MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e67aa7a4192ca035c6c52a6afaf1b03058b9baa6fde616db3dad9d8d3d4c24cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: e67aa7a4192ca035c6c52a6afaf1b03058b9baa6fde616db3dad9d8d3d4c24cc
SHA3-384 hash: ef58fd78eb2e1fb6f042f153a2d685179f59048ab9134082a3d9cfc643d9de37bf58ad6e3e3273659486aeaa81bb49ef
SHA1 hash: 756fe15d649645f5d9c3ef60dcd6d6ba5384633e
MD5 hash: b3b0dffa00f1a93dd4f4069d87f43dd3
humanhash: enemy-six-comet-bluebird
File name: legal agreement_07.30.2020.doc
Signature: IcedID
File size: 106'102 bytes
First seen: 2020-07-31 13:02:10 UTC
Last seen: Never
File type: Word file doc
MIME type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep: 3072:BPEouekSE+kd5vK4KlNCj5xw8/JIguvESZCrBihNb:BZuekQXPCj5WM0jg4
TLSH: 26A3F13BD809A262E21D06F6B48729D4BE55B70CE5D62DFF05610FCAFA982130F5D06E
Reporter: @JAMESWT_MHT
Tags: doc IcedID

Intelligence


File Origin
# of uploads: 1
# of downloads: 75
Origin country: IT
Mail intelligence: No data
Vendor Threat Intelligence
Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Obfuscated command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Certutil Command
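The two Sigma hits and the "obfuscated command line" signature above all key on process-creation telemetry: an Office binary as parent, a Windows shell or certutil.exe as child, and the command line itself. The following Python is an added example, not MalwareBazaar's or any sandbox vendor's code, that runs simplified approximations of those three detections over a few constructed Sysmon-style events (ParentImage, Image, CommandLine). The process names, certutil switches and the caret-count threshold are assumptions chosen to illustrate the logic, not the published rule definitions.

```python
"""Added example: approximate the page's process-based detections over
constructed process-creation events. Not the actual Sigma rule bodies."""
from dataclasses import dataclass

# Assumption: a representative set of Office parents and shell-like children.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Assumption: certutil switches commonly abused to decode or fetch payloads.
CERTUTIL_FLAGS = ("-decode", "-decodehex", "-encode", "-urlcache", "-ping")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 style record."""
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Return the lower-cased basename of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawning_shell(ev: ProcEvent) -> bool:
    """Office product as parent, shell-like binary as child."""
    return image_name(ev.parent_image) in OFFICE_APPS and image_name(ev.image) in SHELLS


def suspicious_certutil(ev: ProcEvent) -> bool:
    """certutil.exe invoked with a decode/download style switch (either -x or /x form)."""
    if image_name(ev.image) != "certutil.exe":
        return False
    cmd = ev.command_line.lower().replace("/", "-")
    return any(flag in cmd for flag in CERTUTIL_FLAGS)


def obfuscated_cmd(ev: ProcEvent, min_carets: int = 4) -> bool:
    """Heuristic (assumption): many cmd.exe escape carets signal string-splitting obfuscation."""
    return image_name(ev.image) == "cmd.exe" and ev.command_line.count("^") >= min_carets


RULES = {
    "office_product_spawning_windows_shell": office_spawning_shell,
    "suspicious_certutil_command": suspicious_certutil,
    "obfuscated_cmd_command_line": obfuscated_cmd,
}


def detect(events):
    """Return (event index, rule name) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


# Constructed sample events: a Word document spawning an obfuscated cmd.exe that
# calls certutil to decode a dropped payload, plus benign Office activity for contrast.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcEvent(WINWORD, r"C:\Windows\System32\cmd.exe",
              r'cmd /c "s^e^t x=cert^util && c^all %x% -decode C:\Users\Public\a.txt C:\Users\Public\a.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", WINWORD,
              '"WINWORD.EXE" /n "legal agreement_07.30.2020.doc"'),
    ProcEvent(WINWORD, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              "certutil -verify cert.cer"),
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Only the first two events fire: event 0 on the Office-parent and caret-obfuscation checks, event 1 on the certutil switch. The printing parent (splwow64.exe) and the plain `certutil -verify` stay quiet, which is the kind of negative case worth keeping in a detection test set so that the parent/child check is not widened into "Office spawned anything".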
Threat name: Document-Office.Trojan.IcedID
Status: Malicious
First seen: 2020-07-31 13:04:06 UTC
AV detection: 13 of 31 (41.94%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
An obfuscated cmd.exe command-line is typically used to evade detection.
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Process spawned unexpected child process
Threat name: Malicious File
Score: 1.00

Yara Signatures


Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples
