Loading ...

Play interactive tourEdit tour

Analysis Report 6Cprm97UTl

Overview

General Information

Sample Name:6Cprm97UTl (renamed file extension from none to xls)
Analysis ID:336301
MD5:29c8b5edc30eadf757b72b0a14857903
SHA1:77d432fb96a0a453bae30107990c2c9ee0314330
SHA256:a174abce368b775138c203d66fa8a3845aead2d53d87f220c58a2fe8ee7d9cf0

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Lokibot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Lokibot
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Document exploit detected (process start blacklist hit)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification