Analysis Report Dridex-06-bc1b.xlsm
Overview
General Information
Detection
Score: | 64 (range 0 - 100) |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup | (empty in this export) |
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample | Source: Avira |
Multi AV Scanner detection for submitted file | Source: Virustotal, ReversingLabs |
Compliance: |
---|
Uses new MSVCR Dlls | Source: File opened |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) | Source: Section loaded |
Document exploit detected (process start blacklist hit) | Source: Process created; File created |
Both "exploit" signatures are heuristics. The first fires on a DLL being mapped into the Office process and is not evidence that anything was downloaded; this report records no contacted domains, no contacted IPs and no network behavior. The second fires when Office starts a blacklisted child process; the only children listed under System Behavior are DW20.EXE and DWWIN.EXE, the Office and Windows error-reporting clients, which points to Excel crashing rather than to a confirmed exploit.
Further signature sources (the signature names and the source values were not preserved in this export; only the evidence types and their counts survive):
Source type | Entries |
---|---|
String found in binary or memory | 12 |
Binary or memory string | 4 |
OLE, VBA macro line | 1 |
OLE indicator, VBA macros | 1 |
Process created | 7 |
File created | 2 |
File read | 1 |
File opened | 1 |
Mutant created | 1 |
Key opened | 2 |
Key value queried | 1 |
Process information set | 21 |
Process information queried | 1 |
Window detected | 1 |
Window / User API | 1 |
Classification label | 1 |
Initial sample | 4 |
Virustotal | 1 |
ReversingLabs | 1 |
Mitre Att&ck Matrix |
---|
Only techniques carrying a signature reference are listed; the full technique menu that fills out the matrix in the original report (including the Network Effects and Remote Service Effects columns, which have no hits) is omitted. The digits are the superscript signature references exactly as they appear in the report.
Tactic | Technique | Reference |
---|---|---|
Execution | Scripting | 2 |
Execution | Exploitation for Client Execution | 2 |
Privilege Escalation | Process Injection | 12 |
Defense Evasion | Masquerading | 1 |
Defense Evasion | Process Injection | 12 |
Defense Evasion | Scripting | 2 |
Discovery | Process Discovery | 2 |
Discovery | Application Window Discovery | 1 |
Discovery | File and Directory Discovery | 1 |
Discovery | System Information Discovery | 2 |
Command and Control | Ingress Tool Transfer | 1 |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner | Label |
---|---|---|
51% | Virustotal | |
5% | Metadefender | |
59% | ReversingLabs | Document-Word.Trojan.Ursnif |
100% | Avira | W2000M/Agent.1970033 |
The only family-specific label (ReversingLabs: Ursnif) does not match the "Dridex" in the submitted file name, which is the submitter's own naming. The report itself makes no family attribution; neither the file name nor a single vendor label should be read as one.
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Detection | Scanner | Label |
---|---|---|
0% | URL Reputation | safe (8 URLs; the URL strings were not preserved in this export) |
0% | Avira URL Cloud | safe (1 URL) |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Nine URL strings were found in memory or binaries (the strings themselves were not preserved in this export). None is marked malicious and none has an antivirus detection; reputation is "high" for six, "unknown" for two and "low" for one.
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 344478 |
Start date: | 26.01.2021 |
Start time: | 16:27:54 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 14m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Dridex-06-bc1b.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Run name: | Without Instrumentation |
Number of new started processes analysed: | 5 (three are detailed under System Behavior) |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | (not preserved in this export) |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal64.expl.winXLSM@5/6@0/0 (verdict and score, the "expl" exploit tag, platform and file type, then processes/dropped files and contacted domains/IPs: 5 processes, 6 dropped files, 0 domains, 0 IPs, matching the counts elsewhere in this report) |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | (not preserved in this export) |
Cookbook Comments: | (not preserved in this export) |
Warnings: | (not preserved in this export) |
Caveat on the environment: the sample's own metadata (Application Version 16.0300 under Static OLE Info) shows it was saved by an Office 16.x build, while it was detonated in Office 2010 SP2. Together with the Timeout stop reason, the error-reporting child processes under System Behavior and the absence of any network activity, this run should not be read as a full detonation of the macro payload.
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
16:28:55 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
All six files below were written by C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; names and file-type strings were not preserved in this export, so only sizes, entropy and hashes remain. Five are marked Malicious: false. The sixth (165 bytes, entropy 1.44) is marked Malicious: true while its Reputation field reads "high, very likely benign file"; the two fields disagree, so the flag should be checked against the file itself rather than taken at face value.
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1005 |
Entropy (8bit): | 7.551834228633037 |
Encrypted: | false |
SSDEEP: | 24:aB2uoC0w2bONUV99upE4ZXn8bf4F0T+xAlO6y:BuoBwawUV99/4ZXn8bT6AOf |
MD5: | DA5C67B7042BB04E6BFB9F60D9470287 |
SHA1: | BFBDC4596111EF5D95183DB0526353CBCA84C43F |
SHA-256: | 0522D7C7600F1DD56346450DFE1466BA51CFEBCD095CD3154FB30DC563F96763 |
SHA-512: | D16BCF49A56F0FB926DB7C8DA413A976E1D0F53DA5EA73B729A5D11FFCF42FA149D17D3587A3DF56665C6CAAC44F903CA5D0278DCFDA8FE3C43318724C3507EE |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1976 |
Entropy (8bit): | 1.9759705070369498 |
Encrypted: | false |
SSDEEP: | 12:Yn9e/kaHslqLYp0FIQ4+P/k1EijBdShS8u1NnNlou1NRztDAcqdckgDWojkMXNVf:YniVH9a0x4I8BAKNHoKNfDn9tUs0zCp |
MD5: | 1C7221B8A7104792FDEEA41E5D7BA0D0 |
SHA1: | D49122E2BF94D92ED067570D638B672855C05893 |
SHA-256: | 76F287B1E3251B7E0E5BA27BFB05B35831150CC665DE00F9FD2D807E2D2A028D |
SHA-512: | 928EF6FCCDB96A4AADD35D36171F3D09DE5605A70FE505862A294F089FEF53E697426017D3973B9BCAFF8D579A8A85C38943DCF47C5C5DD1187AB1A20D50E473 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 5305 |
Entropy (8bit): | 7.83628317482236 |
Encrypted: | false |
SSDEEP: | 96:ndsgj5y6EGgWKW/WkPsLhsKto+bDOukamzejtjcF+6QTzys5kcWCgupHLib:ndsgjI6RdKcXOn9b9vmUgs6QXys+NYW |
MD5: | 31F86AA3BD1ADA53D99B7BBEF6A1DEFC |
SHA1: | 148331C2D5EB437437D48ABE51866384D7154044 |
SHA-256: | E0EC55345EDC7EF4BBE4F20ABD6F8FE965475C632766FAE6CA1853674F2DC34C |
SHA-512: | 96D1DC354DCB3A262B997A98E83A0162F0F9E93050C7BC952B46FB886336C1C6370B3D5A9316039FD84211161F34BA3A866B8DFD385323551743674A24FF7B39 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 944 |
Entropy (8bit): | 2.804053645867569 |
Encrypted: | false |
SSDEEP: | 24:0Cll/QamvsthF9KZqnxAUZHoaiqQsbt0IFBlQr85R6:0Cll/Q52CA3sqnmI7er8e |
MD5: | E55D9854B48468137B4BE7946D2E4D4D |
SHA1: | E14FBF8F2D4D5523834FF3C99DE5690A7592B14C |
SHA-256: | DA8C4B2C1339F89EE846B16D3030B828705984F109F1F66E25B5CB673A822092 |
SHA-512: | FE30A236BD0D9872CB4A762051359AD79D31B23A0879E5F0933FE63A8C29566A10204F02546A184208CCDAA2ABF27F67D188F51EF4BB9975A71CFA33DCF03E86 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 241332 |
Entropy (8bit): | 4.206850792807328 |
Encrypted: | false |
SSDEEP: | 1536:cGDEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsLm:cSZNSk8DtKBrpb2vxrOpprf/nVq |
MD5: | 47FB0AEC60B0CC92888C17917249762D |
SHA1: | 6C086BD344A6CCBF212633358A5D3C6DFDB44A49 |
SHA-256: | 047A907BABD5E1BB1F963BE8364F765FBAF7D2E70649D0229536E009BB2A281E |
SHA-512: | AF997268A820D41C888C1C47643C133D03739A2EDE504AD3223BB1983BCF16369F68B362E009950DEAA264073FEBDFB80B2588FE1E2BC997175C357E7D007520 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | (empty in this export; the content preview below starts with the ZIP signature "PK" followed by [Content_Types].xml, i.e. an Office Open XML container) |
Entropy (8bit): | 7.6136938439046835 |
TrID: | (empty in this export) |
File name: | Dridex-06-bc1b.xlsm (the suffix matches the last four hex digits of the SHA256 below; the family name in the file name is the submitter's) |
File size: | 29655 |
MD5: | f72f88ebdf048fdfedf0aa3e298d9e71 |
SHA1: | b8ea58415338bed65d4cd194ead6ac663ad71a6c |
SHA256: | 78ccf25ecee02f759cefa6b1c29a00fb4ce64c000f7b9c04c1fc08e04d04bc1b |
SHA512: | 0c6d96fcda11df417cfd48d51753d5a6334d80df04b3709ccbfc8a2d5d073822ad606da49e99c724a9d5bd16a98a623f2f9f3a2cbfe2b01bc668f44991db2903 |
SSDEEP: | 384:flRwzF2FBLDDBf2kbi+lj4YhX8rRI6vXO9BvGiSmDU+P4QRdUgE5cF9Y3XF:fDAFqP1u6NsrRzXO+iSkU+waSxcF9YnF |
File Content Preview: | PK..........!.c...............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 2 |
OLE File "/opt/package/joesandbox/database/analysis/344478/sample/Dridex-06-bc1b.xlsm" (first container: the VBA project, holding the PROJECT, PROJECTwm, VBA/_VBA_PROJECT, VBA/dir and module streams) |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Author: | |
Last Saved By: | |
Create Time: | 2020-11-24T09:53:01Z |
Last Saved Time: | 2020-11-24T11:16:24Z |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0300 |
Streams with VBA |
---|
VBA File Name: Foglio1.cls, Stream Size: 2640 |
---|
General | |
---|---|
Stream Path: | VBA/Foglio1 |
VBA File Name: | Foglio1.cls |
Stream Size: | 2640 |
Data ASCII: | . . . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . p . . N . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . p a g o U n o , 1 0 , 0 , M S F o r m s , F r a m e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . |
Data Raw: | 01 16 03 00 00 12 01 00 00 fc 03 00 00 f6 00 00 00 22 02 00 00 ff ff ff ff 03 04 00 00 a7 07 00 00 00 00 00 00 01 00 00 00 70 fe ed 4e 00 00 ff ff 63 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
PagamentoDocumento |
VB_Name |
VB_Creatable |
Application.OnTime |
VB_Exposed |
Frame" |
Len(n) |
VB_Control |
"TURN()": |
VB_Customizable |
"Aut" |
ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants): |
"=RE" |
Replace(E, |
"pagoUno, |
"BarUno" |
Chr(Asc(Mid(n, |
Split(u, |
PagamentoDocumento() |
VB_TemplateDerived |
MSForms, |
False |
excell() |
excell |
Attribute |
Private |
VB_PredeclaredId |
VB_GlobalNameSpace |
pagoUno_Layout() |
VB_Base |
VBA Code |
---|
Not reproduced in this export. What the keyword list shows: pagoUno is an MSForms Frame control embedded in the sheet ("pagoUno, 10, 0, MSForms, Frame") and pagoUno_Layout() is its Layout event handler, an entry point that fires when the control is sized as the sheet renders, so the code runs without an Auto_Open or Workbook_Open procedure. Application.OnTime defers a later call; ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants) collects the sheet's constant cells; Chr(Asc(Mid(n, ...))) together with Replace and Split rebuilds strings one character at a time. The literals "=RE" and "TURN()" concatenate to =RETURN(), the Excel 4.0 macro terminator, and "Aut" is consistent with a fragment of an Auto_* name, so the decoded cell contents are very likely Excel 4.0 macro formulas. Module and procedure names are Italian (Foglio1 = Sheet1, PagamentoDocumento = payment document). |
VBA File Name: Modulo1.bas, Stream Size: 889 |
---|
General | |
---|---|
Stream Path: | VBA/Modulo1 |
VBA File Name: | Modulo1.bas |
Stream Size: | 889 |
Data ASCII: | . . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 19 03 00 00 00 00 00 00 01 00 00 00 70 fe a5 6b 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
Attribute |
VB_Name |
BarUno() |
ActiveWorkbook.Close |
VBA Code |
---|
Not reproduced in this export. The keywords show a single procedure, BarUno(), that calls ActiveWorkbook.Close and so closes the document. Foglio1 contains the literal "BarUno", which is consistent with the sheet module passing this procedure name to Application.OnTime (the Procedure argument is a string). |
VBA File Name: Questa_cartella_di_lavoro.cls, Stream Size: 1014 |
---|
General | |
---|---|
Stream Path: | VBA/Questa_cartella_di_lavoro |
VBA File Name: | Questa_cartella_di_lavoro.cls |
Stream Size: | 1014 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . p . . k . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 70 fe 1e 6b 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
"Questa_cartella_di_lavoro" |
False |
VB_Exposed |
Attribute |
VB_Name |
VB_Creatable |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
Not reproduced in this export. The keyword list contains only module attributes and no procedure names, so the workbook module (Questa_cartella_di_lavoro is Italian for ThisWorkbook) shows no Workbook_Open handler; the entry point is in Foglio1. |
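The keyword tables above are all that survives of the macro in this export. The following Python is an added example, not code from the report or from Joe Sandbox: it runs a handful of triage rules over the three keyword lists, copied verbatim from the tables. It joins pairs of quoted literals to recover split Excel 4.0 tokens such as =RETURN(), flags the MSForms control event handler used as an entry point, and flags the scheduling, cell-harvesting, character-decoding and self-closing calls. The rule names, weights and token list are this example's own choices.

```python
"""Triage rules over VBA keyword lists (added example, not report code).

The three keyword lists are copied from the report's 'VBA Code Keywords'
tables. The rule names, weights and XLM token list are this example's own.
"""
import re
from typing import Dict, List, Tuple

FOGLIO1 = [
    "PagamentoDocumento", "VB_Name", "VB_Creatable", "Application.OnTime",
    "VB_Exposed", 'Frame"', "Len(n)", "VB_Control", '"TURN()":',
    "VB_Customizable", '"Aut"',
    "ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants):", '"=RE"',
    "Replace(E,", '"pagoUno,', '"BarUno"', "Chr(Asc(Mid(n,", "Split(u,",
    "PagamentoDocumento()", "VB_TemplateDerived", "MSForms,", "False",
    "excell()", "excell", "Attribute", "Private", "VB_PredeclaredId",
    "VB_GlobalNameSpace", "pagoUno_Layout()", "VB_Base",
]
MODULO1 = ["Attribute", "VB_Name", "BarUno()", "ActiveWorkbook.Close"]
QUESTA_CARTELLA = [
    '"Questa_cartella_di_lavoro"', "False", "VB_Exposed", "Attribute",
    "VB_Name", "VB_Creatable", "VB_PredeclaredId", "VB_GlobalNameSpace",
    "VB_Base", "VB_Customizable", "VB_TemplateDerived",
]
MODULES = {"Foglio1": FOGLIO1, "Modulo1": MODULO1,
           "Questa_cartella_di_lavoro": QUESTA_CARTELLA}

# Tokens that droppers commonly split into two literals so that no single
# string matches a signature: Excel 4.0 formulas plus auto-start names.
TOKENS = ("=RETURN()", "=HALT()", "=EXEC(", "=CALL(", "=FORMULA(",
          "Auto_Open", "Auto_Close", "Workbook_Open")
WEIGHTS = {"event_autostart": 3, "split_token": 3, "token_prefix": 1,
           "char_decode": 2, "cell_harvest": 2, "delayed_exec": 1,
           "self_close": 1}


def quoted_literals(keywords: List[str]) -> List[str]:
    """Return the contents of complete double-quoted literals, in order."""
    out: List[str] = []
    for kw in keywords:
        out.extend(re.findall(r'"([^"]*)"', kw))
    return out


def recombine(literals: List[str]) -> Tuple[List[str], List[str]]:
    """Join every ordered pair of literals; report full token matches and,
    separately, lone literals that are a strict prefix of a token."""
    full, used = [], set()
    for i, a in enumerate(literals):
        for j, b in enumerate(literals):
            if i != j and a + b in TOKENS:
                full.append(a + b)
                used.update((i, j))
    prefixes = [lit for i, lit in enumerate(literals)
                if i not in used and len(lit) >= 3
                and any(t.startswith(lit) and t != lit for t in TOKENS)]
    return full, prefixes


def triage(keywords: List[str]) -> List[Tuple[str, str]]:
    """Apply the rules to one module's keywords; return (rule, evidence) pairs."""
    text = " ".join(keywords)
    hits: List[Tuple[str, str]] = []
    m = re.search(r"\b\w+_(Layout|Initialize|Activate|Click|Change)\(\)", text)
    if m and "MSForms" in text:            # control event used as entry point
        hits.append(("event_autostart", m.group(0)))
    if "Application.OnTime" in text:       # deferred execution
        hits.append(("delayed_exec", "Application.OnTime"))
    if "SpecialCells(xlCellTypeConstants)" in text:   # payload kept in cells
        hits.append(("cell_harvest", "UsedRange.SpecialCells(xlCellTypeConstants)"))
    if "Chr(Asc(Mid(" in text:             # per-character string rebuild
        hits.append(("char_decode", "Chr(Asc(Mid("))
    full, prefixes = recombine(quoted_literals(keywords))
    hits += [("split_token", t) for t in full]
    hits += [("token_prefix", p) for p in prefixes]
    if "ActiveWorkbook.Close" in text:     # document closes itself
        hits.append(("self_close", "ActiveWorkbook.Close"))
    return hits


def triage_all(modules: Dict[str, List[str]] = MODULES) -> Dict[str, List[Tuple[str, str]]]:
    return {name: triage(kws) for name, kws in modules.items()}


def score(results: Dict[str, List[Tuple[str, str]]]) -> int:
    return sum(WEIGHTS[rule] for hits in results.values() for rule, _ in hits)


if __name__ == "__main__":
    res = triage_all()
    for mod, hits in res.items():
        print(mod, hits)
    print("score", score(res))
```

On the report's keywords the sheet module trips every rule except self_close, which fires only in Modulo1; the workbook module trips nothing. The pair join is what makes "=RE" and "TURN()" visible as =RETURN(), which a per-literal string match would miss.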
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 564 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 564 |
Entropy: | 5.25985243733 |
Base64 Encoded: | True |
Data ASCII: | one key=value pair per CRLF-terminated line, joined here with ";": ID="{0566E401-806F-4716-B647-E0B859A4D57D}"; Document=Questa_cartella_di_lavoro/&H00000000; Document=Foglio1/&H00000000; Module=Modulo1; Name="VBAProject"; HelpContextID="0"; VersionCompatible32="393222000"; CMG="D8DA6F9573957395739573"; DPB="B0B2076808680 (dump truncated in the report) |
Data Raw: | 49 44 3d 22 7b 30 35 36 36 45 34 30 31 2d 38 30 36 46 2d 34 37 31 36 2d 42 36 34 37 2d 45 30 42 38 35 39 41 34 44 35 37 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 6f 67 6c 69 6f 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d |
Stream Path: PROJECTwm, File Type: data, Stream Size: 128 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 128 |
Entropy: | 3.34420769179 |
Base64 Encoded: | False |
Data ASCII: | Questa_cartella_di_lavoro, Foglio1, Modulo1 (each module name stored twice: as a NUL-terminated ANSI string, then as UTF-16LE ending in 0x0000; the original dump shows the NUL bytes as ".") |
Data Raw: | 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 00 51 00 75 00 65 00 73 00 74 00 61 00 5f 00 63 00 61 00 72 00 74 00 65 00 6c 00 6c 00 61 00 5f 00 64 00 69 00 5f 00 6c 00 61 00 76 00 6f 00 72 00 6f 00 00 00 46 6f 67 6c 69 6f 31 00 46 00 6f 00 67 00 6c 00 69 00 6f 00 31 00 00 00 4d 6f 64 75 6c 6f 31 00 4d 00 6f 00 64 00 75 00 6c 00 6f 00 31 00 00 00 00 00 |
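The PROJECT and PROJECTwm dumps above are short enough to parse in full. The following Python is added here and is not part of the report: it rebuilds the PROJECTwm name table from the 128 bytes printed above (per MS-OVBA, each entry is an ANSI name, a NUL, the same name in UTF-16LE and a 0x0000 terminator, with a final 0x0000 ending the table), parses the PROJECT key=value text as far as the report reproduces it (the dump stops inside the DPB value, so the constant stops there too), and cross-checks that the module names declared in PROJECT agree with both columns of PROJECTwm. The function names are this example's own.

```python
"""Parse the VBA PROJECT and PROJECTwm streams (added example, not report code).

PROJECTWM_RAW is the PROJECTwm stream exactly as dumped in the report.
PROJECT_TEXT is the PROJECT stream text as printed there; the report's dump
stops inside the DPB value, so it stops there here as well.
"""
from typing import List, Tuple

PROJECTWM_RAW = bytes.fromhex(
    "51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 00"
    " 51 00 75 00 65 00 73 00 74 00 61 00 5f 00 63 00 61 00 72 00 74 00 65 00"
    " 6c 00 6c 00 61 00 5f 00 64 00 69 00 5f 00 6c 00 61 00 76 00 6f 00 72 00"
    " 6f 00 00 00 46 6f 67 6c 69 6f 31 00 46 00 6f 00 67 00 6c 00 69 00 6f 00"
    " 31 00 00 00 4d 6f 64 75 6c 6f 31 00 4d 00 6f 00 64 00 75 00 6c 00 6f 00"
    " 31 00 00 00 00 00"
)

PROJECT_TEXT = (
    'ID="{0566E401-806F-4716-B647-E0B859A4D57D}"\r\n'
    "Document=Questa_cartella_di_lavoro/&H00000000\r\n"
    "Document=Foglio1/&H00000000\r\n"
    "Module=Modulo1\r\n"
    'Name="VBAProject"\r\n'
    'HelpContextID="0"\r\n'
    'VersionCompatible32="393222000"\r\n'
    'CMG="D8DA6F9573957395739573"\r\n'
    'DPB="B0B2076808680'      # the report's dump ends here, mid-value
)

# PROJECT keys that declare a module (MS-OVBA 2.3.1); value is name[/&Hflags].
MODULE_KEYS = {"Document": "document module (.cls)",
               "Module": "standard module (.bas)",
               "Class": "class module (.cls)",
               "BaseClass": "designer/UserForm module (.frm)"}


def parse_projectwm(raw: bytes) -> List[Tuple[str, str]]:
    """PROJECTwm: repeated (ANSI name, NUL, UTF-16LE name, 0x0000), then 0x0000."""
    names: List[Tuple[str, str]] = []
    pos = 0
    while pos + 1 < len(raw) and raw[pos:pos + 2] != b"\x00\x00":
        end = raw.index(b"\x00", pos)            # end of the ANSI name
        ansi = raw[pos:end].decode("cp1252")
        pos = end + 1
        uend = pos                                # scan UTF-16LE code units
        while uend + 1 < len(raw) and raw[uend:uend + 2] != b"\x00\x00":
            uend += 2
        names.append((ansi, raw[pos:uend].decode("utf-16-le")))
        pos = uend + 2
    return names


def parse_project(text: str) -> dict:
    """PROJECT: CRLF-separated key=value lines; quotes are stripped from values."""
    modules: List[Tuple[str, str]] = []
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key in MODULE_KEYS:
            modules.append((value.split("/", 1)[0], key))   # drop "/&H..." flags
        else:
            props[key] = value.strip('"')
    return {"modules": modules, "properties": props}


def names_consistent(project: dict, wm: List[Tuple[str, str]]) -> bool:
    """Module names declared in PROJECT must equal both PROJECTwm name columns.
    A mismatch means one stream was edited after the project was saved."""
    declared = {name for name, _ in project["modules"]}
    return declared == {a for a, _ in wm} == {u for _, u in wm}


if __name__ == "__main__":
    wm = parse_projectwm(PROJECTWM_RAW)
    proj = parse_project(PROJECT_TEXT)
    for name, kind in proj["modules"]:
        print(f"{name}: {MODULE_KEYS[kind]}")
    print("name tables agree:", names_consistent(proj, wm))
```

The module kinds recovered from PROJECT (two Document entries, one Module) line up with the .cls and .bas file names the report assigns to Foglio1, Questa_cartella_di_lavoro and Modulo1, and the three names match the PROJECTwm table in both encodings.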
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3535 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 3535 |
Entropy: | 4.33045908783 |
Base64 Encoded: | False |
Data ASCII: | binary header, then UTF-16LE text: *\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7. (dump truncated in the report). This is the project's reference to the VBA runtime type library, resolved against the VBA7.1 folder that ships with Office 2013 and later, consistent with the Application Version 16.0300 recorded above. |
Data Raw: | cc 61 b2 00 00 03 00 ff 10 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: VBA/dir, File Type: data, Stream Size: 847 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | data |
Stream Size: | 847 |
Entropy: | 6.50704839241 |
Base64 Encoded: | True |
Data ASCII: | . K . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . H . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . - |
Data Raw: | 01 4b b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 48 c3 aa 61 01 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47 |
OLE File "/opt/package/joesandbox/database/analysis/344478/sample/Dridex-06-bc1b.xlsm" (second container: the storage of the embedded Microsoft Forms 2.0 Frame control, Forms.Frame.1, consistent with the pagoUno control declared in Foglio1; it holds no VBA) |
---|
Indicators and Summary: identical to the first container (Has Summary Info: False; Application Name: unknown; Encrypted Document: False; Create Time 2020-11-24T09:53:01Z; Last Saved Time 2020-11-24T11:16:24Z; Security: 0; Application Version: 16.0300), except:
Contains VBA Macros: | False |
Streams |
---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 112 |
---|
General | |
---|---|
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 112 |
Entropy: | 4.6011544911 |
Base64 Encoded: | False |
Data ASCII: | binary header whose CLSID bytes decode to {6E182020-F460-11CE-9BCD-00AA00608E01}, then the strings "Microsoft Forms 2.0 Frame", "Embedded Object" and "Forms.Frame.1" (non-printable bytes shown as "." in the original dump) |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 20 20 18 6e 60 f4 ce 11 9b cd 00 aa 00 60 8e 01 1a 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 72 61 6d 65 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0e 00 00 00 46 6f 72 6d 73 2e 46 72 61 6d 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: f, File Type: data, Stream Size: 54 |
---|
General | |
---|---|
Stream Path: | f |
File Type: | data |
Stream Size: | 54 |
Entropy: | 1.81172045559 |
Base64 Encoded: | False |
Data ASCII: | . . ( . . . . . . . . . . . . . . . . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 00 04 28 00 06 0c 06 08 0e 00 00 80 0e 00 00 80 03 00 00 00 0e 00 00 80 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: o, File Type: empty, Stream Size: 0 |
---|
General | |
---|---|
Stream Path: | o |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Data ASCII: | |
Data Raw: |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
(empty in this export)
Statistics |
---|
The CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior charts are interactive in the original report and are not reproduced here.
System Behavior |
---|
Three processes are detailed below (the Commandline fields were not preserved in this export). EXCEL.EXE opened the sample at 16:28:48; six seconds later DW20.EXE started (Microsoft Application Error Reporting, shipped with Office), followed at 16:28:55 by DWWIN.EXE (Windows Error Reporting). That chain is what an Office crash looks like, not a payload, and it fits the Timeout stop reason and the absence of network activity.
General |
---|
Start time: | 16:28:48 |
Start date: | 26/01/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fb90000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 16:28:54 |
Start date: | 26/01/2021 |
Path: | C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fe90000 |
File size: | 995024 bytes |
MD5 hash: | 45A078B2967E0797360A2D4434C41DB4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 16:28:55 |
Start date: | 26/01/2021 |
Path: | C:\Windows\System32\DWWIN.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffff0000 |
File size: | 152576 bytes |
MD5 hash: | 25247E3C4E7A7A73BAEEA6C0008952B1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Disassembly |
---|
Code Analysis |
---|