Malicious
899931bae53a4e675909ca04bebd54e3
PE Executable | MD5: 899931bae53a4e675909ca04bebd54e3 | Size: 1.18 MB | application/x-msdownload
PE Executable
MD5: 899931bae53a4e675909ca04bebd54e3
Size: 1.18 MB
application/x-msdownload
Office Document
Corrupted
Executable
PE (Portable Executable)
Win 32 Exe
x86
Blacklist VBA
PDB Path
scripting.filesystemobject
WScript.Shell
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5
ADODB.Stream
General
Structural Analysis
Config.0
Yara Rules99+
Sync
Community
Infection Chain
Summary by MalvaGPT
Characteristics
|
Hash | Hash Value |
|---|---|
| MD5 | 899931bae53a4e675909ca04bebd54e3
|
| Sha1 | 61b00e55b05096b1358b046b8f4c8c4d40094d94
|
| Sha256 | ce2d316eb56e9ba86761ff9a52ae454eacf62af3d12dbe3cde9a251181480f8b
|
| Sha384 | c5d4c85b3eb44f259544ed29ee20aadcea4b3f1489237b59a0248594435d1e0ec2faa7e3ffa61f070cc0fe2a3553baf5
|
| Sha512 | 9b2fb6db52c28ad2a468fc11b6dda463aed21cf459e560efb6a90fea7da9017e95f88d8d7fb2194b60425519561fa599f0c8d6bdad05b2943fe105f3c546143f
|
| SSDeep | 24576:9nsJ39LyjbJkQFMhmC+6GD9rPAlJx8Eporf:9nsHyjtk2MYC5GD9MCEOrf
|
| TLSH | 2D459E22B6D18033D1732A388D7BE3A5483EBE512D34A94F37E81E5C5F3968179253A7
|
PeID
BobSoft Mini Delphi -> BoB / BobSoft
Borland Delphi 4.0
Borland Delphi v3.0
Borland Delphi v6.0 - v7.0
Borland Delphi v6.0 - v7.0
D1S1G v1.1 beta --> D1N
D1S1G v1.1 beta --> D1N
MASM/TASM - sig4 (h)
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ v6.0 DLL
Pe123 v2006.4.4-4.12
File Structure
899931bae53a4e675909ca04bebd54e3
Office Document
Corrupted
Executable
PE (Portable Executable)
Win 32 Exe
x86
Blacklist VBA
PDB Path
scripting.filesystemobject
WScript.Shell
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5
ADODB.Stream
Malicious
[Repaired @0x0011B4B8]
Office Document
Corrupted
Blacklist VBA
scripting.filesystemobject
WScript.Shell
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5
ADODB.Stream
Malicious
[Content_Types].xml
Xml
_rels
.rels
Xml
xl
_rels
workbook.xml.rels
Xml
workbook.xml
Xml
vbaProject.bin
Office Document
Root Entry
PROJECT
PROJECTwm
VBA
dir
__SRP_0
__SRP_1
__SRP_2
__SRP_3
ThisWorkbook
Blacklist VBA
VBA Macro
[Stored VBA]
Blacklist VBA
VBA Macro
Visual Basic
scripting.filesystemobject
WScript.Shell
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5
ADODB.Stream
VBScript
Malicious
[PCode]
Blacklist VBA
VBA Macro
VBA P-Code
Disassembly
[Decompiled VBA]
Blacklist VBA
VBA Macro
Visual Basic
Decompiled
scripting.filesystemobject
WScript.Shell
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5
ADODB.Stream
VBScript
Malicious
_VBA_PROJECT
theme
theme1.xml
Xml
styles.xml
Xml
worksheets
sheet1.xml
Xml
docProps
core.xml
Xml
app.xml
Xml
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.tls
.rdata
.reloc
.rsrc
Resources
RT_CURSOR
ID:0001
ID:0
ID:0002
ID:0
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
ID:0006
ID:0
ID:0007
ID:0
RT_BITMAP
ID:0000
ID:0
RT_ICON
ID:0001
ID:1055
ID:0002
ID:1055
ID:1055-preview.png
RT_DIALOG
ID:0000
ID:0
RT_STRING
ID:0FE9
ID:0
ID:0FEA
ID:0
ID:0FEB
ID:0
ID:0FEC
ID:0
ID:0FED
ID:0
ID:0FEE
ID:0
ID:0FEF
ID:0
ID:0FF0
ID:0
ID:0FF1
ID:0
ID:0FF2
ID:0
ID:0FF3
ID:0
ID:0FF4
ID:0
ID:0FF5
ID:0
ID:0FF6
ID:0
ID:0FF7
ID:0
ID:0FF8
ID:0
ID:0FF9
ID:0
ID:0FFA
ID:0
ID:0FFB
ID:0
ID:0FFC
ID:0
ID:0FFD
ID:0
ID:0FFE
ID:0
ID:0FFF
ID:0
ID:1000
ID:0
RT_RCDATA
ID:0000
ID:0
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.rsrc
.reloc
Resources
RT_DIALOG
ID:0000
ID:1033
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
ID:1055
Office Document
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.edata
.reloc
.rsrc
Resources
RT_RCDATA
ID:0000
ID:0
RT_GROUP_CURSOR2
ID:7FF9
ID:0
ID:7FFA
ID:0
ID:7FFB
ID:0
ID:7FFC
ID:0
ID:7FFD
ID:0
ID:7FFE
ID:0
ID:7FFF
ID:0
RT_GROUP_CURSOR4
ID:0000
ID:1055
RT_VERSION
ID:0001
ID:1055
Artefacts
|
Name0 | Value |
|---|---|
| PDB Path | C:\agent\_work\88\s\Win32\Release\Autologon.pdb |
| URLs in VB Code - #1 | https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download |
| URLs in VB Code - #2 | https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 |
| URLs in VB Code - #1 | https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download |
| URLs in VB Code - #2 | https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 |
899931bae53a4e675909ca04bebd54e3 (1.18 MB)
File Structure
899931bae53a4e675909ca04bebd54e3
Office Document
Corrupted
Executable
PE (Portable Executable)
Win 32 Exe
x86
Blacklist VBA
PDB Path
scripting.filesystemobject
WScript.Shell
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5
ADODB.Stream
Malicious
[Repaired @0x0011B4B8]
Office Document
Corrupted
Blacklist VBA
scripting.filesystemobject
WScript.Shell
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5
ADODB.Stream
Malicious
[Content_Types].xml
Xml
_rels
.rels
Xml
xl
_rels
workbook.xml.rels
Xml
workbook.xml
Xml
vbaProject.bin
Office Document
Root Entry
PROJECT
PROJECTwm
VBA
dir
__SRP_0
__SRP_1
__SRP_2
__SRP_3
ThisWorkbook
Blacklist VBA
VBA Macro
[Stored VBA]
Blacklist VBA
VBA Macro
Visual Basic
scripting.filesystemobject
WScript.Shell
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5
ADODB.Stream
VBScript
Malicious
[PCode]
Blacklist VBA
VBA Macro
VBA P-Code
Disassembly
[Decompiled VBA]
Blacklist VBA
VBA Macro
Visual Basic
Decompiled
scripting.filesystemobject
WScript.Shell
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5
ADODB.Stream
VBScript
Malicious
_VBA_PROJECT
theme
theme1.xml
Xml
styles.xml
Xml
worksheets
sheet1.xml
Xml
docProps
core.xml
Xml
app.xml
Xml
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.tls
.rdata
.reloc
.rsrc
Resources
RT_CURSOR
ID:0001
ID:0
ID:0002
ID:0
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
ID:0006
ID:0
ID:0007
ID:0
RT_BITMAP
ID:0000
ID:0
RT_ICON
ID:0001
ID:1055
ID:0002
ID:1055
ID:1055-preview.png
RT_DIALOG
ID:0000
ID:0
RT_STRING
ID:0FE9
ID:0
ID:0FEA
ID:0
ID:0FEB
ID:0
ID:0FEC
ID:0
ID:0FED
ID:0
ID:0FEE
ID:0
ID:0FEF
ID:0
ID:0FF0
ID:0
ID:0FF1
ID:0
ID:0FF2
ID:0
ID:0FF3
ID:0
ID:0FF4
ID:0
ID:0FF5
ID:0
ID:0FF6
ID:0
ID:0FF7
ID:0
ID:0FF8
ID:0
ID:0FF9
ID:0
ID:0FFA
ID:0
ID:0FFB
ID:0
ID:0FFC
ID:0
ID:0FFD
ID:0
ID:0FFE
ID:0
ID:0FFF
ID:0
ID:1000
ID:0
RT_RCDATA
ID:0000
ID:0
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.rsrc
.reloc
Resources
RT_DIALOG
ID:0000
ID:1033
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
ID:1055
Office Document
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.edata
.reloc
.rsrc
Resources
RT_RCDATA
ID:0000
ID:0
RT_GROUP_CURSOR2
ID:7FF9
ID:0
ID:7FFA
ID:0
ID:7FFB
ID:0
ID:7FFC
ID:0
ID:7FFD
ID:0
ID:7FFE
ID:0
ID:7FFF
ID:0
RT_GROUP_CURSOR4
ID:0000
ID:1055
RT_VERSION
ID:0001
ID:1055
Characteristics
vbaDNA - VBA Stomping & Purging Stategy detection
|
Module Name0 | ||
|---|---|---|
| ThisWorkbook | Blacklist VBA VBA Macro |
|
No malware configuration were found at this point.
Artefacts
|
Name0 | Value | Location |
|---|---|---|
| PDB Path | C:\agent\_work\88\s\Win32\Release\Autologon.pdb |
899931bae53a4e675909ca04bebd54e3 > Resources > RT_RCDATA > ID:0000 > ID:0 |
| URLs in VB Code - #1 | https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download |
899931bae53a4e675909ca04bebd54e3 > [Repaired @0x0011B4B8] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Stored VBA] |
| URLs in VB Code - #2 | https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 |
899931bae53a4e675909ca04bebd54e3 > [Repaired @0x0011B4B8] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Stored VBA] |
| URLs in VB Code - #1 | https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download |
899931bae53a4e675909ca04bebd54e3 > [Repaired @0x0011B4B8] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Decompiled VBA] |
| URLs in VB Code - #2 | https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 |
899931bae53a4e675909ca04bebd54e3 > [Repaired @0x0011B4B8] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Decompiled VBA] |
You must be signed in to post a comment.
You need a premium account to access this feature.
You must be signed in to post a comment.