MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbe3b86357b4f4d072ae00d8373f2e553e5cc43008e1be2ade4fe463f956df35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemoteManipulator

Vendor detections: 8
Maldoc score: 10

SHA256 hash: cbe3b86357b4f4d072ae00d8373f2e553e5cc43008e1be2ade4fe463f956df35
SHA3-384 hash: a6f9e6a38d7654e682405bddaa97a4d875ea9d06cca086cb55b8d37aa9b9d942b21063c963f0d925481cacaef13b2149
SHA1 hash: fad65dbefbf531dfc9453a3f64fbacd8bf7ce42b
MD5 hash: 10412304bc0c7898646ff4b71aa7dcbe
humanhash: don-lemon-venus-georgia
File name: 8Yg9GQ3f92b7P6ss9q9INFORMATION.xlsm
Signature: RemoteManipulator
File size: 210'264 bytes
First seen: 2021-03-23 08:17:32 UTC
Last seen: Never
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 3072:LQjWVgJoodd/9kEHwzeCRRpFIEALWYKLj+3/C/19jxhy5HnyekcPB:LQj8odzz3LLKP+vC/PxhAnNB
TLSH: F224F24F7AEE4D48FBFF05B2475E9999078058C7CA44D52619E3126A313B33315BA88F
Reporter: abuse_ch
Tags: RemoteManipulator xlsm


abuse_ch:
RemoteManipulator C2: 195.2.76.196:5655

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
195.2.76.196:5655 | https://threatfox.abuse.ch/ioc/4580/

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 10
OLE vba

MalwareBazaar was able to extract and deobfuscate the following information from the VBA script(s) and OLE objects embedded in this file using olevba:

Type | Keyword | Description
Hex String | wsCu | 77734375
IOC | wmic.exe | Executable file name
Suspicious | create | May execute file or a system command through WMI
Suspicious | EXEC | May run an executable file or a system
Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious | Base64 Strings | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious | XLM macrosheet | XLM macrosheet found. It could contain malicious code

Intelligence


File Origin
# of uploads: 1
# of downloads: 125
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 8Yg9GQ3f92b7P6ss9q9INFORMATION.xlsm
Verdict: No threats detected
Analysis date: 2021-03-23 08:41:35 UTC
Tags: macros40

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
File type: application/vnd.ms-excel.sheet.macroEnabled.12
Has a screenshot: False
Contains macros: True

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a process with a hidden window
Sending an HTTP GET request
Sending a custom TCP request by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Result
Verdict: Suspicious
File Type: OOXML Office File

Payload URLs
URL | File name
https://www.monconcept-renovation.fr/wp-admin/network/msci.exe | sharedStrings.xml
Result
Verdict: MALICIOUS

Details
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Autostarting Excel Macro Sheet
Excel contains Macrosheet logic that will trigger automatically upon document open.
Anomalous Macrosheet Path
Microsoft Excel spreadsheet references a macrosheet with a non-standard path. A potentially evasive tactic.
Document With Minimal Content
Document contains less than 1 kilobyte of semantic information.
Result
Threat name: RMSRemoteAdmin Hidden Macro 4.0
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Contains functionality to create processes via WMI
Creates processes via WMI
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Drops PE files to the user root directory
Found abnormal large hidden Excel 4.0 Macro sheet
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Behavior Graph ID: 373819
Sample: 8Yg9GQ3f92b7P6ss9q9INFORMAT...
Startdate: 23/03/2021
Architecture: WINDOWS
Score: 100

Signatures on the sample:
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Document exploit detected (drops PE files)
- 10 other signatures

Process tree (as recorded in the behavior graph):
- EXCEL.EXE (started by the sample)
  - Network: www.monconcept-renovation.fr 92.222.139.156, 443, 49165 OVHFR France
  - Dropped: C:\Users\user\AppData\Local\...\msci[1].exe, PE32
  - Dropped: C:\Users\Public\pront.setting, PE32
  - Dropped: C:\...\~$8Yg9GQ3f92b7P6ss9q9INFORMATION.xlsm, data
  - Signature: Document exploit detected (creates forbidden files)
  - Signature: Document exploit detected (UrlDownloadToFile)
  - WMIC.exe (started)
    - Signature: Creates processes via WMI
- pront.setting (started by the sample)
  - Dropped: C:\Program Files\VirtPrinter\intsprs.exe, PE32
  - Dropped: C:\Users\user\AppData\Local\Temp\Log781.xml, XML
  - Dropped: C:\Users\user\AppData\Local\...\registry.dll, PE32
  - Dropped: 6 other files (none is malicious)
  - Signature: Multi AV Scanner detection for dropped file
  - Signature: Machine Learning detection for dropped file
  - cmd.exe (started)
    - Signature: Uses schtasks.exe or at.exe to add and modify task schedules
    - schtasks.exe (started)
    - schtasks.exe (started)
    - schtasks.exe (started)
  - intsprs.exe (started)
    - intsprs.exe (started)
      - Network: 195.2.76.196, 49168, 49169, 5655 VDSINA-ASRU Russian Federation
- taskeng.exe (started by the sample)
  - intsprs.exe (started)
Threat name: Document-Word.Downloader.SLoad
Status: Malicious
First seen: 2021-03-23 08:18:06 UTC
AV detection: 8 of 48 (16.67%)
Threat level: 3/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
Dropper Extraction: https://www.monconcept-renovation.fr/wp-admin/network/msci.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments