31.0.0 Red Diamond
IR
339078
CloudBasic
13:16:03
13/01/2021
DHL-Address.xlsx
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
5de2e8bdb620804fd22d76f1e9fedf6e
942ce29cd8138a1594ee416debf753d8eaa71528
f5c3bea5b81c221bc8737bd8489154745c8d6644d7d19484218151f9a1c1f656
Excel Microsoft Office Open XML Format document (40004/1) 83.33%
true
false
false
false
100
0
100
5
0
5
false
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected AntiVM_3