MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdd11090b49fbb4ad1ece6a230d6c1046159afaa63b6684531265e65a4486b7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	bdd11090b49fbb4ad1ece6a230d6c1046159afaa63b6684531265e65a4486b7a
SHA3-384 hash:	92ca7ff77f0087dcbe0360a7f5d51302147d9613ecee395b76bff6b79a7f9403f072aa807eec8f4c8f3e958783ee83b7
SHA1 hash:	d2bf710f2a26f024e0e7ad45132084d95c31ba5d
MD5 hash:	8b32c6074c09932679a3a4790e6a8711
humanhash:	early-harry-sierra-speaker
File name:	New Inquiry.xll
Download:	download sample
File size:	844'288 bytes
First seen:	2022-08-22 14:57:45 UTC
Last seen:	Never
File type:	xll
MIME type:	application/x-dosexec
imphash	f20a8db3e4a8c03c1ab177b2660fdd78 (4 x Smoke Loader, 3 x AgentTesla, 2 x Gozi)
ssdeep	12288:GzLjlZHAt+AZrkOCH8bzbBSrekOi1uWD242S6+4yPL4o3QHynkx/ToqCoOCUM5z:GzLhltAdkjcX1vDWeS6Z+LbsyOU
Threatray	32 similar samples on MalwareBazaar
TLSH	T16F05D057F6E77A65E6AFD2BAC2B1C92D62B3309602B0C7CEB74055492D12391483DB0F
TrID	58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 34.3% (.OCX) Windows ActiveX control (116521/4/18) 3.0% (.EXE) Win64 Executable (generic) (10523/12/4) 1.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	xll

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

New Inquiry.xll

Verdict:

No threats detected

Analysis date:

2022-08-22 15:09:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/da20175f-6809-41ac-941a-7f25360fce74

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.MSIL.TrojanDownloader.Agent.KOL.21355.14570.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/bdd11090b49fbb4ad1ece6a230d6c1046159afaa63b6684531265e65a4486b7a/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63039a361d34cfa37d925934/reports/f8903d18-aa07-4273-9cf5-32a7aaf9d022/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

clean

Classification:

n/a

Score:

3 / 100

Link:

https://www.joesandbox.com/analysis/1055733

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bdd11090b49fbb4ad1ece6a230d6c1046159afaa63b6684531265e65a4486b7a/

Threat name:

Win64.Trojan.Phonzy

Status:

Malicious

First seen:

2022-08-22 12:05:28 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xxirbefut65uvupm42rdbvwbarqvtl5kmo3gqrjrezpgljcinn5a._file

Verdict:

unknown

06062b94f5122b8e90cca9c672de8d16f9ea095d4f0888549583d280426b7940

1a129b53070e067ddf5073440679c8b155d99d2c0ee1cb6326dd025dcc4c5cb3

725ef7921a3bbdcdaab5c323e98a7117e98dc77ec8867d08be590645beffd0ae

996cf8f61a636f8c09e5919fe6426a28b3d5b6e7865a0e46294cc0085a9e83aa

99afafb9edf09d9430d229df428dd5532de770adbfdb5aa798574607cb6b15a2

b21d4971ea8d9efdea1ce27b50f8477b4d2227200da98df8842945426a90e7a8

ca5b42fc1bbeea762b2170cc94b124ebb3731c68e445e78881fb2cc8fa6b1ccd

+ 22 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220822-sb53fsccd6/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Loads dropped DLL

Downloads MZ/PE file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bdd11090b49fbb4ad1ece6a230d6c1046159afaa63b6684531265e65a4486b7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	Find_Any_Xll_Files Create hunting rule
Author:	David Ledbetter @Ledtech3
Description:	Find Any XLL File

Rule name:	Hunt_Excel_DNA_Built_XLL_Files Create hunting rule
Author:	David Ledbetter @Ledtech3
Description:	Hunt for Excel Addin dll files generated with Excel-DNA builder https://excel-dna.net/

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xll bdd11090b49fbb4ad1ece6a230d6c1046159afaa63b6684531265e65a4486b7a

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample