MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 13


Maldoc score: 9


Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash: 0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5
SHA3-384 hash: 4a9b89a7b4bb83157c399f7b6f50f6d97841074ef404accd26c21abf3158881e6267dab44a1c27b8e30ab0303f05c63b
SHA1 hash: 55c498cf7273cab567f49a00c15ca3316c001215
MD5 hash: 18499830201cddade8183b8e24fdf30a
humanhash: fillet-winter-spaghetti-freddie
File name:charge_12.01.2021.doc
Download: download sample
Signature IcedID
File size:34'322 bytes
First seen:2021-12-02 03:16:34 UTC
Last seen:2022-04-19 22:35:24 UTC
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 768:JouYXWQ6W02VWnZdw9822zARtrLfxl1Isq:mLmxfcWwkyNLfx4
TLSH T17FF2D068C181FC19C6637DBEE29122F1654CC222A009D50F2465BB8F87B37E756BB61F
Reporter @malware_traffic
Tags:BokBot doc IcedID macros Shathak TA551 word

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump
Sections: 11

The following OLE sections have been found using oledump:

Section IDSection sizeSection name
A1406 bytesPROJECT
A256 bytesPROJECTwm
A32131 bytesVBA/ThisDocument
A42864 bytesVBA/_VBA_PROJECT
A51667 bytesVBA/__SRP_0
A6232 bytesVBA/__SRP_1
A7799 bytesVBA/__SRP_2
A8314 bytesVBA/__SRP_3
A9552 bytesVBA/dir
A101148 bytesVBA/main
OLE vba
TypeKeywordDescription
AutoExecautoopenRuns when the Word document is opened
SuspiciousCreateObjectMay create an OLE object
SuspiciousStrReverseMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousexecMay run an executable file or a system
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
3
# of downloads :
331
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
charge_12.01.2021.doc
Verdict:
Malicious activity
Analysis date:
2021-12-01 14:37:28 UTC
Tags:
macros macros-on-open generated-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a window
–°reating synchronization primitives
Creating a file
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Word File with Macro
Alert level:
14%
Document image
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros macros-on-open mshta regsvr32
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Signature
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Office product drops script at suspicious location
Sigma detected: Register DLL with spoofed extension
Sigma detected: Regsvr32 Anomaly
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Regsvr32 Execution With Image Extension
Behaviour
Behavior Graph:
Threat name:
Document-Word.Trojan.Bazarloader
Status:
Malicious
First seen:
2021-12-02 03:17:10 UTC
File Type:
Document
Extracted files:
27
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:icedid campaign:1892568649 banker macro trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
IcedID, BokBot
Process spawned unexpected child process
Malware Config
C2 Extraction:
normyils.com

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments