MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Lazarus

Vendor detections: 10

Maldoc score: 15

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b
SHA3-384 hash:	ed4e08ef3d17bb2323e31fed347f0cdb2edd7fd4bd0bfa1db873722a1f2b2045d8c6dde3ee9adaed83d8558ce87ffb5f
SHA1 hash:	f38abb67d47a4f69536ae67aa9c6df7287c08869
MD5 hash:	3f326da2affb0f7f2a4c5c95ffc660cc
humanhash:	one-harry-oven-helium
File name:	Lockheed_Martin_JobOpportunities.docx
Download:	download sample
Signature	Lazarus Create hunting rule
File size:	2'375'680 bytes
First seen:	2022-01-28 09:46:17 UTC
Last seen:	2022-01-28 12:20:28 UTC
File type:	docx
MIME type:	application/msword
ssdeep	24576:uguUgXlNGKIZyltJSR3PlRiBwlvQn5tNXw9OSTwbB3UGIpVoR1sLAXI3TYF+PXyx:unUgQWtIBlR7vQN3dBMRUXIDkCy
TLSH	T1A6B55A1388854E53D47E8274AA1B0F9EBF5ABD04EFE6A7DF101525463EBC330CA4E169
Reporter	Jirehlov
Tags:	apt docx Lazarus

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 15

OLE dump

MalwareBazaar was able to identify 16 sections in this file using oledump:

Section ID	Section size	Section name
1	114 bytes	CompObj
2	280 bytes	DocumentSummaryInformation
3	416 bytes	SummaryInformation
4	7557 bytes	1Table
5	343998 bytes	Data
6	376 bytes	Macros/PROJECT
7	41 bytes	Macros/PROJECTwm
8	1989192 bytes	Macros/VBA/ThisDocument
9	4099 bytes	Macros/VBA/_VBA_PROJECT
10	515 bytes	Macros/VBA/dir
11	112 bytes	ObjectPool/_1649178531/CompObj
12	16 bytes	ObjectPool/_1649178531/OCXNAME
13	6 bytes	ObjectPool/_1649178531/ObjInfo
14	86 bytes	ObjectPool/_1649178531/f
15	0 bytes	ObjectPool/_1649178531/o
16	4096 bytes	WordDocument

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	Frame1_Layout	Runs when the file is opened and ActiveX objects trigger events
IOC	WMVCORE.DLL	Executable file name
String	gXeKdUDFz4q2pWCMKR3r	0NNS1Izcit4U3g3djBKcW1PSlcxWVNtZFRjZW5TQlJWa3
Suspicious	Open	May open a file
Suspicious	Lib	May run code from a DLL
Suspicious	VirtualProtect	May inject code into another process
Suspicious	.Variables	May use Word Document Variables to store and hide data
Suspicious	cHR	May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious	Hex Strings	Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious	Base64 Strings	Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin

# of uploads :

# of downloads :

1'288

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b.doc

Verdict:

No threats detected

Analysis date:

2022-01-18 21:18:36 UTC

Tags:

macros macros-on-open

Link:

https://app.any.run/tasks/5db235fb-01ef-4d7c-ba45-00981b00541c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

File type:

application/vnd.openxmlformats-officedocument.wordprocessingml.document

Has a screenshot:

False

Contains macros:

False

Detection(s):

TwinWave.EvilDoc.DOCXRSTRGOOD._IEX.210408B64.1.UNOFFICIAL

TwinWave.EvilDoc.DOCXRSTRGOOD.VBEMAGICEND.220125B64.6.UNOFFICIAL

TwinWave.EvilDoc.ProcessCreationLibShotInTheDark.2021018.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Result

Verdict:

Malicious

File Type:

Legacy Word File with Macro

Link:

https://app.docguard.net/0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b/results/dashboard

Payload URLs

URL

File name

https://lm-career.com/careeroppr.docx

ThisDocument

Document image

Image:

Download PNG

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm control.exe evasive exploit macros macros-on-open

Link:

https://www.filescan.io/uploads/61f3bb9e20a5f4d327d934a9/reports/39cd1e8d-f572-479a-9983-1f545bb1ba28/overview

Result

Threat name:

Unknown

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/922766

Signature

Benign windows process drops PE files

Creates a thread in another existing process (thread injection)

DLL side loading technique detected

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Windows Update Client LOLBIN

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

emotet

Link:

https://mwdb.cert.pl/sample/0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b/

Threat name:

Document-Office.Trojan.Heuristic

Status:

Malicious

First seen:

2022-01-24 05:25:59 UTC

File Type:

Document

Extracted files:

AV detection:

20 of 43 (46.51%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bua3et3wm343ztypc3vjpza6bpbg6tcjzx5xutnlzqfess2e5snq._file

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/220128-lr74esbdb3/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.10

Link:

https://yomi.yoroi.company/submissions/0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample