MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84ceb797473ad98c67911806e95126fbe51d1ad8b6f50ba979de91dd3c5e0ce0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9


Maldoc score: 9



SHA256 hash: 84ceb797473ad98c67911806e95126fbe51d1ad8b6f50ba979de91dd3c5e0ce0
SHA3-384 hash: 8a2ed9c463e8190be9ee243b4581d4c3a2dee9fb8b8ea1bf32b9042fdaf0da01b58967edcb7600aa984317c1f35e4914
SHA1 hash: b4b1775e69b5e52e94501edd7e4f0abb9a2e004e
MD5 hash: bac7ad841deccfdadc7be00d6b1dbdd9
humanhash: fanta-mississippi-tennessee-ink
File name: Template_signed_0405.dotm
File size: 485'292 bytes
First seen: 2024-05-04 21:49:47 UTC
Last seen: Never
File type: Word file doc
MIME type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep: 12288:HpsDIlxgiXabRpzELEzQr0+tEgu0hLxZSMWG:6DIlxgiKdeLSQPXu0PrWG
TLSH: T19EA4DF62D3608833F4614278386A1653106A2DFB74BDEC0808C3799F57ABFFA6EB5D15
TrID:
  53.0% (.DOCM) Word Microsoft Office Open XML Format document (with Macro) (52000/1/9)
  23.9% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
  17.8% (.ZIP) Open Packaging Conventions container (17500/1/4)
  4.0% (.ZIP) ZIP compressed archive (4000/1)
  1.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: smica83
Tags: 185.213.208.245 doc UKR

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 11 sections in this file using oledump:

Section ID   Section size   Section name
A1           424 bytes      PROJECT
A2           71 bytes       PROJECTwm
A3           4700 bytes     VBA/NewMacros
A4           1247 bytes     VBA/ThisDocument
A5           4158 bytes     VBA/_VBA_PROJECT
A6           2132 bytes     VBA/__SRP_0
A7           122 bytes      VBA/__SRP_1
A8           691 bytes      VBA/__SRP_2
A9           156 bytes      VBA/__SRP_3
A10          529 bytes      VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) from OLE objects embedded in this file using olevba, and obtained the following information:

Type         Keyword            Description
AutoExec     AutoClose          Runs when the Word document is closed
IOC          185.213.208.245    IPv4 address
IOC          forfiles.exe       Executable file name
IOC          notepad.exe        Executable file name
IOC          start.bat          Executable file name
Suspicious   Create             May execute file or a system command through WMI
Suspicious   GetObject          May get an OLE object with a running instance
Suspicious   Windows            May enumerate application windows (if combined with Shell.Application object)
Suspicious   Hex Strings        Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 1
# of downloads: 2'601
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 84ceb797473ad98c67911806e95126fbe51d1ad8b6f50ba979de91dd3c5e0ce0.doc
Verdict: Suspicious activity
Analysis date: 2024-05-04 21:52:34 UTC
Tags: macros macros-on-close

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Creating synchronization primitives
Launching a process
Connection attempt
Sending a custom TCP request
Running batch commands
Creating a file
Creating a process with a hidden window
Forced system process termination
Possible injection to a system process
Forced shutdown of a system process
Unauthorized injection to a recently created process
Launching a tool to kill processes
Launching a process by exploiting the app vulnerability
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Result
Verdict: Malicious
File Type: Word File with Macro
Behaviour
BlacklistAPI detected
Document image
Gathering data
Result
Threat name: n/a
Detection: malicious
Classification: spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates processes via WMI
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Opens network shares
Queries memory information (via WMI often done to detect virtual machines)
Sigma detected: MMC Spawning Windows Shell
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Program Names
Behaviour
Behavior Graph:
Behavior Graph ID: 1436378
Sample: Template_signed_0405.dotm.doc
Start date: 04/05/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 10 other signatures
Process tree (signatures attached to each process in parentheses):
WINWORD.EXE
  dropped file: C:\Users\user\...\~DFE529C72B450A4812.TMP (Composite)
  forfiles.exe (Opens network shares)
    cmd.exe (Bypasses PowerShell execution policy; Opens network shares)
      powershell.exe (Installs new ROOT certificates; Opens network shares)
        mmc.exe
          cmd.exe (Opens network shares)
            app.exe (Queries memory information (via WMI often done to detect virtual machines))
          powershell.exe
            taskkill.exe
          powershell.exe
Threat name: Win32.Trojan.Valyria
Status: Malicious
First seen: 2024-05-04 19:15:51 UTC
File Type: Document
Extracted files: 28
AV detection: 10 of 24 (41.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: execution macro
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Drops file in System32 directory
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: office_document_vba
Author: Jean-Philippe Teissier / @Jipe_
Description: Office document with embedded VBA
Reference: https://github.com/jipegit/

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



Szabolcs Schmidt commented on 2024-05-04 22:49:11 UTC

185.213.20(.)245:445