeep 24576:mF+BnmJkeGC2PbA/HMoNYIPeuVe2HHCkm6CyIwl6hafINeWHWR72vF+BnmJkeGC9:aymaeGC9YSeQHCkXC/wl6LcW2929ymaW
imphash (not applicable: computed only for PE files)
impfuzzy (not applicable: computed only for PE files)

Signatures (13)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running)
watch Communicates with host for which no DNS query was performed
watch Network communications indicative of a potential document or script payload download were initiated by the process excel.exe
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info One or more processes crashed

Rules (2)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info xlsb Excel Binary Workbook file format detection binaries (upload)
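
The "xlsb Excel Binary Workbook file format detection" rule above is a structural check on the container. The Python below is an added example, not the sandbox's own rule code: it confirms the ZIP container, the binary workbook part that distinguishes .xlsb from .xlsx/.xlsm, and the presence of a VBA project (xl/vbaProject.bin) or Excel 4.0 macro sheets (xl/macrosheets/), and it compares a file's SHA-256 against the hash in the report. The sample containers are constructed in memory so the script runs offline; the report does not state which mechanism this particular workbook used, so the checks are generic.

```python
"""Static triage of an Excel Binary Workbook (.xlsb).

An .xlsb is an OOXML ZIP container whose workbook parts are binary
(xl/workbook.bin, xl/worksheets/sheetN.bin) instead of XML; a VBA project,
if any, lives in xl/vbaProject.bin and Excel 4.0 macro sheets under
xl/macrosheets/. The sample containers here are constructed in memory.
"""
import hashlib
import io
import zipfile

# Hashes copied from the report, for checking a copy of the sample on disk.
REPORT_MD5 = "f6d94e2b57f5dd80c4f1dcbbbc36688f"
REPORT_SHA256 = "734610e3935c3b63360e20154f719f5e2a403cc2ac815dd57c428020def5d785"

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFB header; vbaProject.bin is an OLE file


def file_hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_report(data: bytes) -> bool:
    """True if the bytes are exactly the sample this report describes."""
    return file_hashes(data)["sha256"] == REPORT_SHA256


def triage_xlsb(data: bytes) -> dict:
    """Return format and macro indicators for an OOXML byte blob."""
    result = {"is_zip": False, "is_xlsb": False, "has_vba": False,
              "vba_is_ole": False, "has_xlm": False, "parts": []}
    if not data.startswith(ZIP_MAGIC):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["parts"] = names
        # xl/workbook.bin (rather than workbook.xml) marks the binary workbook format.
        result["is_xlsb"] = "xl/workbook.bin" in names
        result["has_xlm"] = any(n.startswith("xl/macrosheets/") for n in names)
        if "xl/vbaProject.bin" in names:
            result["has_vba"] = True
            result["vba_is_ole"] = zf.read("xl/vbaProject.bin").startswith(OLE_MAGIC)
    return result


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal .xlsb-shaped container; part bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.bin", b"\x00" * 16)
        zf.writestr("xl/worksheets/sheet1.bin", b"\x00" * 16)
        if with_vba:
            zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(triage_xlsb(build_sample(flag)))
```

Absence of xl/vbaProject.bin and xl/macrosheets/ is not a clean verdict: the report's own classification rests on the runtime behaviour listed in the Signatures section, not on container structure, so use this check for routing and hash verification rather than as a detector.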

Network (5)

Request | CC | ASN Co | IP4 | Rule | ZERO
http://91.234.254.131/7790983516.dat | NL | WorldStream B.V. | 91.234.254.131 | 15827 | malicious
http://212.46.38.179/7790983516.dat | SA | Saudi Business Machines Ltd | 212.46.38.179 | 15828 | malicious
212.46.38.179 | SA | Saudi Business Machines Ltd | 212.46.38.179 | | malicious
104.225.129.111 | US | FIBERHUB | 104.225.129.111 | | malicious
91.234.254.131 | NL | WorldStream B.V. | 91.234.254.131 | | malicious
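
Both payload fetches above are HTTP requests to literal IP addresses from excel.exe, which is exactly what the two "watch" signatures (no DNS query for the host; payload download initiated by an Office process) describe. The Python below is an added example, not the sandbox's signature code: it re-implements those two signatures over a constructed event stream and matches the stream against the URLs and IPs from the Network table. The event schema (dns/http records carrying the process name) and the file-extension list used to approximate "document or script payload" are assumptions.

```python
"""Two of the report's behaviour signatures plus IOC matching, re-implemented
over a constructed event stream.

Event schema (assumed, not the sandbox's): dicts with 'type' in {'dns', 'http'},
'process', and either 'query' (dns) or 'url' and 'dst' (http), in time order.
"""
from urllib.parse import urlparse

# Network IOCs copied from the report's Network table.
REPORT_URLS = {
    "http://91.234.254.131/7790983516.dat",
    "http://212.46.38.179/7790983516.dat",
}
REPORT_IPS = {"91.234.254.131", "212.46.38.179", "104.225.129.111"}

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumed approximation of "document or script payload": by extension, not content.
PAYLOAD_EXTS = (".dat", ".exe", ".dll", ".bin", ".vbs", ".js", ".ps1", ".hta")

# Constructed events: the .dat fetches use bare IPs, so no DNS query precedes them.
EVENTS = [
    {"type": "dns", "process": "excel.exe", "query": "office.com"},
    {"type": "http", "process": "excel.exe",
     "url": "http://91.234.254.131/7790983516.dat", "dst": "91.234.254.131"},
    {"type": "http", "process": "excel.exe",
     "url": "http://212.46.38.179/7790983516.dat", "dst": "212.46.38.179"},
    {"type": "dns", "process": "chrome.exe", "query": "example.com"},
    {"type": "http", "process": "chrome.exe",  # benign control, RFC 5737 address
     "url": "http://example.com/index.html", "dst": "203.0.113.10"},
]


def analyse(events):
    """Return (level, rule, indicator, process) tuples, one per hit."""
    resolved = set()
    findings = []
    for ev in events:
        if ev["type"] == "dns":
            resolved.add(ev["query"].lower())
            continue
        if ev["type"] != "http":
            continue
        parsed = urlparse(ev["url"])
        host = (parsed.hostname or "").lower()
        proc = ev["process"].lower()
        # watch: Communicates with host for which no DNS query was performed.
        # A literal-IP host can never have been resolved, so it always fires.
        if host not in resolved:
            findings.append(("watch", "no_dns_for_host", ev["dst"], proc))
        # watch: payload download initiated by an Office process.
        if proc in OFFICE_PROCESSES and parsed.path.lower().endswith(PAYLOAD_EXTS):
            findings.append(("watch", "office_payload_download", ev["url"], proc))
        # Exact match against this report's network IOCs.
        if ev["url"] in REPORT_URLS or ev["dst"] in REPORT_IPS:
            findings.append(("ioc", "report_network_ioc", ev["dst"], proc))
    return findings


def summary(events):
    """Count hits per rule name."""
    counts = {}
    for _, rule, _, _ in analyse(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in analyse(EVENTS):
        print(hit)
    print(summary(EVENTS))
```

The no-DNS heuristic also fires for hosts resolved from a cache or hosts file before capture started, so in production it is a triage signal to pair with the process context, as the sandbox does here, rather than an alert on its own. The IOC match is exact; the payload name 7790983516.dat and the two servers are what this sample used, and a reissued lure will change both.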

Suricata ids
