MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 14


Maldoc score: 4


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857
SHA3-384 hash: 7dd498f50ff780461b5e2aa1d945550ee592225ac2350d10a3002b0acf9860f1af7ee976c2de6cdac3f14cd8a45e8588
SHA1 hash: 3ff5126831d735d05288b541e3bfcd60a75cba1c
MD5 hash: 256d0da4bcd96d9016aae187faa7abc5
humanhash: single-speaker-football-bulldog
File name:Quotation.xls
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:451'584 bytes
First seen:2024-07-16 07:39:18 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 12288:nTi7oLDHaQZ9Dpr6iiqtoRIGw2jqd0nm9wr:lay9DpWet2Ygaw
TLSH T1FDA42288BB9AC703DD0B42BA46D546935424FE552FC3D617F084BB1DC8BAF639901BAC
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter cocaman
Tags:cve-2017-0199 QUOTATION xls


Avatar
cocaman
Malicious email (T1566.001)
From: "retail@goldentools.ae" (likely spoofed)
Received: "from unassigned.quadranet.com (unknown [155.94.210.14]) "
Date: "16 Jul 2024 00:03:13 -0700"
Subject: "Request For Quotation"
Attachment: "Quotation.xls"

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 4
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2244 bytesDocumentSummaryInformation
3200 bytesSummaryInformation
499 bytesMBD0004669C/CompObj
557063 bytesMBD0004669C/Package
6650 bytesMBD0004669D/Ole
7376803 bytesWorkbook
8531 bytes_VBA_PROJECT_CUR/PROJECT
9104 bytes_VBA_PROJECT_CUR/PROJECTwm
10977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
11977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
12977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
13985 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
142644 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
15553 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
402
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857.xls
Verdict:
Malicious activity
Analysis date:
2024-07-16 09:09:50 UTC
Tags:
phishing phishing-xls
Link:
https://app.any.run/tasks/465e1b3c-f281-4247-a40f-c743bd367f82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Detection(s):
TwinWave.EvilDoc.93TilInfinity.20240412.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.IMG.Phish.20422.21836.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669623d4cadc6250d0556894win7simulatehigh_evasion
Tags:
Office Stealth W97m
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Sending an HTTP GET request
Сreating synchronization primitives
Connection attempt by exploiting the app vulnerability
Sending a custom TCP request by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857/results/dashboard
Payload URLs
URL
File name
http://bom.so/4yoxhH
Embedded Ole
Behaviour
SuspiciousRTF detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
macros
Link:
https://www.filescan.io/uploads/669623d8f921a99b93551d38/reports/9ba85a90-50c5-4261-ae56-3f362abb1ee8/overview
Verdict:
Malicious
Labled as:
CVE-2017-0199
Link:
https://www.hybrid-analysis.com/sample/1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857
Gathering data
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857
Details
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1474077
Signature
AI detected suspicious Excel or Word document
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious MSHTA Child Process
Snort IDS alert for network traffic
Suspicious command line found
Suspicious powershell command line found
Yara detected obfuscated html page
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1474077 Sample: Quotation.xls Startdate: 16/07/2024 Architecture: WINDOWS Score: 100 98 Snort IDS alert for network traffic 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 Yara detected obfuscated html page 2->102 104 8 other signatures 2->104 10 EXCEL.EXE 57 31 2->10         started        process3 dnsIp4 84 107.173.143.46, 49163, 49165, 49166 AS-COLOCROSSINGUS United States 10->84 86 bom.so 104.21.34.183, 443, 49161, 49162 CLOUDFLARENETUS United States 10->86 80 C:\Users\user\Desktop\Quotation.xls (copy), Composite 10->80 dropped 82 C:\Users\user\AppData\Local\...\gdfvr[1].hta, HTML 10->82 dropped 114 Microsoft Office drops suspicious files 10->114 15 mshta.exe 10 10->15         started        19 mshta.exe 10 10->19         started        file5 signatures6 process7 dnsIp8 88 172.67.163.184, 443, 49164 CLOUDFLARENETUS United States 15->88 90 bom.so 15->90 94 Suspicious command line found 15->94 96 PowerShell case anomaly found 15->96 21 cmd.exe 15->21         started        92 bom.so 19->92 24 cmd.exe 19->24         started        signatures9 process10 signatures11 106 Suspicious powershell command line found 21->106 108 PowerShell case anomaly found 21->108 26 powershell.exe 24 21->26         started        30 powershell.exe 24->30         started        process12 file13 74 C:\Users\user\AppData\Roaming\igccu.exe, PE32 26->74 dropped 76 C:\Users\user\AppData\Local\...\csrss[1].exe, PE32 26->76 dropped 78 C:\Users\user\AppData\...\cnz3340y.cmdline, Unicode 26->78 dropped 110 Installs new ROOT certificates 26->110 112 Powershell drops PE file 26->112 32 igccu.exe 2 26->32         started        35 csc.exe 2 26->35         started        37 igccu.exe 30->37         started        39 csc.exe 2 30->39         started        signatures14 process15 file16 50 C:\Users\user\AppData\Local\...\igccu.tmp, PE32 32->50 dropped 41 igccu.tmp 27 21 32->41         started        52 C:\Users\user\AppData\Local\...\cnz3340y.dll, PE32 35->52 dropped 44 cvtres.exe 35->44         started        54 C:\Users\user\AppData\Local\...\igccu.tmp, PE32 37->54 dropped 46 igccu.tmp 37->46         started        56 C:\Users\user\AppData\Local\...\jcs2kce4.dll, PE32 39->56 dropped 48 cvtres.exe 39->48         started        process17 file18 58 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 41->58 dropped 60 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 41->60 dropped 62 C:\...\unins000.exe (copy), PE32 41->62 dropped 72 3 other files (none is malicious) 41->72 dropped 64 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 46->64 dropped 66 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 46->66 dropped 68 C:\Program Files (x86)\DuckDNS\is-QVHJE.tmp, PE32 46->68 dropped 70 C:\Program Files (x86)\DuckDNS\is-BA3FJ.tmp, PE32 46->70 dropped
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857/
Threat name:
Document-PDF.Exploit.CVE-2017-0199
Create hunting rule
Status:
Malicious
First seen:
2024-07-16 05:03:42 UTC
File Type:
Document
Extracted files:
40
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dthsinlhjznhotf3mpyro7z243czfthrkk5vbgdmxahgu5wcjblq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
phishing
Link:
https://tria.ge/reports/240716-jhjclavalb/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Detected phishing page
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Process spawned unexpected child process
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f42109cd-8b67-45da-818c-5b45c2a7e78e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:office_document_vba
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Office document with embedded VBA
Reference:https://github.com/jipegit/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

CobaltStrike

Excel file xls 1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857

(this sample)

CobaltStrike

HTML Application (hta) hta 36ec708af0e23aa5e6cfa50dbb4327cad9c5bf25740ab5b38c7a89cf2d6617b8

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 36ec708af0e23aa5e6cfa50dbb4327cad9c5bf25740ab5b38c7a89cf2d6617b8
  
Dropping
MD5 d38821792f768551b015a982c0ddd1d5

Comments