Malicious
Malicious
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
8bf7c0b458ada14ffdd73e91eecefc68
Sha1
d82cf05c42d942d4f4bf0f5e4292563e83b97cf5
Sha256
e2822abbdcd990bd187506aba7f44d2b5f0c28e526f12baa1fddfdcdeecf19b4
Sha384
597757b4c8e666a9a3596428e147dccae22e2576a6c88d62bec365a9a71395fb9bcf9682e08866f8b56ce39574c1c74e
Sha512
1e61442ecca0828154116d3ff8de163c4aa207d873dac7cc6891462ea85a302be1049722357855d0e8b0749f6ab275bf37407f26f2aa84f8a954464bf5ce0c29
SSDeep
196608:WLC09WVMQhvM/xkBejoS7lYW8f+OVA6VxU+1DZOMqVn:W208/mSMjov9LVW+1DZOMK
TLSH
9E8623237FE1CD35C1282E3D5CF683277A36BF510D2915023FA51E6A8A36A94FE512C6

PeID

BobSoft Mini Delphi -> BoB / BobSoft
Borland Delphi 4.0
Borland Delphi v3.0
Borland Delphi v6.0 - v7.0
Borland Delphi v6.0 - v7.0
D1S1G v1.1 beta --> D1N
D1S1G v1.1 beta --> D1N
Microsoft Visual C++ v6.0 DLL
Pe123 v2006.4.4-4.12
File Structure
8bf7c0b458ada14ffdd73e91eecefc68
Malicious
[Repaired @0x007A0DDC]
Malicious
[Content_Types].xml
_rels
.rels
xl
_rels
workbook.xml.rels
workbook.xml
vbaProject.bin
Root Entry
PROJECT
PROJECTwm
VBA
dir
__SRP_0
__SRP_1
__SRP_2
__SRP_3
ThisWorkbook
[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
_VBA_PROJECT
theme
theme1.xml
styles.xml
worksheets
sheet1.xml
docProps
core.xml
app.xml
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.tls
.rdata
.reloc
.rsrc
Resources
RT_ICON
ID:0001
ID:0
ID:1055
RT_STRING
ID:0FE9
ID:0
ID:0FEA
ID:0
ID:0FEB
ID:0
ID:0FEC
ID:0
ID:0FED
ID:0
ID:0FEE
ID:0
ID:0FEF
ID:0
ID:0FF0
ID:0
ID:0FF1
ID:0
ID:0FF2
ID:0
ID:0FF3
ID:0
ID:0FF4
ID:0
ID:0FF5
ID:0
ID:0FF6
ID:0
ID:0FF7
ID:0
ID:0FF8
ID:0
ID:0FF9
ID:0
ID:0FFA
ID:0
ID:0FFB
ID:0
ID:0FFC
ID:0
ID:0FFD
ID:0
ID:0FFE
ID:0
ID:0FFF
ID:0
ID:1000
ID:0
RT_RCDATA
ID:0000
ID:0
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_ICON
ID:0001
ID:0
ID:0002
ID:0
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
ID:0006
ID:0
ID:0007
ID:0
RT_GROUP_CURSOR4
ID:0001
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
srkxtspkqnaez.Resources
Exodus.exe
after.exe
ID:1055
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.edata
.reloc
.rsrc
Resources
RT_RCDATA
ID:0000
ID:0
RT_GROUP_CURSOR4
ID:0000
ID:1055
RT_VERSION
ID:0001
ID:2052
Artefacts
Name
 Value
URLs in VB Code - #1

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
URLs in VB Code - #2

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
URLs in VB Code - #1

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
URLs in VB Code - #2

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
8bf7c0b458ada14ffdd73e91eecefc68 (8.02 MB)
File Structure
8bf7c0b458ada14ffdd73e91eecefc68
Malicious
[Repaired @0x007A0DDC]
Malicious
[Content_Types].xml
_rels
.rels
xl
_rels
workbook.xml.rels
workbook.xml
vbaProject.bin
Root Entry
PROJECT
PROJECTwm
VBA
dir
__SRP_0
__SRP_1
__SRP_2
__SRP_3
ThisWorkbook
[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
_VBA_PROJECT
theme
theme1.xml
styles.xml
worksheets
sheet1.xml
docProps
core.xml
app.xml
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.tls
.rdata
.reloc
.rsrc
Resources
RT_ICON
ID:0001
ID:0
ID:1055
RT_STRING
ID:0FE9
ID:0
ID:0FEA
ID:0
ID:0FEB
ID:0
ID:0FEC
ID:0
ID:0FED
ID:0
ID:0FEE
ID:0
ID:0FEF
ID:0
ID:0FF0
ID:0
ID:0FF1
ID:0
ID:0FF2
ID:0
ID:0FF3
ID:0
ID:0FF4
ID:0
ID:0FF5
ID:0
ID:0FF6
ID:0
ID:0FF7
ID:0
ID:0FF8
ID:0
ID:0FF9
ID:0
ID:0FFA
ID:0
ID:0FFB
ID:0
ID:0FFC
ID:0
ID:0FFD
ID:0
ID:0FFE
ID:0
ID:0FFF
ID:0
ID:1000
ID:0
RT_RCDATA
ID:0000
ID:0
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_ICON
ID:0001
ID:0
ID:0002
ID:0
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
ID:0006
ID:0
ID:0007
ID:0
RT_GROUP_CURSOR4
ID:0001
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
srkxtspkqnaez.Resources
Exodus.exe
after.exe
ID:1055
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.edata
.reloc
.rsrc
Resources
RT_RCDATA
ID:0000
ID:0
RT_GROUP_CURSOR4
ID:0000
ID:1055
RT_VERSION
ID:0001
ID:2052
Characteristics

vbaDNA - VBA Stomping & Purging Stategy detection

Module Name
ThisWorkbook
Blacklist VBA
VBA Macro
No malware configuration were found at this point.
Artefacts
Name
 Value Location
URLs in VB Code - #1

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

8bf7c0b458ada14ffdd73e91eecefc68 > [Repaired @0x007A0DDC] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Stored VBA]
URLs in VB Code - #2

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

8bf7c0b458ada14ffdd73e91eecefc68 > [Repaired @0x007A0DDC] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Stored VBA]
URLs in VB Code - #1

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

8bf7c0b458ada14ffdd73e91eecefc68 > [Repaired @0x007A0DDC] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Decompiled VBA]
URLs in VB Code - #2

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

8bf7c0b458ada14ffdd73e91eecefc68 > [Repaired @0x007A0DDC] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Decompiled VBA]
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙