MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2701be6d7b593433a48955c5613953470e2c807a87fa18eb33334da66dd41b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SilentBuilder
Vendor detections: 10
Maldoc score: 5

SHA256 hash: b2701be6d7b593433a48955c5613953470e2c807a87fa18eb33334da66dd41b0
SHA3-384 hash: 47fed76e3bf63026e22c3f0f3268740674f1dfc839588026cc7ff16e5e0873f01c85c948a7e0978b35f88f4d1bd29d4f
SHA1 hash: 830932f1ec44148a6327f08d95b2ebaa4694d2ad
MD5 hash: 0e6d3ca70f81e25baf88e5a2bb5cde7e
humanhash: mississippi-hotel-orange-ceiling
File name: xls.xls
Signature: SilentBuilder
File size: 325'120 bytes
First seen: 2021-02-09 10:51:57 UTC
Last seen: 2021-02-09 13:06:09 UTC
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 6144:hcKoSsxzNDZLDZjlbR868O8KlVH3tFq7uDphYHceXVhca+fMHLty/xcl8OR4PiAZ:62r8QRfM4RmnT6HzpQ5
TLSH: C064F186B74ECA54E90583340FCBC6A65F57FC069BA617C39940BE14BE79DE00B32672
Reporter: JAMESWT_WT
Tags: Gozi SilentBuilder

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 5
Application name is Microsoft Excel
Office document is in OLE format
OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section ID | Section size | Section name
1          | 4096 bytes   | DocumentSummaryInformation
2          | 4096 bytes   | SummaryInformation
3          | 312999 bytes | Workbook
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) from OLE objects embedded in this file using olevba, yielding the following information:

Type       | Keyword     | Description
AutoExec   | Auto_Open   | Runs when the Excel Workbook is opened
Suspicious | EXEC        | May run an executable file or a system
Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 3
# of downloads: 180
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b2701be6d7b593433a48955c5613953470e2c807a87fa18eb33334da66dd41b0
Verdict: Malicious activity
Analysis date: 2021-02-09 10:23:59 UTC
Tags: macros trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
File type: application/vnd.ms-excel
Has a screenshot: False
Contains macros: True
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Sending a custom TCP request
Changing a file
Sending an HTTP GET request
Launching a process by exploiting the app vulnerability
Result
Verdict: Malicious
File Type: Legacy Office File
Payload URLs
URL                                     | File name
http://online-docu-sign-st.com/yytr.png | WorkBook
Result
Verdict: MALICIOUS
Details
Autostarting Excel Macro Sheet: Excel contains Macrosheet logic that will trigger automatically upon document open.
Result
Threat name: Hidden Macro 4.0 Gozi Ursnif
Detection: malicious
Classification: phis.bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Compiles code for process injection (via .Net compiler)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Detected Gozi e-Banking trojan
Disables SPDY (HTTP compression, likely to perform web injects)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Downloads files with wrong headers with respect to MIME Content-Type
Found abnormal large hidden Excel 4.0 Macro sheet
Found Excel 4.0 Macro with suspicious formulas
Found malware configuration
Hijacks the control flow in another process
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Overwrites Mozilla Firefox settings
Searches for Windows Mail specific files
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses nslookup.exe to query domains
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Threat name: Document-Excel.Trojan.Heuristic
Status: Malicious
First seen: 2021-02-09 05:32:24 UTC
File Type: Document
Extracted files: 3
AV detection: 6 of 47 (12.77%)
Threat level: 2/5
Result
Malware family: n/a
Score: 10/10
Tags: macro xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Loads dropped DLL
Process spawned unexpected child process
Malware Config
Dropper Extraction: http://online-docu-sign-st.com/yytr.png
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: SUSP_Excel4Macro_AutoOpen
Author: John Lambert @JohnLaTwC
Description: Detects Excel4 macro use with auto open / close

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.
