MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bf28e7bb5cf75e005c6a8f647b7cd0a6a5b5e1455a8a902a81aef774aac27e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Maldoc score: 10


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bf28e7bb5cf75e005c6a8f647b7cd0a6a5b5e1455a8a902a81aef774aac27e6
SHA3-384 hash: 16604b0a54392aa448fe456300aa6626528314015a851fa10debb8f1881d71ab0c37957cfe32ed11ebcf94d53763bd14
SHA1 hash: 0f2115d35c8ac8640016670bef080f85c7bbaa89
MD5 hash: 265bf3f895cfcecc94de530dbf7b2bc5
humanhash: whiskey-oxygen-crazy-august
File name:1bf28e7bb5cf75e005c6a8f647b7cd0a6a5b5e1455a8a902a81aef774aac27e6
Download: download sample
File size:863'744 bytes
First seen:2021-08-18 00:21:48 UTC
Last seen:2021-08-18 01:07:15 UTC
File type:Excel file xlsx
MIME type:application/vnd.ms-excel
ssdeep 6144:3cKoSsxzNDZL2Qiw+4AfHf/vVyizkKpbdrHYrMue8q7QPXNPOwS8+VGq862amnf6:0D1CqyEwoROdzS/PJnnLvx6
TLSH T16305E69BE753C52AD57BD2B21CD9CE911376EC44CB834B473984BE29AE3A9A04F010F5
Reporter Anonymous
Tags:xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 10
Application name is Microsoft Excel
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 17 sections in this file using oledump:

Section IDSection sizeSection name
1103 bytesCompObj
2360 bytesDocumentSummaryInformation
3324 bytesSummaryInformation
4835421 bytesWorkbook
5683 bytes_VBA_PROJECT_CUR/PROJECT
6116 bytes_VBA_PROJECT_CUR/PROJECTwm
797 bytes_VBA_PROJECT_CUR/UserForm1/CompObj
8301 bytes_VBA_PROJECT_CUR/UserForm1/VBFrame
9175 bytes_VBA_PROJECT_CUR/UserForm1/f
10132 bytes_VBA_PROJECT_CUR/UserForm1/o
112509 bytes_VBA_PROJECT_CUR/VBA/Module1
12989 bytes_VBA_PROJECT_CUR/VBA/Sewr
131181 bytes_VBA_PROJECT_CUR/VBA/UserForm1
143923 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
15881 bytes_VBA_PROJECT_CUR/VBA/dir
16990 bytes_VBA_PROJECT_CUR/VBA/1
173084 bytes_VBA_PROJECT_CUR/VBA/
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecauto_openRuns when the Excel Workbook is opened
AutoExecauto_closeRuns when the Excel Workbook is closed
IOCDertyht.dllExecutable file name
IOCm1.dllExecutable file name
SuspiciousRunMay run an executable file or a system command
SuspiciousEXECMay run an executable file or a system
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180169/
Detection(s):
SecuriteInfo.com.Exploit.Siggen3.19858.4492.13550.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Creating a file
Launching the default Windows debugger (dwwin.exe)
Connection attempt by exploiting the app vulnerability
Sending a custom TCP request by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/1bf28e7bb5cf75e005c6a8f647b7cd0a6a5b5e1455a8a902a81aef774aac27e6/results/dashboard
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1bf28e7bb5cf75e005c6a8f647b7cd0a6a5b5e1455a8a902a81aef774aac27e6
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834791
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Document contains an embedded VBA macro which may execute processes
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: BlueMashroom DLL Load
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Sigma detected: Regsvr32 Command Line Without DLL
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467222 Sample: Q53P6nWsc2 Startdate: 18/08/2021 Architecture: WINDOWS Score: 100 71 Multi AV Scanner detection for dropped file 2->71 73 Document exploit detected (drops PE files) 2->73 75 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->75 77 8 other signatures 2->77 12 EXCEL.EXE 193 35 2->12         started        17 regsvr32.exe 2->17         started        19 regsvr32.exe 2->19         started        process3 dnsIp4 65 exascale.ca 69.90.161.130, 443, 49165 COGECO-PEER1CA Canada 12->65 59 C:\Users\user\Dertyht.dll, PE32+ 12->59 dropped 61 C:\Users\user\AppData\Local\...\m1[1].dll, PE32+ 12->61 dropped 93 Document exploit detected (creates forbidden files) 12->93 95 Document exploit detected (UrlDownloadToFile) 12->95 21 regsvr32.exe 12->21         started        file5 signatures6 process7 process8 23 cmd.exe 21->23         started        dnsIp9 63 127.0.0.1 unknown unknown 23->63 87 Uses ping.exe to sleep 23->87 89 Uses cmd line tools excessively to alter registry or file data 23->89 91 Uses ping.exe to check the status of other devices and networks 23->91 27 regsvr32.exe 2 23->27         started        30 PING.EXE 23->30         started        signatures10 process11 file12 57 C:\Users\user\AppData\Local\...\herfjlw.exe, PE32+ 27->57 dropped 32 cmd.exe 27->32         started        35 cmd.exe 27->35         started        37 cmd.exe 27->37         started        process13 signatures14 67 Uses ping.exe to sleep 32->67 39 regsvr32.exe 32->39         started        42 PING.EXE 32->42         started        69 Uses cmd line tools excessively to alter registry or file data 35->69 44 reg.exe 1 35->44         started        process15 signatures16 79 Writes to foreign memory regions 39->79 81 Modifies the context of a thread in another process (thread injection) 39->81 83 Injects a PE file into a foreign processes 39->83 46 cmd.exe 39->46         started        49 cmd.exe 39->49         started        51 chrome.exe 39->51         started        85 Creates an autostart registry key pointing to binary in C:\Windows 44->85 process17 signatures18 97 Uses cmd line tools excessively to alter registry or file data 46->97 53 reg.exe 46->53         started        55 reg.exe 49->55         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1bf28e7bb5cf75e005c6a8f647b7cd0a6a5b5e1455a8a902a81aef774aac27e6/
Threat name:
Script.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 21:34:32 UTC
AV detection:
1 of 46 (2.17%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210818-q7ndmxnaan/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Loads dropped DLL
Downloads MZ/PE file
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://exascale.ca/m1.dll
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1bf28e7bb5cf75e005c6a8f647b7cd0a6a5b5e1455a8a902a81aef774aac27e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180169/

Comments