Excel File Drops Malicious Payload (2018-02-13) | Network
Connection Overview
Attention: The sample tried to contact a known malicious URL.

Remote Hosts (2)
Host                          Country   City  Protocols       Reputation Status
kdotraky.com (101.99.75.184)  Malaysia  -     -               Blacklisted URL
kdotraky.com (101.99.75.184)  Malaysia  -     HTTP, DNS, TCP  Blacklisted URL

URL (2)
URL                                   Connection Successful  Reputation Status
http://kdotraky.com/kat/val.exe       True                   Blacklisted
kdotraky.com/temp/Panel/five/fre.php  True                   Blacklisted
Connections

URL (1)
Operation  Additional Information                                                                               Success  Count
Download   url = http://kdotraky.com/kat/val.exe, filename = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe    True     1

DNS (6)
Operation     Additional Information                                                  Success  Count
Resolve Name  host = kdotraky.com, address_out = 101.99.75.184, service = 80           True     4
Resolve Name  host = —‹‹ÅÐД›‹ž”†Ñœ’Ћš’Ð¯ž‘š“Й–‰šÐ™šÑ—, service = 80                 False    2
TCP Sessions (4)
Total Data Sent       1.74 KB (1786 bytes)
Total Data Received   0.66 KB (672 bytes)
Contacted Host Count  1
Contacted Hosts       101.99.75.184:80
TCP Session #1
Handle          0x18c
Address Family  AF_INET
Type            SOCK_STREAM
Protocol        IPPROTO_TCP
Remote Address  101.99.75.184
Remote Port     80
Local Address   0.0.0.0
Local Port      49159
Data Sent       0.50 KB (514 bytes)
Data Received   0.17 KB (179 bytes)

Operations
Operation  Additional Information                                                 Success  Count
Create     protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM   True     1
Connect    remote_address = 101.99.75.184, remote_port = 80                      True     1
Send       flags = NO_FLAG_SET, size = 248, size_out = 248                        True     1
Send       flags = NO_FLAG_SET, size = 266, size_out = 266                        True     1
Receive    flags = NO_FLAG_SET, size = 4048, size_out = 179                       True     1
Close      type = SOCK_STREAM                                                     True     1
TCP Session #2
Handle          0x190
Address Family  AF_INET
Type            SOCK_STREAM
Protocol        IPPROTO_TCP
Remote Address  101.99.75.184
Remote Port     80
Local Address   0.0.0.0
Local Port      49160
Data Sent       0.43 KB (442 bytes)
Data Received   0.17 KB (179 bytes)

Operations
Operation  Additional Information                                                 Success  Count
Create     protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM   True     1
Connect    remote_address = 101.99.75.184, remote_port = 80                      True     1
Send       flags = NO_FLAG_SET, size = 248, size_out = 248                        True     1
Send       flags = NO_FLAG_SET, size = 194, size_out = 194                        True     1
Receive    flags = NO_FLAG_SET, size = 4048, size_out = 179                       True     1
Close      type = SOCK_STREAM                                                     True     1
TCP Session #3
Handle          0x190
Address Family  AF_INET
Type            SOCK_STREAM
Protocol        IPPROTO_TCP
Remote Address  101.99.75.184
Remote Port     80
Local Address   0.0.0.0
Local Port      49160
Data Sent       0.41 KB (415 bytes)
Data Received   0.15 KB (157 bytes)

Operations
Operation  Additional Information                                                 Success  Count
Create     protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM   True     1
Connect    remote_address = 101.99.75.184, remote_port = 80                      True     1
Send       flags = NO_FLAG_SET, size = 248, size_out = 248                        True     1
Send       flags = NO_FLAG_SET, size = 167, size_out = 167                        True     1
Receive    flags = NO_FLAG_SET, size = 4048, size_out = 157                       True     1
Close      type = SOCK_STREAM                                                     True     1
TCP Session #4
Handle          0x18c
Address Family  AF_INET
Type            SOCK_STREAM
Protocol        IPPROTO_TCP
Remote Address  101.99.75.184
Remote Port     80
Local Address   0.0.0.0
Local Port      49159
Data Sent       0.41 KB (415 bytes)
Data Received   0.15 KB (157 bytes)

Operations
Operation  Additional Information                                                 Success  Count
Create     protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM   True     1
Connect    remote_address = 101.99.75.184, remote_port = 80                      True     1
Send       flags = NO_FLAG_SET, size = 248, size_out = 248                        True     1
Send       flags = NO_FLAG_SET, size = 167, size_out = 167                        True     1
Receive    flags = NO_FLAG_SET, size = 4048, size_out = 157                       True     1
Close      type = SOCK_STREAM                                                     True     1
HTTP Sessions (4)
Total Data Sent       0.97 KB (992 bytes)
Total Data Received   0.00 KB (0 bytes)
Contacted Host Count  1
Contacted Hosts       kdotraky.com
HTTP Session #1
User Agent     Mozilla/4.08 (Charon; Inferno)
Server Name    kdotraky.com
Server Port    80
Data Sent      0.24 KB (248 bytes)
Data Received  0.00 KB (0 bytes)

Operations
Operation          Additional Information                                                                                                                                                                                                                                        Success  Count
Open Session       user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS                                                                                           True     1
Open Connection    protocol = http, server_name = kdotraky.com, server_port = 80                                                                                                                                                                                                 True     1
Open HTTP Request  http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php                                                                                                                                                                         True     1
Send HTTP Request  headers = content-length: 266, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php  True     1
HTTP Session #2
User Agent     Mozilla/4.08 (Charon; Inferno)
Server Name    kdotraky.com
Server Port    80
Data Sent      0.24 KB (248 bytes)
Data Received  0.00 KB (0 bytes)

Operations
Operation          Additional Information                                                                                                                                                                                                                                        Success  Count
Open Session       user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS                                                                                           True     1
Open Connection    protocol = http, server_name = kdotraky.com, server_port = 80                                                                                                                                                                                                 True     1
Open HTTP Request  http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php                                                                                                                                                                         True     1
Send HTTP Request  headers = content-length: 194, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php  True     1
HTTP Session #3
User Agent     Mozilla/4.08 (Charon; Inferno)
Server Name    kdotraky.com
Server Port    80
Data Sent      0.24 KB (248 bytes)
Data Received  0.00 KB (0 bytes)

Operations
Operation          Additional Information                                                                                                                                                                                                                                        Success  Count
Open Session       user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS                                                                                           True     1
Open Connection    protocol = http, server_name = kdotraky.com, server_port = 80                                                                                                                                                                                                 True     1
Open HTTP Request  http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php                                                                                                                                                                         True     1
Send HTTP Request  headers = content-length: 167, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php  True     1
HTTP Session #4
User Agent     Mozilla/4.08 (Charon; Inferno)
Server Name    kdotraky.com
Server Port    80
Data Sent      0.24 KB (248 bytes)
Data Received  0.00 KB (0 bytes)

Operations
Operation          Additional Information                                                                                                                                                                                                                                        Success  Count
Open Session       user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS                                                                                           True     1
Open Connection    protocol = http, server_name = kdotraky.com, server_port = 80                                                                                                                                                                                                 True     1
Open HTTP Request  http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php                                                                                                                                                                         True     1
Send HTTP Request  headers = content-length: 167, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php  True     1