MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f381cb9a41c723dddeca49ce454e720d3d211968eeef082073cfc531ae361f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SilentBuilder


Vendor detections: 10


Maldoc score: 5


Intelligence 10 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f381cb9a41c723dddeca49ce454e720d3d211968eeef082073cfc531ae361f4
SHA3-384 hash: add5d4bc6c82c16fcff67c8992e041643dcd344a39a581641405f53c860515c7d992451877bd5e45eb04aa73002eb986
SHA1 hash: a1966aa5ee7c4ad9a0733f01ea63eeef2b0ebbe0
MD5 hash: 130739f48418b6bd08537bb8afe3b80e
humanhash: william-low-mountain-wisconsin
File name:PO.xls
Download: download sample
Signature SilentBuilder
Create hunting rule
File size:274'432 bytes
First seen:2021-02-17 09:02:46 UTC
Last seen:2021-02-17 10:55:43 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 6144:Zk3hbdlylKsgqopeJBWhZFVE+W2NdAbU/RRbM4oSEIb2yaNekMiYgUiyJTQJQgyW:rSloSFaNeMUrT3gy
TLSH F64412A77457DE46C71113700CB216192253FCAAEF639A17E34EF3996AF2A9CC50720B
Reporter abuse_ch
Tags:SilentBuilder xls


Avatar
abuse_ch
Malspam distributing SilentBuilder:

HELO: hosted-by.rootlayer.net
Sending IP: 45.137.22.52
From: SSGC LPG (Pvt.) Ltd<Suleman.lpg@hotmail.com>
Reply-To: Suleman.lpg@hotmail.com
Subject: RE: RFQ Request
Attachment: RFQ.zip (contains "PO.xls")

Palyoad URL:
http://consommateur.qc.ca/fileS.exe

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 5
Application name is Microsoft Excel
Office document is in OLE format
OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
1288 bytesDocumentSummaryInformation
2224 bytesSummaryInformation
3268963 bytesWorkbook
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAuto_OpenRuns when the Excel Workbook is opened
SuspiciousEXECMay run an executable file or a system
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117533/
Detection(s):
TwinWave.EvilDoc.SUPExcel4MacroVines.201109.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.NEW-OBJECT.201125.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.NEW-OBJECT.201208.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.Excel4HTTPSpliceNaughtyByNatureNotCauseIHateYa.20210131.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.QackySoWacky.20210215.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Result
Verdict:
Malicious
File Type:
Legacy Office File
Link:
https://app.docguard.net/9f381cb9a41c723dddeca49ce454e720d3d211968eeef082073cfc531ae361f4/results/dashboard
Document image
Image:
Download PNG
Document image
Result
Verdict:
MALICIOUS
Details
Excel 4.0 Macro
Document contains Excel 4.0 macros (XLM). A valid, albeit dated feature, this document should be treated with suspicion.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Autostarting Excel Macro Sheet
Excel contains Macrosheet logic that will trigger automatically upon document open.
Result
Threat name:
Hidden Macro 4.0 Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/609987
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to a URL shortener service
Document exploit detected (process start blacklist hit)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found Excel 4.0 Macro with suspicious formulas
Found malware configuration
Found obfuscated Excel 4.0 Macro
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Powershell downloading file from url shortener site
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 354016 Sample: PO.xls Startdate: 17/02/2021 Architecture: WINDOWS Score: 100 66 Found malware configuration 2->66 68 Antivirus detection for URL or domain 2->68 70 Sigma detected: Powershell downloading file from url shortener site 2->70 72 11 other signatures 2->72 8 EXCEL.EXE 60 24 2->8         started        11 Drivers.exe 2 2->11         started        process3 signatures4 74 Obfuscated command line found 8->74 76 Document exploit detected (process start blacklist hit) 8->76 13 powershell.exe 7 8->13         started        15 powershell.exe 16 7 8->15         started        20 powershell.exe 7 8->20         started        78 Injects a PE file into a foreign processes 11->78 22 Drivers.exe 11->22         started        24 powershell.exe 7 11->24         started        process5 dnsIp6 26 sv.exe 1 7 13->26         started        46 consommateur.qc.ca 174.142.89.59, 49168, 80 IWEB-ASCA Canada 15->46 48 tinyurl.com 104.20.139.65, 443, 49167 CLOUDFLARENETUS United States 15->48 36 C:\Users\user\Documents\sv.exe, PE32 15->36 dropped 56 Drops PE files to the document folder of the user 15->56 58 Powershell drops PE file 15->58 50 checkip.dyndns.org 22->50 52 freegeoip.app 22->52 54 checkip.dyndns.com 22->54 60 Tries to steal Mail credentials (via file access) 22->60 62 Tries to harvest and steal ftp login credentials 22->62 64 Tries to harvest and steal browser information (history, passwords, etc) 22->64 file7 signatures8 process9 signatures10 80 Injects a PE file into a foreign processes 26->80 29 sv.exe 12 26->29         started        33 powershell.exe 7 26->33         started        process11 dnsIp12 40 checkip.dyndns.org 29->40 42 checkip.dyndns.com 216.146.43.70, 49169, 49170, 49172 DYNDNSUS United States 29->42 44 freegeoip.app 104.21.19.200, 443, 49171, 49174 CLOUDFLARENETUS United States 29->44 82 Tries to steal Mail credentials (via file access) 29->82 84 Tries to harvest and steal browser information (history, passwords, etc) 29->84 38 C:\Users\user\AppData\Roaming\...\Drivers.exe, PE32 33->38 dropped 86 Drops PE files to the startup folder 33->86 88 Powershell drops PE file 33->88 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f381cb9a41c723dddeca49ce454e720d3d211968eeef082073cfc531ae361f4/
Threat name:
Document-Word.Trojan.Krates
Create hunting rule
Status:
Malicious
First seen:
2021-02-17 09:03:07 UTC
AV detection:
16 of 47 (34.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t44bzonedrzd3xpmusooivhhedj5eemwr3xpbaqhht6fggxdmh2a._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger macro spyware stealer xlm
Link:
https://tria.ge/reports/210217-2r8qa93v1j/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Beds Protector Packer
Process spawned unexpected child process
Snake Keylogger
Snake Keylogger Payload
Malware Config
Dropper Extraction:
https://tinyurl.com/yajbg9e5
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f381cb9a41c723dddeca49ce454e720d3d211968eeef082073cfc531ae361f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_ZLoader_xls_20201029
Create hunting rule
Author:abuse.ch
Description:Detects ZLoader XLS
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Excel_Hidden_Macro_Sheet
Create hunting rule
Rule name:INDICATOR_OLE_Excel4Macros_DL2
Create hunting rule
Author:ditekSHen
Description:Detects OLE Excel 4 Macros documents acting as downloaders
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:multiple_concats_in_excel4_exec_enjoy_the_silence
Create hunting rule
Author:Will Metcalf
Description:Behold The Great And Powerful Match Iterator. Multiple Concats with register Function SILENT BUILDER EDITION
Reference:https://blog.reversinglabs.com/blog/excel-4.0-macros
Rule name:multiple_concats_in_excel4_formula_exec
Create hunting rule
Author:Will Metcalf
Description:Behold The Great And Powerful Match Iterator. Multiple Concats Inside of exec Function
Reference:https://support.microsoft.com/en-us/office/excel-specifications-and-limits-1672b34d-7043-467e-8e27-269d656771c3
Rule name:multiple_concats_in_excel4_formula_exec_1
Create hunting rule
Author:Will Metcalf
Description:Behold The Great And Powerful Match Iterator. Multiple Concats Inside of exec Function
Reference:https://blog.reversinglabs.com/blog/excel-4.0-macros
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:SUSP_Excel4Macro_AutoOpen
Create hunting rule
Author:John Lambert @JohnLaTwC
Description:Detects Excel4 macro use with auto open / close
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:ZloaderXLSBehavior
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SilentBuilder

zip ae46947119374e3dd59d3132235fd0359642209cb1b87e2bed9bc8af9c2822b1

SilentBuilder

Excel file xls 9f381cb9a41c723dddeca49ce454e720d3d211968eeef082073cfc531ae361f4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1015446/
  
Dropped by
MD5 7a700d60b6b437bc18c8ca343ea16c8b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117533/
  
Dropped by
SHA256 ae46947119374e3dd59d3132235fd0359642209cb1b87e2bed9bc8af9c2822b1

Comments