Joe Sandbox version: 31.0.0 Red Diamond
IR
Analysis ID: 339305
Product: CloudBasic
Start time: 20:41:24
Start date: 13/01/2021
Sample file name: 0AX4532QWSA.xlsx
Cookbook: defaultwindowsofficecookbook.jbs
Analysis system: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture: WINDOWS
MD5: 9b4eeaed62b4b0253a7a3205f771099d
SHA1: e7340dd8904b13bf4dbf842c56479ffdb969287c
SHA256: 9bbe5843787cdc023cff31aaa88ce4b91e52e013d5e4b543323b7eea2f5f51d3
File type: Generic OLE2 / Multistream Compound File (8008/1) 100.00%
Note: an .xlsx written by Office 2007 or later is a ZIP (OOXML) container; an OLE2 compound file under that extension is a legacy binary document, consistent with the embedded Equation Editor object the signatures below point to.
Detection: malicious (suspicious: false, clean: false, unknown: false)
Score: 100 (range 0-100)
Confidence: 5 (range 0-5)
Whitelisted: false
Dropped files (path, flagged malicious, MD5, SHA1, SHA256)

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
  Malicious: false
  MD5:    E4F1E21910443409E81E5B55DC8DE774
  SHA1:   EC0885660BD216D0CDD5E6762B2F595376995BD0
  SHA256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
  Malicious: false
  MD5:    D4AE187B4574036C2D76B6DF8A8C1A30
  SHA1:   B06F409FA14BAB33CBAF4A37811B8740B624D9E5
  SHA256: A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Malicious: false
  MD5:    32E596D60B1420543D1489D6B5044A34
  SHA1:   C67E6926E3CBF559CC6DDD1C5A8D3BBBFF03381C
  SHA256: 4423C7932F2489469DBA6E865A892EE43064AB538CCABACE961A67180A3CD543

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
  Malicious: false
  MD5:    5CEF381E0214BC424AC5B78FDCAF75CA
  SHA1:   54581BE4387033BC4E5A8F2F6582ADB99942040B
  SHA256: 44EB8AB261977454BF1E64CAE389AC2D899EE93C92623CF4E3E85F638A56E656

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe
  Malicious: true
  MD5:    72B76DB11728DD92AA4C3CB45F155B05
  SHA1:   743E9F3600FD98E8F73F0E61DF6EDB1571BD4523
  SHA256: 469EF5404A9F75003F9A50A94BFBBBC339F1F649275FEE87C102F72D4F97443E

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26ECC369.jpeg
  Malicious: false
  MD5:    AA7A56E6A97FFA9390DA10A2EC0C5805
  SHA1:   200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
  SHA256: 56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\825E1F08.jpeg
  Malicious: false
  MD5:    AA7A56E6A97FFA9390DA10A2EC0C5805
  SHA1:   200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
  SHA256: 56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5384863.emf
  Malicious: false
  MD5:    C7141BC7A8B7E57597F8B4911CAE00A3
  SHA1:   802966622B3360818CA9F46E0477DABD3AB1C417
  SHA256: BE7D5C9CC490CFC8FEAD865FDD5AEE3A2025A4815387E649BC40F167B9B65143

C:\Users\user\AppData\Local\Temp\Cab5D20.tmp
  Malicious: false
  MD5:    E4F1E21910443409E81E5B55DC8DE774
  SHA1:   EC0885660BD216D0CDD5E6762B2F595376995BD0
  SHA256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5

C:\Users\user\AppData\Local\Temp\Tar5D21.tmp
  Malicious: false
  MD5:    D0682A3C344DFC62FB18D5A539F81F61
  SHA1:   09D3E9B899785DA377DF2518C6175D70CCF9DA33
  SHA256: 4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A

C:\Users\user\Desktop\~$0AX4532QWSA.xlsx
  Malicious: false
  MD5:    96114D75E30EBD26B572C1FC83D1D02E
  SHA1:   A44EEBDA5EB09862AC46346227F06F8CFAF19407
  SHA256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523

C:\Users\Public\vbc.exe
  Malicious: true
  MD5:    72B76DB11728DD92AA4C3CB45F155B05
  SHA1:   743E9F3600FD98E8F73F0E61DF6EDB1571BD4523
  SHA256: 469EF5404A9F75003F9A50A94BFBBBC339F1F649275FEE87C102F72D4F97443E
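The dropped-file list is worth pivoting on before reading the signatures, because the same SHA-256 turns up under more than one path. The script below is an added example, not part of the sandbox report: it carries the path, malicious flag and SHA-256 of each dropped file transcribed from the list above (MD5 and SHA-1 omitted for brevity), validates the hash format, and groups paths by hash so that one object written to several locations is reported once.

```python
"""Pivot on the dropped-file hashes of a sandbox report.

Added example; DROPPED is transcribed from the report's dropped-file list
(path, malicious flag, SHA-256), with MD5/SHA-1 left out to keep it short.
"""
import re
from collections import defaultdict

SHA256_RE = re.compile(r"^[0-9A-Fa-f]{64}$")

# (path, flagged malicious by the sandbox, SHA-256) as listed in the report.
DROPPED = [
    (r"C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506", False,
     "CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5"),
    (r"C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A", False,
     "A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7"),
    (r"C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506", False,
     "4423C7932F2489469DBA6E865A892EE43064AB538CCABACE961A67180A3CD543"),
    (r"C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A", False,
     "44EB8AB261977454BF1E64CAE389AC2D899EE93C92623CF4E3E85F638A56E656"),
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe", True,
     "469EF5404A9F75003F9A50A94BFBBBC339F1F649275FEE87C102F72D4F97443E"),
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26ECC369.jpeg", False,
     "56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974"),
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\825E1F08.jpeg", False,
     "56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974"),
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5384863.emf", False,
     "BE7D5C9CC490CFC8FEAD865FDD5AEE3A2025A4815387E649BC40F167B9B65143"),
    (r"C:\Users\user\AppData\Local\Temp\Cab5D20.tmp", False,
     "CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5"),
    (r"C:\Users\user\AppData\Local\Temp\Tar5D21.tmp", False,
     "4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A"),
    (r"C:\Users\user\Desktop\~$0AX4532QWSA.xlsx", False,
     "0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523"),
    (r"C:\Users\Public\vbc.exe", True,
     "469EF5404A9F75003F9A50A94BFBBBC339F1F649275FEE87C102F72D4F97443E"),
]


def validate(records):
    """Reject any record whose SHA-256 is not 64 hex digits; return normalized (lowercased) records."""
    out = []
    for path, malicious, sha256 in records:
        if not SHA256_RE.match(sha256):
            raise ValueError(f"bad SHA-256 for {path!r}: {sha256!r}")
        out.append((path, bool(malicious), sha256.lower()))
    return out


def group_by_hash(records):
    """Map each SHA-256 to every path the sandbox saw it written under."""
    groups = defaultdict(list)
    for path, _malicious, sha256 in validate(records):
        groups[sha256].append(path)
    return dict(groups)


def shared_payloads(records):
    """Hashes that appear under more than one path: one object, several drop locations."""
    return {h: paths for h, paths in group_by_hash(records).items() if len(paths) > 1}


def payload_hashes(records):
    """Distinct hashes of the files the sandbox flagged malicious (the values to block)."""
    return {sha256 for _path, malicious, sha256 in validate(records) if malicious}


def ioc_lines(records):
    """'sha256  path' lines for each malicious record, ready for a blocklist or hunt query."""
    return [f"{sha256}  {path}" for path, malicious, sha256 in validate(records) if malicious]


if __name__ == "__main__":
    for h, paths in shared_payloads(DROPPED).items():
        print(h)
        for p in paths:
            print("   ", p)
    print("malicious payload hashes:", sorted(payload_hashes(DROPPED)))
```

Run stand-alone it prints three groups: the CryptnetUrlCache content blob that is also Cab5D20.tmp, the two identical Content.MSO JPEGs, and the one malicious object present as both new[1].exe in the IE cache and vbc.exe under C:\Users\Public. The malicious set collapses to a single hash, which is the indicator to block and hunt for; the two file names are incidental.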
Contacted IPs
  217.174.152.38
  191.96.149.225

Contacted domains (name, flagged malicious, resolved IP)
  gammavilla.org        true   217.174.152.38
  mail.gammavilla.org   true   unknown
Signatures

- .NET source code contains potential unpacker
- Binary contains a suspicious time stamp
- Drops PE files to the user root directory
- Injects a PE file into a foreign process
- Installs a global keyboard hook
- Machine Learning detection for dropped file
- Office equation editor drops PE file
- Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
- Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
- Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
- Sigma detected: Executables Started in Suspicious Folder
- Sigma detected: Execution in Non-Executable Folder
- Sigma detected: Suspicious Program Location Process Starts
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Tries to harvest and steal browser information (history, passwords, etc.)
- Tries to steal mail credentials (via file access)

- Antivirus detection for URL or domain
- Found malware configuration
- Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
- Sigma detected: Droppers Exploiting CVE-2017-11882
- Sigma detected: EQNEDT32.EXE connecting to internet
- Sigma detected: File Dropped By EQNEDT32EXE
- Yara detected AgentTesla
- Yara detected AntiVM_3
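Several entries in the list are Sigma rule titles. To make their logic concrete, here is an added example (not from the report, and not the Sigma project's own rule text) that re-implements four of them in simplified form and runs them over constructed Sysmon-style events. The report contains no process tree or raw event log, so the events, including the parent/child relationships and the destination IP, are assumptions made for illustration; the path prefixes are a subset of those the public rules key on.

```python
"""Simplified re-implementation of four Sigma rule titles from the signature
list, evaluated over constructed Sysmon-style events.

Added example. The event records below are assumptions for illustration (the
report publishes no process tree); the rule conditions paraphrase the public
Sigma rules and are not their exact selections.
"""

EQNEDT = "\\eqnedt32.exe"
EQNEDT_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Subset of the lowercased path prefixes the "Executables Started in Suspicious
# Folder" style rules match on.
SUSPICIOUS_DIRS = (
    "c:\\users\\public\\",
    "c:\\perflogs\\",
    "c:\\$recycle.bin\\",
    "c:\\users\\default\\",
    "c:\\windows\\fonts\\",
)

# Constructed events (Sysmon IDs: 1 = process create, 3 = network connect, 11 = file create).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": EQNEDT_PATH, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 11, "Image": EQNEDT_PATH, "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\vbc.exe", "ParentImage": EQNEDT_PATH},
    {"EventID": 3, "Image": EQNEDT_PATH, "DestinationIp": "217.174.152.38"},
]


def low(event, key):
    """Case-insensitive field access; Windows paths compare case-insensitively."""
    return event.get(key, "").lower()


# Rule title -> predicate over a single event.
RULES = {
    "Droppers Exploiting CVE-2017-11882":
        lambda e: e["EventID"] == 1 and low(e, "ParentImage").endswith(EQNEDT),
    "EQNEDT32.EXE connecting to internet":
        lambda e: e["EventID"] == 3 and low(e, "Image").endswith(EQNEDT),
    "File Dropped By EQNEDT32EXE":
        lambda e: e["EventID"] == 11 and low(e, "Image").endswith(EQNEDT),
    "Executables Started in Suspicious Folder":
        lambda e: e["EventID"] == 1 and low(e, "Image").startswith(SUSPICIOUS_DIRS),
}


def evaluate(events, rules=RULES):
    """Return [(rule_title, event_index), ...] for every rule that matches an event."""
    hits = []
    for i, event in enumerate(events):
        for title, cond in rules.items():
            if cond(event):
                hits.append((title, i))
    return hits


def titles_fired(events, rules=RULES):
    """Sorted, de-duplicated titles of the rules that matched at least one event."""
    return sorted({title for title, _ in evaluate(events, rules)})


if __name__ == "__main__":
    for title, idx in evaluate(EVENTS):
        print(f"[{idx}] {title}: {EVENTS[idx]}")
```

Note that the Equation Editor process itself (event 1) fires nothing: it is launched through DCOM with svchost.exe as parent on every legitimate use, so the signal is in what it spawns, writes and connects to, not in its own start.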