MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2915591ef479332f179e26a3f6e4a63c35049569f5ca42d067f64dbdae681df9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SilentBuilder


Vendor detections: 10


Maldoc score: 5


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2915591ef479332f179e26a3f6e4a63c35049569f5ca42d067f64dbdae681df9
SHA3-384 hash: d426639129d6c43ec7427ad9dec201d861807cf2b88015014940ffcfdbe67d809ebace21a5b158fe74ab24ef859a3bdf
SHA1 hash: e91c0e7f7cfe1034fe1a3d861334fdb34f2bb691
MD5 hash: 15950554dbc4a843ef439b46d31fe341
humanhash: vegan-mars-hydrogen-fifteen
File name:waff.xls
Download: download sample
Signature SilentBuilder
Create hunting rule
File size:239'104 bytes
First seen:2021-09-27 11:58:24 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 6144:9Kpb8rGYrMPe3q7Q0XV5xtuEsi8/dgC93WPcZZRRrq1RObTwvOkPDklgvS3+nQ79:B93tDrmcbTwvzD63fLvfP1GO3
TLSH T14F34E14AF175C449DE5A4B7B4CDB0F9B5272EC238F6E0287B686B5616DB0CF81A0314B
Reporter ankit_anubhav
Tags:SilentBuilder SQUIRRELWAFFLE xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 5
OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
14096 bytesDocumentSummaryInformation
24096 bytesSummaryInformation
3227542 bytesWorkbook
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAuto_OpenRuns when the Excel Workbook is opened
SuspiciousFORMULA.FILLMay modify Excel 4 Macro formulas at runtime
SuspiciousXLM macroXLM macro found. It may contain malicious code

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
waff.xls
Verdict:
Malicious activity
Analysis date:
2021-09-27 11:59:02 UTC
Tags:
macros
Link:
https://app.any.run/tasks/22f94c5e-6c05-4728-890c-824edea69ca0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192056/
Detection(s):
Sanesecurity.Badmacro.Xls.credriv.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXSTRGOOD.AOEX4.BITSNEEDEDFOR.URLDOWNLOADTOFILE.200415.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXSTRGOOD.AOEX4.BITSNEEDEDFOR.SHELLEXECUTE.200416.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXSTRGOOD.AOEX4.BITSNEEDEDFOR.SHELLEXECUTE.200524.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.Excel4DragoTrainingMontage.20210204.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.XL4MStringFractures.20210921.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Legacy Excel File
Link:
https://app.docguard.net/2915591ef479332f179e26a3f6e4a63c35049569f5ca42d067f64dbdae681df9/results/dashboard
Payload URLs
URL
File name
maxdigitizing.com
WorkBook
Document image
Image:
Download PNG
Document image
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/2915591ef479332f179e26a3f6e4a63c35049569f5ca42d067f64dbdae681df9
Details
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Autostarting Excel Macro Sheet
Excel contains Macrosheet logic that will trigger automatically upon document open.
Result
Threat name:
CobaltStrike Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858927
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Schedule system process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected CobaltStrike
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491358 Sample: waff.xls Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 12 other signatures 2->73 9 EXCEL.EXE 58 27 2->9         started        14 regsvr32.exe 2->14         started        16 regsvr32.exe 2->16         started        process3 dnsIp4 61 turnipshop.com 31.131.26.197, 443, 49168 VPS-UA-ASUA Ukraine 9->61 63 maxdigitizing.com 192.185.143.195, 443, 49167 UNIFIEDLAYER-AS-1US United States 9->63 65 dynamiclifts.co.in 204.11.59.34, 443, 49169 PUBLIC-DOMAIN-REGISTRYUS United States 9->65 49 C:\Users\user\AppData\Local\...\pp[1].htm, PE32 9->49 dropped 51 C:\Users\user\AppData\Local\...\pp[1].htm, PE32 9->51 dropped 53 C:\Datop\test1.test, PE32 9->53 dropped 85 Document exploit detected (UrlDownloadToFile) 9->85 18 regsvr32.exe 9->18         started        20 regsvr32.exe 9->20         started        22 regsvr32.exe 9->22         started        24 regsvr32.exe 14->24         started        27 regsvr32.exe 16->27         started        file5 signatures6 process7 signatures8 29 regsvr32.exe 18->29         started        32 regsvr32.exe 9 20->32         started        79 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->79 81 Injects code into the Windows Explorer (explorer.exe) 24->81 83 Maps a DLL or memory area into another process 24->83 35 explorer.exe 8 1 24->35         started        process9 dnsIp10 87 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->87 89 Injects code into the Windows Explorer (explorer.exe) 29->89 91 Maps a DLL or memory area into another process 29->91 38 explorer.exe 8 1 29->38         started        55 sjgrand.lk 162.214.157.176, 49170, 49171, 49172 UNIFIEDLAYER-AS-1US United States 32->55 57 tuxsecuritybiness.com 23.82.140.206, 443, 49227, 49229 LEASEWEB-USA-MIA-11US United States 32->57 59 erogholding.com 173.231.245.32, 49275, 49278, 49280 INMOTI-1US United States 32->59 93 System process connects to network (likely due to code injection or exploit) 32->93 47 C:\Datop\test2.test, PE32 35->47 dropped 95 Uses cmd line tools excessively to alter registry or file data 35->95 41 reg.exe 1 35->41         started        43 reg.exe 1 35->43         started        file11 signatures12 process13 signatures14 75 Uses cmd line tools excessively to alter registry or file data 38->75 77 Uses schtasks.exe or at.exe to add and modify task schedules 38->77 45 schtasks.exe 38->45         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2915591ef479332f179e26a3f6e4a63c35049569f5ca42d067f64dbdae681df9/
Threat name:
Document-Office.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 12:09:44 UTC
AV detection:
6 of 45 (13.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fekvshxupezs6f46e2r7nzfghq2qjflj6xfefudh6zg33ltidx4q._file
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:tr campaign:1632730751 banker stealer trojan
Link:
https://tria.ge/reports/210927-n5qseaggaq/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Loads dropped DLL
Process spawned unexpected child process
Qakbot/Qbot
Malware Config
C2 Extraction:
95.77.223.148:443
47.22.148.6:443
89.101.97.139:443
27.223.92.142:995
120.151.47.189:443
136.232.34.70:443
120.150.218.241:995
185.250.148.74:443
181.118.183.94:443
140.82.49.12:443
67.165.206.193:993
103.148.120.144:443
71.74.12.34:443
76.25.142.196:443
73.151.236.31:443
173.21.10.71:2222
75.188.35.168:443
2.178.88.145:61202
71.80.168.245:443
45.46.53.140:2222
109.12.111.14:443
105.198.236.99:443
73.77.87.137:443
41.248.239.221:995
182.176.112.182:443
96.37.113.36:993
75.66.88.33:443
162.244.227.34:443
24.229.150.54:995
216.201.162.158:443
92.59.35.196:2222
196.218.227.241:995
24.139.72.117:443
68.207.102.78:443
72.252.201.69:443
2.188.27.77:443
177.130.82.197:2222
68.204.7.158:443
189.210.115.207:443
181.163.96.53:443
24.55.112.61:443
75.107.26.196:465
185.250.148.74:2222
68.186.192.69:443
24.152.219.253:995
50.29.166.232:995
Dropper Extraction:
https://maxdigitizing.com/wAbCNMUm/pp.html
https://turnipshop.com/ihiRzoi1/pp.html
https://dynamiclifts.co.in/1PWQQcv0D/pp.html
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2915591ef479/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2915591ef479332f179e26a3f6e4a63c35049569f5ca42d067f64dbdae681df9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Excel_Hidden_Macro_Sheet
Create hunting rule
Rule name:Excel_Hidden_Macro_Sheet
Create hunting rule
Rule name:SUSP_Excel4Macro_AutoOpen
Create hunting rule
Author:John Lambert @JohnLaTwC
Description:Detects Excel4 macro use with auto open / close

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/192056/

Comments


Avatar
Ankit Anubhav commented on 2021-09-27 12:58:20 UTC

https://twitter.com/ankit_anubhav/status/1442468748279967748