Verdict: Malicious

Classifications: Injector, Spyware, Keylogger, Exploit, +2

Threat Names: Remcos, Mal/Generic-S, Mal/HTMLGen-A

Remarks

(0x0200000E): The overall sleep time of all monitored processes was truncated from "10 hours, 12 minutes, 20 seconds" to "12 seconds" to reveal dormant functionality.

(0x0200001D): The maximum number of extracted files was exceeded. Some files may be missing in the report.

File Name / Category / Type / Verdict

C:\Users\kEecfMwgj\Desktop\Ref19920830281982938RT.xls  Sample File  Excel Document
Verdict Malicious
MIME Type application/vnd.ms-excel
File Size 280.00 KB
MD5 3b3fd4cc980ded0d950e9d29fcbdced3
SHA1 cd9e1f250a9ae599fa34ddebe6470845f84cd725
SHA256 f321f4d45eeffbbacdb7f397f03f56271d9559a627944eadc84f94cdd6ed91dd
SSDeep 6144:kqFzL5LIT47HzV2TxSihXVY5TXIuzONa0j:kqFzu4LzWxSeVmFON
ImpHash -
Password VelvetSweatshop
Static Analysis Parser Error OLEStream_Embed Moniker Size is invalid (out-of-bounds)
Office Information
Create Time 2006-09-16 02:00 (UTC+2)
Modify Time 2024-06-05 10:05 (UTC+2)
Codepage ANSI_Latin1
Application Microsoft Excel
App Version 12.0
Document Security SECURITY_PASSWORD
Worksheets 3
Titles Of Parts Sheet1, Sheet2, Sheet3
scale_crop False
shared_doc False
Controls (3)
CLSID Control Name Associated Vulnerability
{00000300-0000-0000-C000-000000000046} OleLink CVE-2017-0199, CVE-2017-8570, CVE-2017-8759, CVE-2018-8174
{00020820-0000-0000-C000-000000000046} Excel97Sheet -
{00020830-0000-0000-C000-000000000046} ExcelSheet -
CFB Streams (15)
Name ID Size Actions
Root\Workbook 1 159.48 KB
Root\MBD000B2941\Package 5 104.31 KB
Root\MBD000B2941\CompObj 6 99 Bytes
Root\MBD000B2942\Ole 7 520 Bytes
Root\_VBA_PROJECT_CUR\VBA\ThisWorkbook 9 985 Bytes
Root\_VBA_PROJECT_CUR\VBA\Sheet1 10 977 Bytes
Root\_VBA_PROJECT_CUR\VBA\Sheet2 11 977 Bytes
Root\_VBA_PROJECT_CUR\VBA\Sheet3 12 977 Bytes
Root\_VBA_PROJECT_CUR\VBA\_VBA_PROJECT 13 2.58 KB
Root\_VBA_PROJECT_CUR\VBA\dir 14 553 Bytes
Root\_VBA_PROJECT_CUR\PROJECTwm 15 104 Bytes
Root\_VBA_PROJECT_CUR\PROJECT 16 535 Bytes
Root\SummaryInformation 17 200 Bytes
Root\DocumentSummaryInformation 18 244 Bytes
Root\CompObj 19 114 Bytes
Extracted URLs (1)
URL / WHOIS Data / Reputation Status / Recursively Submitted
WHOIS Data: Not Available
71e18066cffe89fa4f942989b66609c0cfe9c73c14f62a8d18d0903084cc4cbe  Downloaded File  RTF
Verdict Malicious
MIME Type text/rtf
File Size 82.26 KB
MD5 077e4cfa6534a69f9e8de8e5b83ba08c
SHA1 c9aa1362b49eddcbea833182b1888b201403de21
SHA256 71e18066cffe89fa4f942989b66609c0cfe9c73c14f62a8d18d0903084cc4cbe
SSDeep 1536:qECEfE2jigJQz4MbBXQB+6nM/EA150b+mnQUcC8tAT47MJr:qEC0E2jigJQz4Sd6Mf150bDQUcbtAT48
ImpHash -
Static Analysis Parser Errors
  • OLEStream_Native header size does not match stream size
  • invalid RTF control version detected
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
Office Information
Controls (1)
CLSID Control Name Associated Vulnerability
{0002CE02-0000-0000-C000-000000000046} Equation2 CVE-2017-11882
Document Content Snippet
YARA Matches (1)
Rule Name / Rule Description / Classification / Score
RTF_Header_obfuscation  Malformed RTF header; commonly used to confuse analyzers  Classification: -  Score: 4/5
C:\Users\kEecfMwgj\AppData\Local\Temp\note\nots.dat  Dropped File  Stream
Verdict Clean
MIME Type application/octet-stream
File Size 52.18 KB
MD5 a39139a7499e5b243888c5d4d21c1b63
SHA1 1a60d5cc80cdacfebed07d6a532c0bc43e78c994
SHA256 c1068965b42df11fe8bd8125f08c7d23bfa2d6e015ef09c76bebceabe9d967ab
SSDeep 192:89vNvNvHvv3vNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNvNR:IhAAAAAAAAAA6AAAAAAACCCCCIII5
ImpHash -
369804801bdf0184bf91899d6952ac3158287761ba79e58bda9aa9358475c597  Downloaded File  Text
Verdict Clean
MIME Type text/plain
File Size 644.00 KB
MD5 a86c7729d5de638d1f0a357719a34799
SHA1 2ad40b0c3ecee35aa40847cc34395e069adc46fc
SHA256 369804801bdf0184bf91899d6952ac3158287761ba79e58bda9aa9358475c597
SSDeep 12288:aSfULWw+8Uizqo36P+F9QFojBXC2slenIFHrg+j3VSW:/0lRzqoKP3ojBXC2ienIFLNjlZ
ImpHash -
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
C:\Users\kEecfMwgj\AppData\Roaming\lionsarebeautifulcomparewithothermeeg.vbs  Downloaded File  Text
Verdict Clean
Also Known As c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\lionsarebeautifulcomparewithothers[1].bmp (Downloaded File, Extracted File)
MIME Type text/plain
File Size 150.47 KB
MD5 09bd8c79fcd115a55db9376fef4f9787
SHA1 591c21bf215487fa05e7b4f70f97c05605968467
SHA256 4a6ca36988e3bf6536a057d75562ca0b506b5776b7d76b9ffd3ade25766c1c4f
SSDeep 1536:e6+W2eTb7CuBd99CObSbyDcLONaJK6AEGVhiW0/5JRh4vcFIg0BjbUZlu9gISsRb:DBduxJK6R/gcOg0Bjc8
ImpHash -
c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\mm5o9xqs\eznju[1].txt  Downloaded File  Text
Verdict Clean
MIME Type text/plain
File Size 12.76 KB
MD5 bf8db4c93e1fe2d2579551b96b5c941c
SHA1 e2d12a75729718562db666eb546be38df23952c3
SHA256 0dd73b0b2da74b082cf44a0fa832c11f7f01e27a44e550492e380d17158168de
SSDeep 384:99IXllVwMqrqzZTQkfod+m0yGHyC3LbxWH+muRUjVpPgRRVNBbN00e:QVlIcZTfogPyGSC3LbxlNmVWfg
ImpHash -
c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\pmmr5k9k\json[1].gp  Downloaded File  Unknown
Verdict Clean
MIME Type application/json
File Size 952 Bytes
MD5 420be96239ddb23b0483a2b2819aac96
SHA1 ec2ca1fb0183a09d021efb543b8105abb9aa35e1
SHA256 1d179c5597e61abbe8098aed1b3d10ad6ef150de4b04afdf941e65031bffa722
SSDeep 12:tkpAKnd6CsGkMyGWKyGXPVGArwY31JWvAadHfGdA2mOEmE9F3im51w73G9VkGF61:qWGdRNuKyGX85+PEg6m73IVkV+If/n
ImpHash -
e8b101a7c7f64aad528cc734513cbeb02243c0af37930dc0f3239749cff184b6  Downloaded File  HTML
Verdict Clean
MIME Type text/html
File Size 795 Bytes
MD5 5d8d79c3cb9af023240b1be6f5057aaa
SHA1 df22980677b134e83d878893f7c7984e0d78a240
SHA256 e8b101a7c7f64aad528cc734513cbeb02243c0af37930dc0f3239749cff184b6
SSDeep 24:hYYIzDI8JRA3ZsjNQCRtgoLY95MI5634Vsk:rqPj2CZLY5Mm63E
ImpHash -
8ac25f213eccd720b81a4e672ea721579059824073416a00b20a8193aa8cf37c  Extracted File  Excel Document
Verdict Clean
Parent File C:\Users\kEecfMwgj\Desktop\Ref19920830281982938RT.xls
MIME Type application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File Size 104.31 KB
MD5 7fbf8049e7396cd8d268dacc7c446433
SHA1 5a27b10ed77f260418696f2504feb49778486a99
SHA256 8ac25f213eccd720b81a4e672ea721579059824073416a00b20a8193aa8cf37c
SSDeep 1536:F/dyeIsVJgZAelRqmWCBUU8IY+Bpedfb4Y08cOh9IkhQgS932IRTZ:FV6sVJqFlRLWkUUjLIfb47HnJgYVRN
ImpHash -
Office Information
Create Time 2006-09-26 11:04 (UTC+2)
Modify Time 2024-06-05 10:04 (UTC+2)
Application Microsoft Excel
App Version 12.0000
Document Security NONE
Worksheets 1
Titles Of Parts WC KAĞIT TEKLİF
ScaleCrop False
SharedDoc False
Controls (1)
CLSID Control Name Associated Vulnerability
{B801CA65-A1FC-11D0-85AD-444553540000} AdobeAcrobat -
oleObject1.bin  Extracted File  OLE Compound
Verdict Clean
Parent File 8ac25f213eccd720b81a4e672ea721579059824073416a00b20a8193aa8cf37c
MIME Type application/CDFV2
File Size 23.00 KB
MD5 cdfb6e5174dd5bcb54d42753ca5e3514
SHA1 6293ce2d92ffcbaa3cad729c505764721cc9889c
SHA256 f8daef44029496bfd8fd2bbcd97497cd7d42afbbfa73796112cc9af9fd95fc13
SSDeep 384:CXRLkfv7c6gspL3fGYj/sYCY31VAx6zfMWrx2elKU7Ro:CZkbzpLOS/su3BjXrxb7
ImpHash -
Office Information
Controls (1)
CLSID Control Name Associated Vulnerability
{B801CA65-A1FC-11D0-85AD-444553540000} AdobeAcrobat -
CFB Streams (3)
Name ID Size Actions
Root\Ole 1 119 Bytes
Root\CompObj 2 94 Bytes
Root\CONTENTS 3 20.41 KB
9ce3a276b4865fc9163188189e78dfccba028957ad01322e0798a0f9b0d9bbab  Extracted File  PDF
Verdict Clean
Parent File 8ac25f213eccd720b81a4e672ea721579059824073416a00b20a8193aa8cf37c
MIME Type application/pdf
File Size 20.41 KB
MD5 49ff21c24dc552831bc09d9517cbdeb0
SHA1 89d3640745fcf685f5bd2d8cc55539682044c327
SHA256 9ce3a276b4865fc9163188189e78dfccba028957ad01322e0798a0f9b0d9bbab
SSDeep 384:SRLkfv7c6gspL3fGYj/sYCY31VAx6zfMWrx2elKU7Roy:ykbzpLOS/su3BjXrxb7X
ImpHash -
Static Analysis Parser Error cannot extract image: XForm objects are unsupported
PDF Information
Title -
Subject -
Author -
Creator -
Keywords -
Producer 3.0.4 (5.0.8)
Page Count 1
Encrypted False
Create Time -
Modify Time 2023-09-22 05:22 (UTC+2)
Extracted Images (1)
Hash Page Indices Size Format Actions
3846c6cdcdeb2669eff94ce92388332c42abf2f615c418126776c7b3598e5200 0 125405 PNG
object_1  Extracted File  OLE Compound
Verdict Clean
Parent File 71e18066cffe89fa4f942989b66609c0cfe9c73c14f62a8d18d0903084cc4cbe
MIME Type application/CDFV2
File Size 4.00 KB
MD5 422488a73c3b95cd5433b4427a57bde5
SHA1 ad08e3e3c28dc06ec2241bf89906e0c067d75e1b
SHA256 9b1eb6c58c6f7de6cdc691d8e51e566cad1efc6a3a250ca13ef5d9456867dfd7
SSDeep 48:rXWH1SoSxJpOhhvxPZk9YJXf4w8fgROQgyn8ly/3JTOcdu:rWkxJpOhhpxgYjCuOQgA8If0cd
ImpHash -
Static Analysis Parser Error OLEStream_Native header size does not match stream size
Office Information
Controls (1)
CLSID Control Name Associated Vulnerability
{0002CE02-0000-0000-C000-000000000046} Equation2 CVE-2017-11882
CFB Streams (1)
Name ID Size Actions
Root\oLe10nATIVE 1 1.83 KB
0.EMF  Extracted File  Stream
Verdict Clean
Parent File C:\Users\kEecfMwgj\Desktop\Ref19920830281982938RT.xls
MIME Type application/octet-stream
File Size 1.73 MB
MD5 598369b65106f6af02716e3ad8eed202
SHA1 ca2846435855182b50aa49967e5f75243cc5813a
SHA256 ae57952fb58e3b2550a28f9077bcf134b36932f374701604eb1cc5527943da21
SSDeep 3072:ok1Diuo/yiO9r5e+8J2dvRRvMdkVux/ZiOE85e+8J2dvRcvMyO:x1DiuKO9l8J0FVuGOE68J0F
ImpHash -
a782691acce153a1f94d7fb4189e4a41e095e2ec2db8a7eb7c1dc21aeff03675  Extracted File  Stream
Verdict Clean
Parent File 71e18066cffe89fa4f942989b66609c0cfe9c73c14f62a8d18d0903084cc4cbe
MIME Type application/octet-stream
File Size 1.83 KB
MD5 e37df7411e376499f89b98296ea80887
SHA1 fbe0825939f16d52e13e5a6c9bab7250b4211f86
SHA256 a782691acce153a1f94d7fb4189e4a41e095e2ec2db8a7eb7c1dc21aeff03675
SSDeep 48:LoSxJpOhhvxPZk9YJXf4w8fgROQgyn8ly/3JTOcduG:LxJpOhhpxgYjCuOQgA8If0cdV
ImpHash -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.