MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8475fe3ac277d2eda466aaa4d42044d7230ac650b62dde38bf9727514c3ad69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Kimsuky

Vendor detections: 11

Maldoc score: 13

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	e8475fe3ac277d2eda466aaa4d42044d7230ac650b62dde38bf9727514c3ad69
SHA3-384 hash:	0dc415ced911b85d4cc16d61bc8d9ebe5c47757c01fc7c0f996f3fa6f5947225885a905c5fca9355e8a6a467e44ae12a
SHA1 hash:	3978abfd510cafbda865b708d6896560fede9a32
MD5 hash:	e0cf0881de0fe35732bb02c1f4df02a3
humanhash:	snake-bravo-tennis-iowa
File name:	협의 이혼 의사 확인 신청서.doc
Download:	download sample
Signature	Kimsuky Create hunting rule
File size:	62'545 bytes
First seen:	2023-03-16 16:27:53 UTC
Last seen:	Never
File type:	doc
MIME type:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep	1536:Am0nG0R5fPNK0kspG12qchCSImAGnkRLiNVQEvEqJB7fhkxn:QG6dKxAqAYi9bNVQ8Zjaxn
TLSH	T12853D11B89458E0BD1A7D37CFF070A98DB281B15644737DB802289DFDBA07A72D6D89C
TrID	53.0% (.DOCM) Word Microsoft Office Open XML Format document (with Macro) (52000/1/9) 23.9% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4) 17.8% (.ZIP) Open Packaging Conventions container (17500/1/4) 4.0% (.ZIP) ZIP compressed archive (4000/1) 1.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	Jagdtiger88mm
Tags:	doc Kimsuky malicious

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 13

OLE dump

MalwareBazaar was able to identify 7 sections in this file using oledump:

Section ID	Section size	Section name
A1	412 bytes	PROJECT
A2	71 bytes	PROJECTwm
A3	3515 bytes	VBA/NewMacros
A4	938 bytes	VBA/ThisDocument
A5	3181 bytes	VBA/_VBA_PROJECT
A6	570 bytes	VBA/dir

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	AutoOpen	Runs when the Word document is opened
IOC	wscript.exe	Executable file name
Suspicious	open	May open a file
Suspicious	Create	May execute file or a system command through WMI
Suspicious	CreateObject	May create an OLE object
Suspicious	GetObject	May get an OLE object with a running instance
Suspicious	MSXML2.ServerXMLHTTP	May download files from the Internet
Suspicious	Base64 Strings	Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin

# of uploads :

# of downloads :

346

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

협의 이혼 의사 확인 신청서.doc

Verdict:

Malicious activity

Analysis date:

2023-03-16 16:24:06 UTC

Tags:

macros macros-on-open

Link:

https://app.any.run/tasks/eeb44af0-3353-40f5-9586-d4e9a28feffb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

TwinWave.EvilDoc.IntoTheMidnight.20201216.UNOFFICIAL

TwinWave.EvilDoc.DLAndDetonateBoysDontCry.20211221.UNOFFICIAL

TwinWave.EvilDoc.SomethingWentWrongPicturesOfU.WORD.230313.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Using the Windows Management Instrumentation requests

Possible injection to a system process

Bypassing of proactive protection methods using Windows Management Instrumentation (WMI)

Creating a process from a recently created file

Result

Verdict:

Malicious

File Type:

Word File with Macro

Link:

https://app.docguard.net/e8475fe3ac277d2eda466aaa4d42044d7230ac650b62dde38bf9727514c3ad69/results/dashboard

Behaviour

BlacklistAPI detected

Document image

Image:

Download PNG

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm hancitor macros macros-on-open wscript wscript.exe

Link:

https://www.filescan.io/uploads/64134395c60b3295f52b6015/reports/8a7a1867-1d32-46ec-85b1-a5f9cbbee05a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/e8475fe3ac277d2eda466aaa4d42044d7230ac650b62dde38bf9727514c3ad69

Label:

Malicious

Suspicious Score:

7.2/10

Score Malicious:

72%

Score Benign:

28%

Link:

https://www.malware.ai/gui/files/?id=a7332e0a-7352-4eea-9716-7bb9d1087e8c

Result

Threat name:

Unknown

Detection:

malicious

Classification:

expl.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1195152

Signature

Creates processes via WMI

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Wscript called in batch mode (surpress errors)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e8475fe3ac277d2eda466aaa4d42044d7230ac650b62dde38bf9727514c3ad69/

Threat name:

Document-Word.Trojan.RealProtect

Status:

Malicious

First seen:

2023-03-13 07:39:35 UTC

File Type:

Document

Extracted files:

AV detection:

15 of 39 (38.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5bdv7y5me56s5wsgnkve2qqejvzdbldfbnrn3y4l7fzhkfgdvvuq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/230316-tynx5aeb21/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

NTFS ADS

Script User-Agent

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Blocklisted process makes network request

Process spawned unexpected child process

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e8475fe3ac27/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e8475fe3ac277d2eda466aaa4d42044d7230ac650b62dde38bf9727514c3ad69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample