MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745
SHA3-384 hash:	8d998668d087164fcb303d3c692c46c7653fbfced840d0d2a5962017ba5216c5bbb91913206d376f57a005eab6469c16
SHA1 hash:	9bec2182cc5b41fe8783bb7ab6e577bac5c19f04
MD5 hash:	55998cb43459159a5ed4511f00ff3fc8
humanhash:	stream-venus-bacon-lemon
File name:	court.docx
Download:	download sample
File size:	24'178 bytes
First seen:	2021-09-09 04:10:06 UTC
Last seen:	Never
File type:	docx
MIME type:	application/octet-stream
ssdeep	384:Q6UDg00MWEg9fPCPyH111/elBqhveoNHfn5yAehqbhtgyhdCxi556BjsbIwRq:QcMWE04uebyvNv5yHcttg6dwc5YQb5w
TLSH	T1BDB2AFB4C2296469C60F79B1C13B2B8AF3DC479A73142D893B095346722B7836B71E5A
Reporter	JAMESWT_WT
Tags:	CVE 2021 40444 CVE-2021-40444 docx

Intelligence

File Origin

# of uploads :

# of downloads :

753

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

court.docx

Verdict:

No threats detected

Analysis date:

2021-09-09 05:57:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d60d5392-3b59-4696-a24d-08e7ea02910c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Legit

File type:

application/vnd.openxmlformats-officedocument.wordprocessingml.document

Has a screenshot:

False

Contains macros:

False

Detection(s):

TwinWave.EvilDoc.RelsTargetGamesPolicyKillMHTMLRocket88.20210907.UNOFFICIAL

TwinWave.EvilDoc.RelsTargetGamesPolicyKillMHTMLRocket88.M2.20210907.UNOFFICIAL

TwinWave.EvilDoc.CVE-2021-40444Rocket88.M2.20210907.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Verdict:

Malicious

File Type:

OOXML Word File

Link:

https://app.docguard.net/d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745/results/dashboard

Payload URLs

URL

File name

http://hidusi.com/e8c76295a5f9acb7/side.html

document.xml.rels

Document image

Image:

Download PNG

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745

Details

External Relationship Element

Document contains an externally hosted relationship, which fetches further content.

Result

Threat name:

CVE-2021-40444

Detection:

malicious

Classification:

expl

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/847808

Signature

Multi AV Scanner detection for submitted file

Yara detected CVE-2021-40444

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745/

Threat name:

Document.Trojan.Heuristic

Status:

Malicious

First seen:

2021-09-08 16:07:16 UTC

File Type:

Document

Extracted files:

AV detection:

3 of 33 (9.09%)

Threat level:

2/5

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/210909-erecsaafgl/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample