MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b0fe4be193ac9b74556bed23fc7640bd499ebca996b64daa131c4d8490263e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: 7b0fe4be193ac9b74556bed23fc7640bd499ebca996b64daa131c4d8490263e5
SHA3-384 hash: 232e1f7b12469cbdc2e5e51afb0df92bb0483012377d861c4799e4d47f28c7274de7900a8f40f21ec7603c9f6ee12343
SHA1 hash: e8b3cdaf1d8cfa45853818ff6e242ba89015c1ff
MD5 hash: f5f65078d3c1ef2872e9ffd2de21853b
humanhash: kitten-uranus-cardinal-failed
File name: final po PP-11164.ppt
File size: 65'024 bytes
First seen: 2021-04-06 13:36:15 UTC
Last seen: 2021-04-07 04:03:09 UTC
File type: PowerPoint file ppt
MIME type: application/vnd.ms-powerpoint
ssdeep: 384:QPVq+9YFfwbEU9wh9Q0UmYMCxuh0j+HTWJclFo39D:QcZfC0YMCqJKJcjo
TLSH: 315393187698D215E0260F338ED6E7F63339BC146F8A433B3264332F6D776919A25B54
Reporter: lowmal3

Intelligence

File Origin
# of uploads: 3
# of downloads: 180
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e8b3cdaf1d8cfa45853818ff6e242ba89015c1ff
Verdict: No threats detected
Analysis date: 2021-04-06 12:39:19 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour: Creating a window

Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro

Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signatures:
Command shell drops VBS files
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with base64 encoded strings
Document exploit detected (process start blacklist hit)
Potential malicious VBS script found (has network functionality)
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Behaviour
Behavior Graph ID: 382729
Sample: final po PP-11164.ppt
Startdate: 06/04/2021
Architecture: WINDOWS
Score: 100

Process tree, network contacts and signature hits, laid out from the graph text (indentation shows which process started which):

Sample start
  Network: www.blogger.com; startthepartyup.blogspot.com; 4 other IPs or domains
  Signatures: Yara detected Powershell download and execute; Sigma detected: Powershell execute code from registry; Sigma detected: Schedule script from internet via mshta; 4 other signatures
  Started: cmd.exe; taskeng.exe; mshta.exe; 9 other processes
  cmd.exe
    Started: POWERPNT.EXE
    POWERPNT.EXE
      Started: mshta.exe
      mshta.exe
        Network: j.mp 67.199.248.16, 49167, 80 GOOGLE-PRIVATE-CLOUDUS United States; blogspot.l.googleusercontent.com 172.217.23.33, 443, 49168, 49177 GOOGLEUS United States; 3 other IPs or domains
        Signatures: Very long command line found; Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; 4 other signatures
        Started: cmd.exe; schtasks.exe
        cmd.exe
          Dropped: C:\Users\Public\SiggiaW.vbs, ASCII
          Signatures: Potential malicious VBS script found (has network functionality); Command shell drops VBS files
          Started: wscript.exe
          wscript.exe
            Network: ia801408.us.archive.org 207.241.228.148, 443, 49185 INTERNET-ARCHIVEUS United States; archive.org
            Signatures: System process connects to network (likely due to code injection or exploit)
  taskeng.exe
    Started: mshta.exe
    mshta.exe
      Started: mshta.exe
      mshta.exe
        Network: www.blogger.com; resources.blogblog.com; randikhanaekminar.blogspot.com
  mshta.exe
    Started: powershell.exe
    powershell.exe
      Network: ia801409.us.archive.org
  9 other processes
    Network: ia801409.us.archive.org 207.241.228.149, 443, 49176, 49189 INTERNET-ARCHIVEUS United States; www.blogger.com; 15 other IPs or domains
    Started: powershell.exe
    powershell.exe
      Network: ia801409.us.archive.org
Threat name: Document-Office.Trojan.Valyria
Status: Malicious
First seen: 2021-04-06 11:08:08 UTC
AV detection: 13 of 29 (44.83%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: macro macro_on_action xlm
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
PowerPoint file ppt 7b0fe4be193ac9b74556bed23fc7640bd499ebca996b64daa131c4d8490263e5 (this sample)

Delivery method: Distributed via e-mail attachment