sample20210111-01.xlsm

Status: finished

Submission Time: 2021-01-11 18:25:09 +01:00

Malicious

Exploiter

Evader

E-Banking Trojan

Hidden Macro 4.0, Hidden Macro 4.0 Dridex

Comments

Details

Analysis ID:
338158
API (Web) ID:
578209
Analysis Started:

2021-01-11 18:27:00 +01:00
Analysis Finished:

2021-01-11 18:43:21 +01:00
MD5:
fa5350d4304c4c2ceafa435244b5a5fc
SHA1:
fc8a20962b8cf86568b1e85be02ee9c7b62d94b2
SHA256:
0104974a7bf43e2e31d25ae485f57c62efe89eaea2d3e520db8a76fa70dd956d
Technologies:

Engines
IOCs

Joe Sandbox

Download Report	Detection	Info
	malicious
Full Report Management Report IOC Report	malicious Score: 88	System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 Run Condition: Potential for more IOCs and behavior

Third Party Analysis Engines

Open Full Report

malicious

Score: 17/63

malicious

Score: 9/28

IPs

IP	Country	Detection
5.100.228.233	Netherlands
80.86.91.27	Germany
46.105.131.65	France
Click to see the 4 hidden entries
77.220.64.37	Italy
192.185.41.153	United States
74.220.219.210	United States
184.171.244.207	United States

Domains

Name	IP	Detection
osmosisecuador.com	192.185.41.153
bulksms.interweblimited.com	74.220.219.210
sistacweb.com	184.171.244.207

URLs

Name	Detection
https://77.220.64.37/F
https://77.220.64.37/H
https://outlook.office.com/
Click to see the 97 hidden entries
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://entitlement.diagnostics.office.com
https://77.220.64.37/W
https://clients.config.office.net/user/v1.0/android/policies
https://77.220.64.37/S
https://outlook.office365.com/api/v1.0/me/Activities
https://o365auditrealtimeingestion.manage.office.com
https://77.220.64.37/?
https://77.220.64.37/;
https://clients.config.office.net/user/v1.0/ios
https://77.220.64.37/O
https://77.220.64.37/B
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://77.220.64.37/3321935-2125563209-4053062332-1002
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
http://weather.service.msn.com/data.aspx
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
https://80.86.91.27:3308/raphy
https://80.86.91.27:3308/crosoft
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://graph.windows.net
https://5.100.228.233:3389/ES
https://5.100.228.233:3389/oft
https://5.100.228.233:3389/N
https://onedrive.live.com/embed?
https://staging.cortana.ai
https://visio.uservoice.com/forums/368202-visio-on-devices
https://5.100.228.233:3389/P
https://api.cortana.ai
https://5.100.228.233:3389/Z
https://5.100.228.233:3389/X
https://skyapi.live.net/Activity/
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
https://77.220.64.37/l
https://messaging.office.com/
https://web.microsoftstream.com/video/
https://devnull.onenote.com
https://graph.windows.net/
https://46.105.131.65:1512/la
https://77.220.64.37/53321935-2125563209-4053062332-1002
https://77.220.64.37/X
https://5.100.228.233:3389/ll
https://77.220.64.37/e
https://77.220.64.37/b
https://77.220.64.37/c
https://5.100.228.233:3389/la
https://storage.live.com/clientlogs/uploadlocation
https://80.86.91.27:3308/H
https://80.86.91.27:3308/3
https://80.86.91.27:3308/rX
https://80.86.91.27:3308//
https://80.86.91.27:3308/0
https://77.220.64.37/si3
https://5.100.228.233:3389/soft
https://5.100.228.233:3389/8
https://api.aadrm.com/
https://77.220.64.37/si(
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
https://46.105.131.65:1512/
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://77.220.64.37/si=
https://80.86.91.27:3308/D
https://lookup.onenote.com/lookup/geolocation/v1
https://rpsticket.partnerservices.getmicrosoftkey.com
https://5.100.228.233:3389/(
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://cdn.entity.
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://autodiscover-s.outlook.com/
https://77.220.64.37/105.131.65/pe
https://shell.suite.office.com:1443
https://80.86.91.27:3308/P
https://80.86.91.27:3308/(
https://api.powerbi.com/v1.0/myorg/groups
https://www.odwebp.svc.ms
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://80.86.91.27:3308/220.64.37
https://77.220.64.37/nd-point:
https://80.86.91.27/
https://wus2-000.pagecontentsync.
https://store.office.cn/addinstemplate
https://officeci.azurewebsites.net/api/
https://tasks.office.com
https://80.86.91.27:3308/-
https://res.getmicrosoftkey.com/api/redemptionevents
https://5.100.228.233:3389/
https://80.86.91.27:3308/rh
https://5.100.228.233:3389/D
https://5.100.228.233:3389/H
https://cr.office.com
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://api.microsoftstream.com/api/
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
https://80.86.91.27:3308//x
https://80.86.91.27:3308/8
https://77.220.64.37/.(
https://5.100.228.233:3389/0

Dropped files

Name	File Type	Hashes
C:\Users\user\Desktop\~$sample20210111-01.xlsm	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\dvnrlttv[1].zip	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\u8wa3gh[1].zip	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
Click to see the 16 hidden entries
C:\Users\user\AppData\Local\Temp\xnaitann.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\dunjzsby.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\mkmanoo.dll	HTML document, ASCII text	#
C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd	data	#
C:\Users\user\Desktop\CAF40000	data	#
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC	Little-endian UTF-16 Unicode text, with CR line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample20210111-01.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Mon Jan 11 16:34:44 2021, atime=Mon Jan 11 16:34:44 2021, length=52604, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Mon Jan 11 16:34:36 2021, atime=Mon Jan 11 16:34:36 2021, length=16384, window=hide	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 58936 bytes, 1 file	#
C:\Users\user\AppData\Local\Temp\AAD40000	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\bvw04lh5c[1].htm	HTML document, ASCII text	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A760AE4.png	PNG image data, 363 x 234, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\613468AF.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	#
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6EC7F2B2-66F2-402E-AC2F-EE48EA399479	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	#

sample20210111-01.xlsm

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

sample20210111-01.xlsm Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

sample20210111-01.xlsm