Malicious
Malicious
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
cfb2f9ccd268bc1a7552712a6d2cd657
Sha1
0d04e5d9e213ca4436128fbcaf89a2e499c52d00
Sha256
6fe7c33b420058cd0260da2bf84c953fb4470395bdcc79aa29e1e359bfedbaac
Sha384
b1f652d49fdcf51fb94f0c9a469fedb60e8ec380b21abc611c03780cbb320eef6bbd33e077412df5fb539669d5b0ab85
Sha512
35e786f0b3442af2494495776343168079274af4279b64dc427d0cea4a5b68f68cc1d092bea1dae2a26426a3768d205785f4507a6931f57067a294c9019ff11c
SSDeep
12288:dMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Jcfg:dnsJ39LyjbJkQFMhmC+6GD9uo
TLSH
E1057D22B6D19537D2721A3D8C5B93A4582AFE952E34754A3BE83F4C4F3D38229172D3

PeID

BobSoft Mini Delphi -> BoB / BobSoft
Borland Delphi 4.0
Borland Delphi v3.0
Borland Delphi v6.0 - v7.0
Borland Delphi v6.0 - v7.0
D1S1G v1.1 beta --> D1N
D1S1G v1.1 beta --> D1N
Microsoft Visual C++ v6.0 DLL
Pe123 v2006.4.4-4.12
File Structure
cfb2f9ccd268bc1a7552712a6d2cd657
Malicious
[Repaired @0x000C5F94]
Malicious
[Content_Types].xml
_rels
.rels
xl
_rels
workbook.xml.rels
workbook.xml
vbaProject.bin
Root Entry
PROJECT
PROJECTwm
VBA
dir
__SRP_0
__SRP_1
__SRP_2
__SRP_3
ThisWorkbook
[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
_VBA_PROJECT
theme
theme1.xml
styles.xml
worksheets
sheet1.xml
docProps
core.xml
app.xml
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.tls
.rdata
.reloc
.rsrc
Resources
RT_ICON
ID:0001
ID:0
ID:1055
RT_STRING
ID:0FE9
ID:0
ID:0FEA
ID:0
ID:0FEB
ID:0
ID:0FEC
ID:0
ID:0FED
ID:0
ID:0FEE
ID:0
ID:0FEF
ID:0
ID:0FF0
ID:0
ID:0FF1
ID:0
ID:0FF2
ID:0
ID:0FF3
ID:0
ID:0FF4
ID:0
ID:0FF5
ID:0
ID:0FF6
ID:0
ID:0FF7
ID:0
ID:0FF8
ID:0
ID:0FF9
ID:0
ID:0FFA
ID:0
ID:0FFB
ID:0
ID:0FFC
ID:0
ID:0FFD
ID:0
ID:0FFE
ID:0
ID:0FFF
ID:0
ID:1000
ID:0
RT_RCDATA
ID:0000
ID:0
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_ICON
ID:0002
ID:0
RT_GROUP_CURSOR4
ID:7F00
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
御剑高速TCP全端口扫描工具.FormBin.resources
$this.Icon
[NBF]root.IconData
御剑高速TCP全端口扫描工具.Resources.resources
ID:1055
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.edata
.reloc
.rsrc
Resources
RT_RCDATA
ID:0000
ID:0
RT_GROUP_CURSOR4
ID:0000
ID:1055
Artefacts
Name
 Value
URLs in VB Code - #1

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
URLs in VB Code - #2

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
URLs in VB Code - #3

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
URLs in VB Code - #4

http://xred.site50.net/syn/SUpdate.ini
URLs in VB Code - #5

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
URLs in VB Code - #6

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
URLs in VB Code - #7

http://xred.site50.net/syn/Synaptics.rar
URLs in VB Code - #8

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
URLs in VB Code - #9

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
URLs in VB Code - #10

http://xred.site50.net/syn/SSLLibrary.dll
URLs in VB Code - #1

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
URLs in VB Code - #2

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
URLs in VB Code - #1

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
URLs in VB Code - #2

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
cfb2f9ccd268bc1a7552712a6d2cd657 (829.44 KB)
File Structure
cfb2f9ccd268bc1a7552712a6d2cd657
Malicious
[Repaired @0x000C5F94]
Malicious
[Content_Types].xml
_rels
.rels
xl
_rels
workbook.xml.rels
workbook.xml
vbaProject.bin
Root Entry
PROJECT
PROJECTwm
VBA
dir
__SRP_0
__SRP_1
__SRP_2
__SRP_3
ThisWorkbook
[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
_VBA_PROJECT
theme
theme1.xml
styles.xml
worksheets
sheet1.xml
docProps
core.xml
app.xml
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.tls
.rdata
.reloc
.rsrc
Resources
RT_ICON
ID:0001
ID:0
ID:1055
RT_STRING
ID:0FE9
ID:0
ID:0FEA
ID:0
ID:0FEB
ID:0
ID:0FEC
ID:0
ID:0FED
ID:0
ID:0FEE
ID:0
ID:0FEF
ID:0
ID:0FF0
ID:0
ID:0FF1
ID:0
ID:0FF2
ID:0
ID:0FF3
ID:0
ID:0FF4
ID:0
ID:0FF5
ID:0
ID:0FF6
ID:0
ID:0FF7
ID:0
ID:0FF8
ID:0
ID:0FF9
ID:0
ID:0FFA
ID:0
ID:0FFB
ID:0
ID:0FFC
ID:0
ID:0FFD
ID:0
ID:0FFE
ID:0
ID:0FFF
ID:0
ID:1000
ID:0
RT_RCDATA
ID:0000
ID:0
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_ICON
ID:0002
ID:0
RT_GROUP_CURSOR4
ID:7F00
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
御剑高速TCP全端口扫描工具.FormBin.resources
$this.Icon
[NBF]root.IconData
御剑高速TCP全端口扫描工具.Resources.resources
ID:1055
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
CODE
DATA
BSS
.idata
.edata
.reloc
.rsrc
Resources
RT_RCDATA
ID:0000
ID:0
RT_GROUP_CURSOR4
ID:0000
ID:1055
Characteristics

vbaDNA - VBA Stomping & Purging Stategy detection

Module Name
ThisWorkbook
Blacklist VBA
VBA Macro
No malware configuration were found at this point.
Artefacts
Name
 Value Location
URLs in VB Code - #1

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

cfb2f9ccd268bc1a7552712a6d2cd657
URLs in VB Code - #2

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

cfb2f9ccd268bc1a7552712a6d2cd657
URLs in VB Code - #3

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

cfb2f9ccd268bc1a7552712a6d2cd657
URLs in VB Code - #4

http://xred.site50.net/syn/SUpdate.ini

cfb2f9ccd268bc1a7552712a6d2cd657
URLs in VB Code - #5

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

cfb2f9ccd268bc1a7552712a6d2cd657
URLs in VB Code - #6

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

cfb2f9ccd268bc1a7552712a6d2cd657
URLs in VB Code - #7

http://xred.site50.net/syn/Synaptics.rar

cfb2f9ccd268bc1a7552712a6d2cd657
URLs in VB Code - #8

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

cfb2f9ccd268bc1a7552712a6d2cd657
URLs in VB Code - #9

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

cfb2f9ccd268bc1a7552712a6d2cd657
URLs in VB Code - #10

http://xred.site50.net/syn/SSLLibrary.dll

cfb2f9ccd268bc1a7552712a6d2cd657
URLs in VB Code - #1

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

cfb2f9ccd268bc1a7552712a6d2cd657 > [Repaired @0x000C5F94] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Stored VBA]
URLs in VB Code - #2

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

cfb2f9ccd268bc1a7552712a6d2cd657 > [Repaired @0x000C5F94] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Stored VBA]
URLs in VB Code - #1

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

cfb2f9ccd268bc1a7552712a6d2cd657 > [Repaired @0x000C5F94] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Decompiled VBA]
URLs in VB Code - #2

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

cfb2f9ccd268bc1a7552712a6d2cd657 > [Repaired @0x000C5F94] > xl > vbaProject.bin > Root Entry > VBA > ThisWorkbook > [Decompiled VBA]
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙