MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2f99d4b45dc70a65f8e26bf5dd2c5d56cd0ba37fdf1b8bb9459073ed158a85e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 7


Maldoc score: 6



SHA256 hash: c2f99d4b45dc70a65f8e26bf5dd2c5d56cd0ba37fdf1b8bb9459073ed158a85e
SHA3-384 hash: ff62764878cb51ec330d8b8707435ba067e8253a3a51f1e7068af7ac7efbfcefe84655fba74bb530847e3e410ec419f2
SHA1 hash: 5e1e210bb264f390f611afdf8192e25e5b723221
MD5 hash: 389a4daa2839b884858a97bc907a7a5e
humanhash: ohio-sweet-emma-minnesota
File name: sample20210906-01.xls
Signature Gozi
File size: 97'280 bytes
First seen: 2021-09-06 10:07:11 UTC
Last seen: 2021-09-06 10:49:24 UTC
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep 1536:xsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0CSJHN5yNganntBdmsi0S2E7xw:xhlYkEIuPm3fNRZmbaoFhZhR0cixIHm5
TLSH T12093B313B612CC8EE59713304DD285A66732FCE9DF7A9A773240F33EE9782859903646
Reporter ffforward
Tags: Cutwail enel EnelEnergia Gozi isfb Ursnif xls

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 6
Application name is unknown
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 14 sections in this file using oledump:

Section ID | Section size | Section name
1          | 118 bytes    | CompObj
2          | 256 bytes    | DocumentSummaryInformation
3          | 46544 bytes  | SummaryInformation
4          | 28953 bytes  | Workbook
5          | 452 bytes    | _VBA_PROJECT_CUR/PROJECT
6          | 104 bytes    | _VBA_PROJECT_CUR/PROJECTwm
7          | 992 bytes    | _VBA_PROJECT_CUR/VBA/Foglio1
8          | 5580 bytes   | _VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro
9          | 2962 bytes   | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
10         | 1991 bytes   | _VBA_PROJECT_CUR/VBA/__SRP_0
11         | 271 bytes    | _VBA_PROJECT_CUR/VBA/__SRP_1
12         | 1601 bytes   | _VBA_PROJECT_CUR/VBA/__SRP_2
13         | 926 bytes    | _VBA_PROJECT_CUR/VBA/__SRP_3
14         | 563 bytes    | _VBA_PROJECT_CUR/VBA/dir
OLE vba

Using olevba, MalwareBazaar extracted and deobfuscated the VBA script(s) embedded in the OLE objects of this file and found the following indicators:

Type       | Keyword     | Description
Suspicious | Run         | May run an executable file or a system command
Suspicious | Chr         | May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
2
# of downloads :
1'278
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
002054853706_2.xls
Verdict:
Malicious activity
Analysis date:
2021-09-06 08:52:10 UTC
Tags:
maldoc-5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Clean

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
expl
Score:
20 / 100
Signature
Document contains an embedded VBA macro with suspicious strings
Behaviour
Threat name:
Document-Office.Trojan.Ursnif
Status:
Malicious
First seen:
2021-09-06 10:07:17 UTC
File Type:
Document
Extracted files:
19
AV detection:
4 of 28 (14.29%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
macro
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:dridex_halo_generated
Author:Halogen Generated Rule, Corsin Camichel

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

Excel file xls c2f99d4b45dc70a65f8e26bf5dd2c5d56cd0ba37fdf1b8bb9459073ed158a85e

(this sample)

Delivery method
Distributed via e-mail attachment

Comments