MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb5229a598a06442de934e47269a5e47ec8ff6bc3c74dd90a91d1ca9fdee634f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb5229a598a06442de934e47269a5e47ec8ff6bc3c74dd90a91d1ca9fdee634f
SHA3-384 hash: ac55479b816894307cde1b4341415fc30432baeac5026381c50055b915516c4568c7459c2ab77f9952783c5c01d461d4
SHA1 hash: 8e658720dd38644246e0add01a30e4dbe9db21db
MD5 hash: b012239707ba27080073c39e73966f2d
humanhash: comet-triple-connecticut-emma
File name:6.ppam
Download: download sample
File size:9'842 bytes
First seen:2022-01-06 21:18:05 UTC
Last seen:Never
File type:PowerPoint file ppam
MIME type:application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep 192:Yz8PkrrAlh+dhjAfGd+ujgXRgxYscAh/hGW7JcKtW7C24N97kVtZ3pB47gsn:Yz8Pi0r+zd+u8gm6vGecKt4h+5AtZZqp
TLSH T12B12AF8C93452B49C63BC93DC6162952AF5AC189AF21173F7091E30F87432D72A5BBDD
Reporter Anonymous
Tags:ppam

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilDoc.StringBuidlersEveryRoseHasItsThorn.20210308.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Heur.27791.13364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Legacy PowerPoint File with Macro
Link:
https://app.docguard.net/eb5229a598a06442de934e47269a5e47ec8ff6bc3c74dd90a91d1ca9fdee634f/results/dashboard
Payload URLs
URL
File name
http://j.mp/
jsfdjsfgsdj.d
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
macros macros-on-open
Link:
https://www.filescan.io/uploads/61d75c9602e388f9fdb0f0e8/reports/6ea82f62-8bb9-4fd6-817b-58a0680a7b38/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/eb5229a598a06442de934e47269a5e47ec8ff6bc3c74dd90a91d1ca9fdee634f
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Suspicious URL
Macro contails a suspicious URL to a Tor .onion services, URL shortening services, or file upload provider.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916532
Signature
Bypasses PowerShell execution policy
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Schedule system process
Sigma detected: Suspicious MSHTA Process Patterns
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes registry values via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549010 Sample: 6.ppam Startdate: 06/01/2022 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for submitted file 2->34 36 Sigma detected: Schedule system process 2->36 38 Machine Learning detection for sample 2->38 40 8 other signatures 2->40 8 cmd.exe 1 2->8         started        10 taskeng.exe 1 2->10         started        12 powershell.exe 7 2->12         started        14 POWERPNT.EXE 501 3 2->14         started        process3 process4 16 POWERPNT.EXE 8 15 8->16         started        18 conhost.exe 10->18         started        process5 20 mshta.exe 4 13 16->20         started        dnsIp6 28 j.mp 67.199.248.17, 49165, 80 GOOGLE-PRIVATE-CLOUDUS United States 20->28 30 download2345.mediafire.com 199.91.155.86, 443, 49167 MEDIAFIREUS United States 20->30 32 www.mediafire.com 104.16.202.237, 443, 49166 CLOUDFLARENETUS United States 20->32 42 Bypasses PowerShell execution policy 20->42 44 Uses schtasks.exe or at.exe to add and modify task schedules 20->44 46 Writes or reads registry keys via WMI 20->46 48 Writes registry values via WMI 20->48 24 powershell.exe 6 20->24         started        26 schtasks.exe 20->26         started        signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb5229a598a06442de934e47269a5e47ec8ff6bc3c74dd90a91d1ca9fdee634f/
Threat name:
Script-Macro.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 12:08:58 UTC
File Type:
Document
Extracted files:
21
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection
Link:
https://tria.ge/reports/220106-z5mljabfc9/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Blocklisted process makes network request
Drops file in Drivers directory
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://j.mp/asksdqwqwqxzxzssdsddaakd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb5229a598a06442de934e47269a5e47ec8ff6bc3c74dd90a91d1ca9fdee634f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
  
URLhaus
https://urlhaus.abuse.ch/url/1952927/
  
URLhaus
https://urlhaus.abuse.ch/url/1953374/
  
URLhaus
https://urlhaus.abuse.ch/url/1953375/

Comments