MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c74441bb3efbd6243efde0045134c7c55c794985bf7a321a6dd475f9c795f6ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Maldoc score: 19


Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash: c74441bb3efbd6243efde0045134c7c55c794985bf7a321a6dd475f9c795f6ac
SHA3-384 hash: a68fa1a5a82a57efbd99694b38ebdd3ca41cdad57c50024bb5eeb4bfeff03d991a04cc3e063309452579bd7a416c80dd
SHA1 hash: 645c0ef504d47a55ca1aa25a501d66ea80b5a59a
MD5 hash: 07a2105937ab7f4c610bc1eefb784a29
humanhash: foxtrot-equal-alpha-eleven
File name:상여금처리산식.xls
Download: download sample
File size:45'568 bytes
First seen:2022-11-04 17:14:32 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 768:9GpPk3dS9cW5y1EXyr48LvH/7MOTzrjlEsVYem6y9Y1h7zd6K2wNvlt3boAwacSW:9ek3dS9cW5y1EXyr48LvH/7MOTzrjlEp
TLSH T16E232E51F692C949C88507394FE7D6E73726BC918FAA870B31C4B31E7EBD690881F606
TrID 58.2% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
33.5% (.XLS) Microsoft Excel sheet (32500/1/3)
8.2% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter Jagdtiger88mm
Tags:macro xls

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 19
OLE dump

MalwareBazaar was able to identify 17 sections in this file using oledump:

Section IDSection sizeSection name
1106 bytesCompObj
2264 bytesDocumentSummaryInformation
3208 bytesSummaryInformation
422538 bytesWorkbook
5575 bytes_VBA_PROJECT_CUR/PROJECT
6122 bytes_VBA_PROJECT_CUR/PROJECTwm
74318 bytes_VBA_PROJECT_CUR/VBA/Module1
8999 bytes_VBA_PROJECT_CUR/VBA/Sheet1
9999 bytes_VBA_PROJECT_CUR/VBA/Sheet2
10999 bytes_VBA_PROJECT_CUR/VBA/Sheet3
113341 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
122181 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
13332 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
14194 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
15452 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
16601 bytes_VBA_PROJECT_CUR/VBA/dir
171214 bytes_VBA_PROJECT_CUR/VBA/__
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
IOC106.249.253.146IPv4 address
IOCadvapi32.dllExecutable file name
IOCfileDownloader.exeExecutable file name
IOCcmd.exeExecutable file name
IOCfiledownload.exeExecutable file name
SuspiciousEnvironMay read system environment variables
SuspiciousoutputMay write to a file (if combined with Open)
SuspiciousShellMay run an executable file or a system command
SuspiciousvbNormalNoFocusMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousLibMay run code from a DLL
SuspiciousRegCloseKeyMay read or write registry keys
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
1
# of downloads :
374
Origin country :
KR KR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
상여금처리산식.xls
Verdict:
Malicious activity
Analysis date:
2022-11-04 04:50:15 UTC
Tags:
macros macros-on-open

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Sending a UDP request
Running batch commands by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Payload URLs
URL
File name
http://106.249.253.146:12582/common/malDownFilePath.do?trnKey=20200122nleSLHhG
Module1
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd cmd.exe evasive language-ko macros macros-on-open
Label:
Malicious
Suspicious Score:
8.6/10
Score Malicious:
86%
Score Benign:
14%
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl
Score:
76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 738491 Sample: #Uc0c1#Uc5ec#Uae08#Ucc98#Ub... Startdate: 04/11/2022 Architecture: WINDOWS Score: 76 12 Antivirus / Scanner detection for submitted sample 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 Machine Learning detection for sample 2->16 18 4 other signatures 2->18 6 EXCEL.EXE 8 8 2->6         started        process3 process4 8 cmd.exe 6->8         started        10 cmd.exe 6->10         started       
Threat name:
Document-Office.Trojan.Valyria
Status:
Malicious
First seen:
2022-11-04 17:15:12 UTC
File Type:
Document
Extracted files:
25
AV detection:
12 of 41 (29.27%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Process spawned unexpected child process
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:informational_win_ole_protected
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:TA505_Maldoc_21Nov_2
Author:Arkbird_SOLG
Description:invitation (1).xls
Reference:https://twitter.com/58_158_177_102/status/1197432303057637377

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments