MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72ddcbe3b2e8d2dba87b8bb2a925f50209610f3e74876cd82234c35c6f6eb217. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 72ddcbe3b2e8d2dba87b8bb2a925f50209610f3e74876cd82234c35c6f6eb217
SHA3-384 hash: 39b8e0a231f4d95fed0773eed043f02dd655d4b9ace4637ff1b77a494b4bda49f170830bb363c452c0cd28f36bce4faf
SHA1 hash: 597dfd397c613689df8de58a25db1293b38d342b
MD5 hash: 648c7283545b0b428dfcfa6956dc0d50
humanhash: steak-monkey-california-crazy
File name: DOGLAA84299.xll
File size: 4'096 bytes
First seen: 2022-11-25 17:02:00 UTC
Last seen: Never
File type: Excel file xll (an Excel add-in, which is a native PE DLL; see the MIME type and the sandbox file type below)
MIME type: application/x-dosexec
imphash: a674f498593ea2acfaf14ccfdaff1d87
ssdeep: 48:ZvtVKzn8Zn/mVTAZVWdxdYlDDxVHW/G+OUQtBLZec:Z1S8ZpnCxdCUkWc
Threatray: 3 similar samples on MalwareBazaar
TLSH: T10A81616B37C1D1F1C5F8C2350A96A32AD8B43715CB22D92006F0096E2C6FB2152ADFA6
TrID: 45.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.2% (.EXE) OS/2 Executable (generic) (2029/13)
      18.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.0% (.EXE) DOS Executable Generic (2000/1)
      0.2% (.VXD) VXD Driver (29/21)
Reporter: abuse_ch
Tags: xll

Intelligence

File Origin
# of uploads: 1
# of downloads: 100
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: DOGLAA84299.xll
Verdict: No threats detected
Analysis date: 2022-11-25 17:03:33 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malicious
File Type: Office Add-Ins - Suspicious
Behaviour: BlacklistAPI detected

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature:
  .NET source code contains potential unpacker
  Antivirus / Scanner detection for submitted sample
  Machine Learning detection for dropped file
  Multi AV Scanner detection for submitted file
  System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph ID: 753975, sample DOGLAA84299.xll, start date 25/11/2022, architecture WINDOWS, score 72. The process tree and indicators recovered from the graph:
  loaddll64.exe (the sandbox's DLL loader; signatures: Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, .NET source code contains potential unpacker, Machine Learning detection for dropped file)
    rundll32.exe
      connects to cdn.discordapp.com (162.159.134.233:443, CLOUDFLARENETUS, United States)
      drops C:\Users\user\...\Testfile27777777777.exe (PE32)
      drops C:\Users\user\AppData\Local\...\cry[1].exe (PE32)
      signature: System process connects to network (likely due to code injection or exploit)
      Testfile27777777777.exe (signature: Machine Learning detection for dropped file)
        WerFault.exe
    cmd.exe
      rundll32.exe
        connects to 162.159.130.233:443 (CLOUDFLARENETUS, United States) and cdn.discordapp.com
        drops C:\Users\user\AppData\Local\...\cry[2].exe (PE32)
        signature: System process connects to network (likely due to code injection or exploit)
    rundll32.exe
      Testfile27777777777.exe
        WerFault.exe
    conhost.exe
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-11-25 08:10:20 UTC
File Type: PE+ (Dll)
AV detection: 21 of 26 (80.77%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
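The behaviour graph and the vendor behaviour lists above describe one chain: rundll32.exe reaches cdn.discordapp.com, writes PE files into the user's profile, and the dropped Testfile27777777777.exe is then executed ("Loads dropped DLL", "Executes dropped EXE"). The following is an added detection example, not MalwareBazaar's or any sandbox vendor's code. It replays constructed Sysmon-style events (Event ID 1 process creation, 3 network connection, 11 file creation) shaped like that chain and correlates them per process. Timestamps, PIDs and the exact drop directories are made up; the host, the two IP addresses and the file names come from the graph. A browser saving an image from the same CDN is included as a benign control that must not alert.

```python
"""Correlating the dropper chain shown in the behaviour graph above.

Added example, not MalwareBazaar's or any sandbox vendor's code. Events are
constructed Sysmon-style records: id 1 = process creation, id 3 = network
connection, id 11 = file creation. PIDs, timestamps and drop directories are
made up; host, IPs and file names are taken from the graph.
"""
import json
from collections import defaultdict

DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}
DISCORD_CDN_IPS = {"162.159.134.233", "162.159.130.233"}   # both seen in the graph
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")

# Constructed log lines (JSON, one event per line). Raw string: the JSON
# escape "\\" decodes to a single backslash in the Windows paths.
CONSTRUCTED_EVENTS = r"""
{"ts": 1, "id": 1, "pid": 100, "ppid": 1, "image": "C:\\Windows\\System32\\loaddll64.exe"}
{"ts": 2, "id": 1, "pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\rundll32.exe"}
{"ts": 3, "id": 3, "pid": 200, "image": "C:\\Windows\\System32\\rundll32.exe", "dest_host": "cdn.discordapp.com", "dest_ip": "162.159.134.233", "dest_port": 443}
{"ts": 4, "id": 11, "pid": 200, "image": "C:\\Windows\\System32\\rundll32.exe", "target": "C:\\Users\\user\\AppData\\Local\\Temp\\cry[1].exe"}
{"ts": 5, "id": 11, "pid": 200, "image": "C:\\Windows\\System32\\rundll32.exe", "target": "C:\\Users\\user\\Desktop\\Testfile27777777777.exe"}
{"ts": 6, "id": 1, "pid": 300, "ppid": 200, "image": "C:\\Users\\user\\Desktop\\Testfile27777777777.exe"}
{"ts": 7, "id": 3, "pid": 400, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_host": "cdn.discordapp.com", "dest_ip": "162.159.130.233", "dest_port": 443}
{"ts": 8, "id": 11, "pid": 400, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "target": "C:\\Users\\user\\Downloads\\photo.png"}
"""


def load_events(text: str) -> list:
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_discord_cdn(ev: dict) -> bool:
    """Match on the hostname or, if DNS was not logged, on the known IPs."""
    return ev.get("dest_host") in DISCORD_CDN_HOSTS or ev.get("dest_ip") in DISCORD_CDN_IPS


def correlate(events: list) -> list:
    """One alert per executable written by a process after its first Discord
    CDN connection. 'executed' is True when a later process creation uses
    that path as its image (the sandbox's 'Executes dropped EXE')."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    # First launch time of every image path, for the "was it run" check.
    launched = {}
    for ev in events:
        if ev["id"] == 1:
            launched.setdefault(ev["image"].lower(), ev["ts"])

    alerts = []
    for pid, evs in by_pid.items():
        first_cdn = next((e["ts"] for e in evs if e["id"] == 3 and is_discord_cdn(e)), None)
        if first_cdn is None:
            continue                      # never talked to the CDN
        for e in evs:
            if e["id"] != 11 or e["ts"] <= first_cdn:
                continue                  # only files written after the download
            if not e["target"].lower().endswith(EXECUTABLE_SUFFIXES):
                continue                  # the browser saving photo.png stops here
            run_ts = launched.get(e["target"].lower())
            alerts.append({
                "pid": pid,
                "downloader": e["image"],
                "dropped": e["target"],
                "executed": run_ts is not None and run_ts > e["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events(CONSTRUCTED_EVENTS)):
        print(alert)
```

Run against the constructed events, correlate() returns two alerts for PID 200 (the rundll32.exe that reached the CDN): cry[1].exe was written but never launched, Testfile27777777777.exe was written and then launched, which matches the graph's WerFault.exe crash of that child. Firefox produces no alert because the file it wrote is not an executable. Keying on the process that made the connection, rather than on any rundll32.exe, is what keeps the browser control from firing; in production the IP set should be treated as a hint only, since those are shared Cloudflare addresses.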

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author: ditekSHen
Description: Detects executables containing a Discord URL observed in first-stage droppers

Rule name: SUSP_Discord_Attachments_URL
Author: SECUINFRA Falcon Team
Description: Detects a PE file that contains a Discord Attachments URL. This is often used by malware to download further payloads

Rule name: SUSP_PE_Discord_Attachment_Oct21_1
Author: Florian Roth
Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference: Internal Research
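Two facts on this page are worth checking mechanically before the sample ever runs: the "Excel file" is a PE DLL (MIME type application/x-dosexec, sandbox file type PE+ (Dll)), and all three YARA rules above fire on a PE that embeds a cdn.discordapp.com/attachments/ URL. The following is an added triage example, not MalwareBazaar's code and not any of the rule authors' code. It parses the DOS/COFF headers to classify the file, then scans for the attachment URL in ASCII and in UTF-16LE (YARA's "wide"), and only raises the URL flag on a PE, as the rules do. Because the real sample is not reproduced here, the bytes it triages are a constructed, header-only stand-in; the attachment path in the constructed URL is made up, only the host/path prefix is real.

```python
"""Static triage for a file that claims to be an Excel add-in (.xll).

Added example, not MalwareBazaar's code and not the YARA rule authors' code.
The PE bytes built below are a constructed, header-only stand-in for
DOGLAA84299.xll, not the real sample.
"""
import re
import struct

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000             # IMAGE_FILE_CHARACTERISTICS: image is a DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

URL_MARKER = b"cdn.discordapp.com/attachments/"


def _wide(s: bytes) -> bytes:
    """ASCII -> UTF-16LE, i.e. what YARA's 'wide' modifier searches for."""
    return s.decode("ascii").encode("utf-16-le")


# Optional scheme, the marker, then the rest of the URL up to the first
# non-printable byte (ASCII) or non-printable code unit (wide).
ASCII_RE = re.compile(rb"(?:https?://)?" + re.escape(URL_MARKER) + rb"[\x21-\x7e]+")
WIDE_RE = re.compile(
    rb"(?:" + re.escape(_wide(b"https://")) + rb"|" + re.escape(_wide(b"http://")) + rb")?"
    + re.escape(_wide(URL_MARKER)) + rb"(?:[\x21-\x7e]\x00)+"
)


def find_discord_urls(data: bytes) -> list:
    """Every Discord attachment URL embedded in data, ASCII hits first, then wide."""
    urls = [m.group(0).decode("ascii") for m in ASCII_RE.finditer(data)]
    urls += [m.group(0).decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return urls


def parse_pe(data: bytes) -> dict:
    """Read the DOS header, COFF header and optional-header magic; is_pe=False if absent."""
    info = {"is_pe": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, nsections, _ts, _symtab, _nsyms, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = 0
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    info.update(is_pe=True, machine=MACHINE_NAMES.get(machine, hex(machine)),
                is_dll=bool(flags & IMAGE_FILE_DLL), is_pe32plus=(magic == PE32PLUS_MAGIC),
                sections=nsections)
    return info


def triage(filename: str, data: bytes) -> dict:
    """Combine the header facts and the URL scan into a list of flags."""
    pe = parse_pe(data)
    urls = find_discord_urls(data)
    flags = []
    if filename.lower().endswith(".xll") and pe["is_pe"]:
        # Excel loads an .xll as a DLL and calls its xlAutoOpen export when the
        # add-in opens, so "Excel file" here means native code, not a workbook.
        flags.append("xll-is-native-dll")
    if pe["is_pe"] and urls:
        # The three public rules all require the MZ header, so a text file
        # holding the same URL is not flagged by them (or here).
        flags.append("pe-with-discord-attachment-url")
    return {"pe": pe, "discord_urls": urls, "flags": flags}


def build_fake_pe(is_dll: bool, pe32plus: bool, payload: bytes) -> bytes:
    """Constructed header-only PE (not loadable) so the demo runs offline."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    flags = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)            # EXECUTABLE_IMAGE [+ DLL]
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x014C, 1, 0, 0, 0, 2, flags)
    opt = struct.pack("<H", PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    return dos + b"PE\0\0" + coff + opt + payload


# Constructed stand-in for DOGLAA84299.xll: an x64 DLL carrying a wide-string
# URL. The attachment path is made up; only the host/path prefix is real.
SAMPLE_URL = b"https://cdn.discordapp.com/attachments/111/222/cry.exe"
SAMPLE = build_fake_pe(True, True, b"\0" * 16 + _wide(SAMPLE_URL) + b"\0\0")

if __name__ == "__main__":
    print(triage("DOGLAA84299.xll", SAMPLE))
```

On the constructed sample triage() reports an x86-64 PE32+ DLL, recovers the wide-string URL and sets both flags. Feeding the same URL in a plain text file sets neither, which is exactly the blind spot of MZ-gated rules: a script or document that carries the URL needs a different rule.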
