MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c8a068bc96c9727dafccc9a2af90cf532725207c4f2d9decec2cc5b9edfe047. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	4c8a068bc96c9727dafccc9a2af90cf532725207c4f2d9decec2cc5b9edfe047
SHA3-384 hash:	092db7f4e5e26e60d605a9c0dd0864af61d5403b422dfa9233e44319d70cc5f05152fb662395d1fa5db8eacea13777a0
SHA1 hash:	58b42dd801370681c97f160014075cddd2c7145a
MD5 hash:	ebd9aa3b7015e383231e1c52f95198b5
humanhash:	hot-harry-ceiling-louisiana
File name:	B64_Xll-B64Decoded.xll
Download:	download sample
File size:	27'371'176 bytes
First seen:	2022-06-06 16:08:24 UTC
Last seen:	Never
File type:	xll
MIME type:	application/x-dosexec
imphash	da7f8acb6151c95be088a02465d68ef8 (2 x CobaltStrike, 2 x Vidar, 1 x Hive)
ssdeep	98304:jvtmjrFnY2AP/0Lt49JOdITVO6PpVwphaS+ZlUq4T6:hm5Y240LC8IlRohaS+ZWBT6
Threatray	58 similar samples on MalwareBazaar
TLSH	T18E57AB8AB4B5BBE4CC5157790D4124DCDD34240E25A9B2BB87E457102BA1FE87FA3FA0
gimphash	10936b66225fec3be4b3a255f1935c494890e054b2a5bde8ce8bf967c19284bd
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	Ledtech3
Tags:	signed xll

Code Signing Certificate

Organisation:	www.cisco.com
Issuer:	HydrantID Server CA O1
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-11-16T21:34:15Z
Valid to:	2022-11-16T21:34:14Z
Serial number:	40017d2aac0028e28d8437f5ee1f966b
Thumbprint Algorithm:	SHA256
Thumbprint:	4224bc6442d757a5982be4b807e333d895e779776ff8dbe93a1beb457ad53714
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Ledtech3

Base64 Encoded extracted from downloaded JS file.

Intelligence

File Origin

# of uploads :

# of downloads :

361

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

B64_Xll-B64Decoded.xll

Verdict:

No threats detected

Analysis date:

2022-06-06 16:46:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a45bd86d-5ace-437a-93c2-3f89ba45792d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/4c8a068bc96c9727dafccc9a2af90cf532725207c4f2d9decec2cc5b9edfe047/results/dashboard

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug overlay packed rozena

Link:

https://www.filescan.io/uploads/629e26df60f7fd6a8acde636/reports/7e027fdd-1f3a-4480-afe4-72412a20bd16/overview

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

clean

Classification:

n/a

Score:

3 / 100

Link:

https://www.joesandbox.com/analysis/1007503

Behaviour

Behavior Graph:

n/a

Gathering data

Threat name:

Win64.Malware.Generic

Status:

Suspicious

First seen:

2022-06-06 16:09:45 UTC

File Type:

PE+ (Dll)

AV detection:

4 of 26 (15.38%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jsfanc6jnslspwx4zsncv6im6uzheuqhytzntxwoylgfxhw74bdq._file

Verdict:

suspicious

1ae58396525d6ffc72b14719d1d5aeac7bd2168f5a726aa038fb1d15b3c1bad3

1ddbe4b8bd2199ba2b52ddae006365a191e380b52196ad950018f53db5ea5c0c

7e5aa4a818a657cfaef1c32940f410925435a04ddb5612dbe6bdd68262c696fb

a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850

b5938c03650e60c155fcd791580459cabb77d515f3d4e97afab7e3175c3b6e9e

cd3c72abed935a7b83c5dc1cdb1383922e42ab145b2cf0206d5f0d1aa6382f37

+ 48 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220606-tlsesaheh5/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Loads dropped DLL

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/4c8a068bc96c9727dafccc9a2af90cf532725207c4f2d9decec2cc5b9edfe047

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	susp_msoffice_addins_wxll Create hunting rule
Author:	SBousseaden
Description:	hunt for suspicious MS Office Addins with code injection capabilities
Reference:	https://twitter.com/JohnLaTwC/status/1315287078855352326

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample