Analysis Report payment_2020_06_819990.xls

Overview

General Information

Sample Name: payment_2020_06_819990.xls
Analysis ID: 251103
MD5: 17d603d556addf3dac0921b5be308190
SHA1: 1191e89412f1beb5b970ef0e91358944f9e1491e
SHA256: 28f8a535c9ae4b1609e1229f4e676c3ea49678181e141e2fdbd964b4c4e3bc07

Detection

Hidden Macro 4.0 Trickbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Delayed program exit found
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
May check the online IP address of the machine
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Domain name seen in connection with other malware
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Yara signature match

Classification