Loading ...

Play interactive tourEdit tour

Analysis Report form_968802.xls

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:223418
Start date:17.04.2020
Start time:18:29:02
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 34s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:form_968802.xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Run name:Without Instrumentation
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal68.expl.evad.winXLS@5/13@1/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 172.217.168.68
  • Excluded domains from analysis (whitelisted): www.google.com

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold680 - 100falsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification Spiderchart

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsCommand-Line Interface1Winlogon Helper DLLProcess Injection1Masquerading1Credential DumpingFile and Directory Discovery1Remote File Copy2Data from Local SystemData CompressedRemote File Copy2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaRundll321Port MonitorsAccessibility FeaturesDisabling Security Tools1Network SniffingSystem Information Discovery2Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Non-Application Layer Protocol2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesScripting21Accessibility FeaturesPath InterceptionModify Registry1Input CaptureQuery RegistryWindows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Application Layer Protocol12Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseExploitation for Client Execution23System FirmwareDLL Search Order HijackingProcess Injection1Credentials in FilesSystem Network Configuration DiscoveryLogon ScriptsInput CaptureData EncryptedMultiband CommunicationSIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationGraphical User Interface2Shortcut ModificationFile System Permissions WeaknessRundll321Account ManipulationRemote System DiscoveryShared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolManipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceScripting21Brute ForceSystem Owner/User DiscoveryThird-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features

Signature Overview

Click to jump to signature section


Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\reg.exeJump to behavior
Potential document exploit detected (performs DNS queries)Show sources
Source: global trafficDNS query: name: rksinha.com
Potential document exploit detected (performs HTTP gets)Show sources
Source: global trafficTCP traffic: 192.168.2.2:49159 -> 142.93.221.151:80
Potential document exploit detected (unknown TCP traffic)Show sources
Source: global trafficTCP traffic: 192.168.2.2:49159 -> 142.93.221.151:80

Networking:

barindex
IP address seen in connection with other malwareShow sources
Source: Joe Sandbox ViewIP Address: 142.93.221.151 142.93.221.151
Uses a known web browser user agent for HTTP communicationShow sources
Source: global trafficHTTP traffic detected: GET /wp-content/themes/calliope/wp-front.php HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rksinha.comConnection: Keep-Alive
Downloads filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C8K6Q49\Q5JUGUDL.htmJump to behavior
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /wp-content/themes/calliope/wp-front.php HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rksinha.comConnection: Keep-Alive
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: rksinha.com
Urls found in memory or binary dataShow sources
Source: CVR6946.tmp.cvr.0.drString found in binary or memory: http://schema.org/WebPage
Source: CVR6946.tmp.cvr.0.drString found in binary or memory: https://adservice.google.com/adsid/google/ui

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 4Screenshot OCR: Enable Content. 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 i' ' ' 'i Sheetl tj 'I
Found Excel 4.0 Macro with suspicious formulasShow sources
Source: form_968802.xlsInitial sample: CALL
Found obfuscated Excel 4.0 MacroShow sources
Source: form_968802.xlsInitial sample: High usage of CHAR() function: 1194
Document contains embedded VBA macrosShow sources
Source: form_968802.xlsOLE indicator, VBA macros: true
Unable to load, office file is protected or invalidShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow title found: microsoft excel okthe workbook cannot be opened or repaired by microsoft excel because it's corrupt.
Uses reg.exe to modify the Windows registryShow sources
Source: unknownProcess created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' EXPORT HKCU\Software\Microsoft\Office\14.0\Excel\Security C:\Users\Public\9562.reg /y
Yara signature matchShow sources
Source: form_968802.xls, type: SAMPLEMatched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Classification labelShow sources
Source: classification engineClassification label: mal68.expl.evad.winXLS@5/13@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$form_968802.xlsJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF3D8.tmpJump to behavior
Document contains an OLE Workbook stream indicating a Microsoft Excel fileShow sources
Source: form_968802.xlsOLE indicator, Workbook stream: true
Found command line outputShow sources
Source: C:\Windows\System32\reg.exeConsole Write: ...........u..0.....T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N...X...........Jump to behavior
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Runs a DLL by calling functionsShow sources
Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\Public\CVR6946.tmp.cvr,DllRegisterServer
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknownProcess created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' EXPORT HKCU\Software\Microsoft\Office\14.0\Excel\Security C:\Users\Public\9562.reg /y
Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\Public\CVR6946.tmp.cvr,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' EXPORT HKCU\Software\Microsoft\Office\14.0\Excel\Security C:\Users\Public\9562.reg /yJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\Public\CVR6946.tmp.cvr,DllRegisterServerJump to behavior
Found GUI installer (many successful clicks)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEAutomated click: OK
Source: C:\Windows\System32\rundll32.exeAutomated click: OK
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
Document has a 'comments' value indicative of goodwareShow sources
Source: form_968802.xlsInitial sample: OLE summary comments = qdgJ2DVaP8n3fSHG7Go
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
form_968802.xls0%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
rksinha.com0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://rksinha.com/wp-content/themes/calliope/wp-front.php1%VirustotalBrowse
http://rksinha.com/wp-content/themes/calliope/wp-front.php0%Avira URL Cloudsafe

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
form_968802.xlsSUSP_Excel4Macro_AutoOpenDetects Excel4 macro use with auto open / closeJohn Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x3126c:$s1: Excel
  • 0x3193a:$s1: Excel
  • 0x32072:$s1: Excel
  • 0x321eb:$s1: Excel
  • 0x3260e:$s1: Excel
  • 0x358b:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview


System Summary:

barindex
Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis: Data: Command: 'C:\Windows\system32\rundll32.exe' C:\Users\Public\CVR6946.tmp.cvr,DllRegisterServer, CommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\Public\CVR6946.tmp.cvr,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 4068, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\Public\CVR6946.tmp.cvr,DllRegisterServer, ProcessId: 1156

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
142.93.221.151form_968802.xlsGet hashmaliciousBrowse
  • rksinha.com/wp-content/themes/calliope/wp-front.php
form_968802.xlsGet hashmaliciousBrowse
  • rksinha.com/wp-content/themes/calliope/wp-front.php
order-222742.xlsGet hashmaliciousBrowse
  • rksinha.com/wp-content/themes/calliope/wp-front.php
order-222742.xlsGet hashmaliciousBrowse
  • rksinha.com/wp-content/themes/calliope/wp-front.php
order-222742.xlsGet hashmaliciousBrowse
  • rksinha.com/wp-content/themes/calliope/wp-front.php
Unpaid.invoice-645003.xlsGet hashmaliciousBrowse
  • rksinha.com//wp-content/themes/calliope/wp_data.php
Unpaid.invoice-645003.xlsGet hashmaliciousBrowse
  • rksinha.com//wp-content/themes/calliope/wp_data.php

Domains

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
rksinha.comform_968802.xlsGet hashmaliciousBrowse
  • 142.93.221.151
order-222742.xlsGet hashmaliciousBrowse
  • 142.93.221.151
order-222742.xlsGet hashmaliciousBrowse
  • 142.93.221.151
order-222742.xlsGet hashmaliciousBrowse
  • 142.93.221.151
Unpaid.invoice-645003.xlsGet hashmaliciousBrowse
  • 142.93.221.151
Unpaid.invoice-645003.xlsGet hashmaliciousBrowse
  • 142.93.221.151

ASN

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
unknownPrnnmouKijGet hashmaliciousBrowse
  • 54.225.66.103
No3790.xlsGet hashmaliciousBrowse
  • 198.251.81.225
form_968802.xlsGet hashmaliciousBrowse
  • 168.62.57.154
http://snowspirations.com/differ/66525898.zipGet hashmaliciousBrowse
  • 127.0.0.1
No3790.xlsGet hashmaliciousBrowse
  • 198.251.81.225
form_968802.xlsGet hashmaliciousBrowse
  • 142.93.221.151
https://besthack.co/differ/88259.zipGet hashmaliciousBrowse
  • 127.0.0.1
https://sweetrsnd.com/differ/603318385/603318385.zipGet hashmaliciousBrowse
  • 127.0.0.1
http://formsite.marketingmessengerbot.com/screen_.php?_dfEERifoGfjgvSwqq__ew0dXXskdcZmaspowwwq______________doffkvlgpPdkfjgggWqqweRe=james.worraker@hitachicapital.co.ukGet hashmaliciousBrowse
  • 199.192.30.36
NUM_33418.vbsGet hashmaliciousBrowse
  • 127.0.0.1
PAYMENT_119091031_LEGA.jarGet hashmaliciousBrowse
  • 66.171.248.178
https://packwoodwifi.com/differ/140044.zipGet hashmaliciousBrowse
  • 127.0.0.1
order-222742.xlsGet hashmaliciousBrowse
  • 142.93.221.151
PAYMENT_119091031_LEGA.jarGet hashmaliciousBrowse
  • 66.171.248.178
order-222742.xlsGet hashmaliciousBrowse
  • 52.114.75.78
order-222742.xlsGet hashmaliciousBrowse
  • 142.93.221.151
f_000418.exeGet hashmaliciousBrowse
  • 5.62.40.86
http://feylibertad.org/Amazon-PO20023938.jarGet hashmaliciousBrowse
  • 104.27.174.207
MyRadar-Pro- 8.1.0.apkGet hashmaliciousBrowse
  • 104.16.214.7
StockPurchaseAgreement_12.docGet hashmaliciousBrowse
  • 103.138.188.58

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.