MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c7c61a2c3c460d9cdf1fa23ff8a430c3c7b7382cf7428fc1609a23a00a7b74d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SVCReady


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c7c61a2c3c460d9cdf1fa23ff8a430c3c7b7382cf7428fc1609a23a00a7b74d
SHA3-384 hash: 70a37802ce696d997b62e4df0342e247a79b30386b7294a81a4cf728312317eb1938f95c895eca4624727a032d8468c5
SHA1 hash: c10f6f68dc8c7f97f2d6d0f0bcc2ba2841154367
MD5 hash: 7f8bad3a49308350483185654be00ae0
humanhash: butter-three-tango-ten
File name:masia.file.08.06.doc
Download: download sample
Signature SVCReady
Create hunting rule
File size:1'986'591 bytes
First seen:2022-06-09 20:23:22 UTC
Last seen:Never
File type:Word file doc
MIME type:application/zip
ssdeep 49152:39mP9meeCjPKVgjfCALeiJeT3bJ1R6DhTVZ+PvIETR9Ye:NgPKOj6A6iJs3N1R2ZAvIve
TLSH T146953334E10509EFF389C2F27B2013B41499DB8EF6A318423AF5186E604735ED9D9B9B
TrID 51.0% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
38.0% (.ZIP) Open Packaging Conventions container (17500/1/4)
8.6% (.ZIP) ZIP compressed archive (4000/1)
2.1% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter AndreGironda
Tags:doc SVCReady

Intelligence

File Origin
# of uploads :
1
# of downloads :
485
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilDoc.ICEDAllTheWayOutWord.20220412.UNOFFICIAL
Create hunting rule

TwinWave.IceOnThFringeSoDarnFrosty.20220322.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Legacy Office File
Link:
https://app.docguard.net/1c7c61a2c3c460d9cdf1fa23ff8a430c3c7b7382cf7428fc1609a23a00a7b74d/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive macros macros-on-open obfuscated reflection wacatac
Link:
https://www.filescan.io/uploads/62a256c3634447acba66a57f/reports/d3b2b492-050f-462a-bc0f-0c194e2dd8f0/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1c7c61a2c3c460d9cdf1fa23ff8a430c3c7b7382cf7428fc1609a23a00a7b74d
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with DLL Reference
Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwised exposed via Visual Basic for Applications (VBA).
Result
Threat name:
ReflectiveLoader, SVCReady
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1011316
Signature
Antivirus detection for URL or domain
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process drops PE file
Snort IDS alert for network traffic
Submitted sample is a known malware sample
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected ReflectiveLoader
Yara detected SVCReady Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c7c61a2c3c460d9cdf1fa23ff8a430c3c7b7382cf7428fc1609a23a00a7b74d/
Threat name:
Win32.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2022-06-09 05:39:52 UTC
File Type:
Document
Extracted files:
24
AV detection:
8 of 26 (30.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dr6gdiwdyrqnttpr7ir77csdbq6hw44cz52cr7awbgrduafhw5gq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220609-y6pa3sgbg7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1c7c61a2c3c4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c7c61a2c3c460d9cdf1fa23ff8a430c3c7b7382cf7428fc1609a23a00a7b74d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SVCReady

Word file doc 1c7c61a2c3c460d9cdf1fa23ff8a430c3c7b7382cf7428fc1609a23a00a7b74d

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments