MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81476a0591455602ec96e76fd76d781dc2da872e3c1909b58bda58a1851f6099. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81476a0591455602ec96e76fd76d781dc2da872e3c1909b58bda58a1851f6099
SHA3-384 hash: 06919289971f4ab3c4860eb00e1ca7cac7656e7c6f8e8809dea0e8b558852dde97d5da32e9ae5b48b07cf02967e08514
SHA1 hash: d4d2892015db4b04389878029bb66afad3689943
MD5 hash: 32dc61a7d76ad688864a3f873c454b2e
humanhash: cold-crazy-cola-snake
File name:#4725162.doc
Download: download sample
File size:3'344'617 bytes
First seen:2020-10-29 06:23:52 UTC
Last seen:Never
File type:Word file doc
MIME type:text/rtf
ssdeep 24576:t/2/2/2/2/2/2/2/2/2/2/2/2/2/2/2/2/2/2/2/2/2/2/2/2/pxg:t++++++++++++++++++++++++E
TLSH C1F502F163013BD3D2624F42E41BA51CAB63E1B6DAD064CCF29AE3F517BF8419A16532
Reporter cocaman
Tags:CVE-2017-11882 doc

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.FakeRTF-2.UNOFFICIAL
Create hunting rule

MiscreantPunch.RTF.2017-0199.Obfus.170830.UNOFFICIAL
Create hunting rule

MiscreantPunch.RTF.2017-0199.Obfus.171711.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.RTFFakeVersionWithObjUpdateUKSurfMix.20200514.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.EQPentaverateTheKernelWithHisWeeBeadyEyes.20200616.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Sending a custom TCP request by exploiting the app vulnerability
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/515795
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Connects to a URL shortener service
Contains functionality to hide a thread from the debugger
Drops PE files to the user root directory
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Suspicious Program Location Process Starts
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 307006 Sample: #4725162.doc Startdate: 29/10/2020 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Antivirus detection for dropped file 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 14 other signatures 2->50 7 EQNEDT32.EXE 18 2->7         started        12 WINWORD.EXE 291 26 2->12         started        process3 dnsIp4 34 teknik.io 5.79.72.163, 443, 49168, 49171 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 7->34 36 bit.ly 67.199.248.11, 49167, 80 GOOGLE-PRIVATE-CLOUDUS United States 7->36 38 2 other IPs or domains 7->38 24 C:\Users\user\AppData\Local\...\Pog3P[1].txt, PE32 7->24 dropped 26 C:\Users\Public\908.exe, PE32 7->26 dropped 60 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->60 14 908.exe 12 7->14         started        file5 signatures6 process7 dnsIp8 40 www.google.it 172.217.21.67 GOOGLEUS United States 14->40 42 hastebin.com 104.24.127.89, 443, 49172 CLOUDFLARENETUS United States 14->42 62 Antivirus detection for dropped file 14->62 64 Multi AV Scanner detection for dropped file 14->64 66 Machine Learning detection for dropped file 14->66 68 3 other signatures 14->68 18 908.exe 12 14->18         started        22 timeout.exe 14->22         started        signatures9 process10 dnsIp11 28 93.114.128.107, 49174, 49175, 80 ANL-UKANSONNETWORKLIMITEDGB Romania 18->28 30 elb097307-934924932.us-east-1.elb.amazonaws.com 50.19.98.74, 49173, 80 AMAZON-AESUS United States 18->30 32 2 other IPs or domains 18->32 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->52 54 Tries to steal Instant Messenger accounts or passwords 18->54 56 Tries to harvest and steal browser information (history, passwords, etc) 18->56 58 Tries to harvest and steal Bitcoin Wallet information 18->58 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81476a0591455602ec96e76fd76d781dc2da872e3c1909b58bda58a1851f6099/
Threat name:
Document-Office.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 16:00:54 UTC
File Type:
Document
Extracted files:
24
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/201029-srq6v2fe6s/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Launches Equation Editor
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Executes dropped EXE
ServiceHost packer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 26e2294ae5f9a40530ee748e30bcab51f64675604c06234ff9d0ab5bd0ea5e4d

Word file doc 81476a0591455602ec96e76fd76d781dc2da872e3c1909b58bda58a1851f6099

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 26e2294ae5f9a40530ee748e30bcab51f64675604c06234ff9d0ab5bd0ea5e4d

Comments