MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53dcc6b98d2356c9a5f68b314edb8b819b99cec4ef2f6db0cfba72fb86a55d25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53dcc6b98d2356c9a5f68b314edb8b819b99cec4ef2f6db0cfba72fb86a55d25
SHA3-384 hash: 142bfdf21aa4c23aa5ddec034fe8e4551afb3caa0c8c608b8b0f6abb0f262e689d0db40de115d576db9aa6f69a92aa05
SHA1 hash: 7061c673466d29ee92fa9b71b3479a0572152740
MD5 hash: 942a6f8fe49e0bf3cec399c7e39600b7
humanhash: september-lamp-beryllium-oregon
File name:SecuriteInfo.com.Heur.8975.27400
Download: download sample
File size:69'120 bytes
First seen:2021-04-07 05:48:15 UTC
Last seen:Never
File type:PowerPoint file ppt
MIME type:application/vnd.ms-powerpoint
ssdeep 384:LFmrKkwCHJFAytiegfTMa1Wwd1C9B5Ef:MwCTtirfTMaYw29fE
TLSH B763F71CF67AD38BC2140A3D4B87A1E626283C159E8A72F631C537FFDD36645B92E211
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW LEMA PO 652872-21.ppt
Verdict:
No threats detected
Analysis date:
2021-04-06 17:13:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3cf1405b-86a6-4cb5-ba4a-d0791e626513

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Heur.8975.27400.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
Malicious
File Type:
Legacy PowerPoint File with Macro
Link:
https://app.docguard.net/53dcc6b98d2356c9a5f68b314edb8b819b99cec4ef2f6db0cfba72fb86a55d25/results/dashboard
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/53dcc6b98d2356c9a5f68b314edb8b819b99cec4ef2f6db0cfba72fb86a55d25
Details
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/667853
Signature
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 382857 Sample: NEW LEMA PO 652872-21.ppt Startdate: 06/04/2021 Architecture: WINDOWS Score: 100 55 www.blogger.com 2->55 57 resources.blogblog.com 2->57 59 5 other IPs or domains 2->59 79 Multi AV Scanner detection for submitted file 2->79 81 Yara detected Powershell download and execute 2->81 83 Sigma detected: Powershell execute code from registry 2->83 85 4 other signatures 2->85 10 cmd.exe 1 2->10         started        12 taskeng.exe 1 2->12         started        14 mshta.exe 2->14         started        16 7 other processes 2->16 signatures3 process4 dnsIp5 19 POWERPNT.EXE 10 12 10->19         started        21 mshta.exe 10 12->21         started        23 powershell.exe 14->23         started        49 ia801503.us.archive.org 207.241.228.153, 443, 49181, 49187 INTERNET-ARCHIVEUS United States 16->49 51 www.blogger.com 16->51 53 9 other IPs or domains 16->53 26 powershell.exe 16->26         started        process6 dnsIp7 28 mshta.exe 11 30 19->28         started        32 mshta.exe 21->32         started        61 ia801503.us.archive.org 23->61 process8 dnsIp9 63 j.mp 67.199.248.17, 49167, 80 GOOGLE-PRIVATE-CLOUDUS United States 28->63 65 blogspot.l.googleusercontent.com 172.217.23.33, 443, 49168, 49182 GOOGLEUS United States 28->65 73 3 other IPs or domains 28->73 87 Creates autostart registry keys with suspicious values (likely registry only malware) 28->87 89 Creates multiple autostart registry keys 28->89 91 Creates an autostart registry key pointing to binary in C:\Windows 28->91 93 3 other signatures 28->93 34 powershell.exe 6 28->34         started        36 taskkill.exe 28->36         started        38 taskkill.exe 28->38         started        40 schtasks.exe 28->40         started        67 www.blogger.com 32->67 69 resources.blogblog.com 32->69 71 getyournewblog.blogspot.com 32->71 42 powershell.exe 32->42         started        signatures10 process11 process12 44 mshta.exe 16 34->44         started        47 mshta.exe 42->47         started        dnsIp13 75 onedriveupdate.net 104.21.68.120, 443, 49180, 49206 CLOUDFLARENETUS United States 44->75 77 172.67.195.85, 443, 49194 CLOUDFLARENETUS United States 47->77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53dcc6b98d2356c9a5f68b314edb8b819b99cec4ef2f6db0cfba72fb86a55d25/
Threat name:
Script.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 21:22:03 UTC
AV detection:
5 of 48 (10.42%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro macro_on_action xlm
Link:
https://tria.ge/reports/210407-z2142ny5hn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53dcc6b98d2356c9a5f68b314edb8b819b99cec4ef2f6db0cfba72fb86a55d25

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments