MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d60188bc3e17e3fe9a8353a5eb4b791316968f3c1cea1e4e88138718efec0611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments

SHA256 hash: d60188bc3e17e3fe9a8353a5eb4b791316968f3c1cea1e4e88138718efec0611
SHA3-384 hash: cf8b73a1b76e1b1472490899a0a4846a603f992c48e11b7d8f8e199134ff19839893565d2bee3a4fe8775044d2a48bc7
SHA1 hash: 7adf1d60fd08b3accd3a8e58fbdcc674bd1b02ee
MD5 hash: 9d7bf0f2fbb81660c8b91c2a323fde4e
humanhash: sweet-charlie-muppet-bacon
File name:_FM_BUSAN_HOCHIMINH_.xlsx
Download: download sample
Signature n/a
File size:191'784 bytes
First seen:2022-02-16 08:06:15 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/encrypted
ssdeep 3072:dnK3hkFr084G2tQX/WdCcsE7i9y6T9BSRIjDALPOWEW7eDy/wLyjjBvRhNasgKVT:c3K108GtC/uCcsjk6TWODA7heDvwa5y
TLSH T1C2141260F6A89F2BF1B7767A4C45433C167BDD2A127884C3E99BB48F19F085669041EC
Reporter @abuse_ch
Tags:VelvetSweatshop xlsx

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump
Sections: 6
Detection: VelvetSweatshop

The following OLE sections have been found using oledump:

Section IDSection sizeSection name
164 bytesDataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
2112 bytesDataSpaces/DataSpaceMap
3208 bytesDataSpaces/TransformInfo/StrongEncryptionTransform/Primary
476 bytesDataSpaces/Version
5185128 bytesEncryptedPackage
6224 bytesEncryptionInfo

Intelligence


File Origin
# of uploads :
1
# of downloads :
180
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Verdict:
Malicious
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
False
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Launching a process
Creating a file
–°reating synchronization primitives
Reading critical registry keys
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request to an infection source by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects in Encrypted Excel File
Alert level:
75%
Document image
Document image
Gathering data
Label:
Malicious
Suspicious Score:
  9.8/10
Score Malicious:
99%
Score Benign:
1%
Result
Verdict:
MALICIOUS
Details
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl
Score:
96 / 100
Signature
Drops PE files to the user root directory
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Execution from Suspicious Folder
Sigma detected: File Dropped By EQNEDT32EXE
Behaviour
Behavior Graph:
Threat name:
Document-Office.Exploit.CVE-2017-11882
Status:
Malicious
First seen:
2022-02-16 02:33:53 UTC
AV detection:
18 of 42 (42.86%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments