MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52
SHA3-384 hash: e78ca1668fd28dea84af7c8698d13ed4330412673d29ca6d6d78ae211c60ad38c40dad0261a2d9e3266d249e6525dd70
SHA1 hash: 53b31e513d8e23e30b7f133d4504ca7429f0e1fe
MD5 hash: 1d2094ce85d66878ee079185e2761beb
humanhash: shade-california-fanta-stairway
File name:A Letter before court 4.docx
Download: download sample
File size:24'177 bytes
First seen:2021-09-02 03:52:32 UTC
Last seen:Never
File type:Word file docx
MIME type:application/octet-stream
ssdeep 384:Q6UDg00MWEg9fPCPyH111/elBqhveoNHfn5yAehqbhtgyhdCxi556BjsbIwRu:QcMWE04uebyvNv5yHcttg6dwc5YQb5Q
TLSH T1CAB2AFB4C2296469C60F79B1C13B2B8AF3DC479A73142D893B095346722B7836B71E5A
Reporter JAMESWT_WT
Tags:CVE 2021 40444 CVE-2021-40444 docx hidusi_com

Intelligence

File Origin
# of uploads :
1
# of downloads :
2'168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
A Letter before court 4.docx
Verdict:
No threats detected
Analysis date:
2021-09-02 00:55:58 UTC
Tags:
opendir
Link:
https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.wordprocessingml.document
Has a screenshot:
False
Contains macros:
False
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Deleting a recently created file
Searching for the window
Creating a file in the %temp% directory
Launching a process
Replacing files
Changing a file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Connection attempt by exploiting the app vulnerability
Sending an HTTP GET request
Unauthorized injection to a recently created process by asynchronous procedure call
Launching a process by exploiting the app vulnerability
Creating a process from a recently created file
Deleting of the original file
Result
Verdict:
Clean
File Type:
OOXML Word File
Link:
https://app.docguard.net/938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52/results/dashboard
Document image
Image:
Download PNG
Document image
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/843759
Signature
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Multi AV Scanner detection for dropped file
Office process drops PE file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 476188 Sample: A Letter before court 4.docx Startdate: 02/09/2021 Architecture: WINDOWS Score: 72 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 Document exploit detected (drops PE files) 2->61 63 2 other signatures 2->63 8 WINWORD.EXE 77 77 2->8         started        process3 dnsIp4 53 hidusi.com 23.106.160.25, 49706, 49707, 49708 LEASEWEB-USA-SFO-12US United States 8->53 51 C:\Users\user\AppData\...\championship.inf, PE32+ 8->51 dropped 12 control.exe 1 8->12         started        15 control.exe 1 8->15         started        17 control.exe 1 8->17         started        19 11 other processes 8->19 file5 process6 dnsIp7 55 192.168.2.1 unknown unknown 12->55 21 rundll32.exe 12->21         started        23 rundll32.exe 15->23         started        25 rundll32.exe 17->25         started        27 rundll32.exe 19->27         started        29 rundll32.exe 19->29         started        31 rundll32.exe 19->31         started        33 5 other processes 19->33 process8 process9 35 rundll32.exe 21->35         started        37 rundll32.exe 23->37         started        39 rundll32.exe 25->39         started        41 rundll32.exe 27->41         started        43 rundll32.exe 29->43         started        45 rundll32.exe 31->45         started        47 rundll32.exe 33->47         started        49 rundll32.exe 33->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52/
Threat name:
Document-Office.Downloader.Donoff
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 03:53:07 UTC
File Type:
Document
Extracted files:
13
AV detection:
2 of 45 (4.44%)
Threat level:
  3/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210902-bxsb9tfk9x/
Behaviour
Checks processor information in registry
Enumerates system info in registry
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/ShadowChasing1/status/1433252128106029061?s=20

Comments