MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7c9d20dd6146600dbd1769e9e0c55cd6df66ca6d81e8d620ac89aed9c8cef50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: SilentBuilder
Vendor detections: 9
Maldoc score: 10

SHA256 hash: f7c9d20dd6146600dbd1769e9e0c55cd6df66ca6d81e8d620ac89aed9c8cef50
SHA3-384 hash: 82ea6a8c6137edee2fe44821a5546c9eefe4779bf8057edb0d2228d4f1f82cc8bf1c29188876ded4c31845198cafeedf
SHA1 hash: 3a64ab2f972cb643a0c0558ea5df0a2d6f300202
MD5 hash: 5d6ef9cce2eee7b41ad4c8dfc97b7b9d
humanhash: finch-uranus-leopard-bravo
File name: SecuriteInfo.com.XLM.Trojan.Abracadabra.35.Gen.21038.12437
Signature: SilentBuilder
File size: 280'576 bytes
First seen: 2022-09-22 01:07:20 UTC
Last seen: Never
File type: Excel file xlsx
MIME type: application/vnd.ms-excel
ssdeep: 6144:KcPiTQAVW/89BQnmlcGvgZ7r3J8b5IXJK++DiR:miR
TLSH: T1B654C3D2B112A164E1585F36E826417C42EBEEAA7B78F18B2C04F3B73B771D13E41919
TrID: 80.2% (.XLS) Microsoft Excel sheet (32500/1/3); 19.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: SecuriteInfoCom
Tags: SilentBuilder xlsx

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, produced with oletools (oleid, olevba) and oledump.

OLE id

Maldoc score: 10

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section ID    Section size      Section name
1             4096 bytes        DocumentSummaryInformation
2             4096 bytes        SummaryInformation
3             268492 bytes      Book
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA/XLM script(s) embedded in this file using olevba, yielding the following information:

Type          Keyword          Description
Hex String    EcFVHHU          45634656484855
Hex String    EeFEdeF          45654645646546
IOC           netr.dll         Executable file name
Suspicious    RUN              May run an executable file or a system command
Suspicious    EXEC             May run an executable file or a system
Suspicious    Hex Strings      Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious    Base64 Strings   Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious    XLM macro        XLM macro found. It may contain malicious code

Intelligence


File Origin

# of uploads: 1
# of downloads: 375
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SecuriteInfo.com.XLM.Trojan.Abracadabra.35.Gen.21038.12437
Verdict: Malicious activity
Analysis date: 2022-09-22 01:14:22 UTC
Tags: macros maldoc-42

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malicious
File Type: Legacy Office File

Payload URLs
URL                                     File name
https://emploimed.com/netr.dll,adToF    Book

Behaviour
BlacklistAPI detected

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: macros macros-on-open rundll32

Label: Malicious
Suspicious Score: 6.7/10
Score Malicious: 67%
Score Benign: 33%

Result
Threat name: Hidden Macro 4.0
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100

Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Outdated Microsoft Office dropper detected
Yara detected hidden Macro 4.0 in Excel

Behaviour
Threat name: Document-Excel.Trojan.Stratos
Status: Malicious
First seen: 2021-05-01 14:20:47 UTC
File Type: Document
Extracted files: 3
AV detection: 17 of 47 (36.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: macro xlm

Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Process spawned unexpected child process

Malware Config
Dropper Extraction: https://emploimed.com/netr.dll

Verdict: Informative
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Comments