Excel File Drops Malicious Payload (2018-02-13) | IOCs
IOC Information
File Count 5
Registry Count 14
Mutex Count 1
URL Count 1
IP Count 1
Indicators
File (5)

Filename: C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data
Normalized Filename: c:\users\kft6utqw\appdata\local\google\chrome\user data\default\login data
Operations: Access, Read
Hash Values: -

Filename: C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe
Normalized Filename: c:\users\kft6utqw\appdata\local\temp\heidi.exe
Operations: Access
MD5: a6a97f17880e37067c822e14a75bb3af
SHA1: 1aab183abb65685af92b201a2e47ba3d9ce0856e
SHA256: b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac

Filename: C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.exe
Normalized Filename: c:\users\kft6utqw\appdata\roaming\98e541\12eef2.exe
Operations: Access
MD5: a6a97f17880e37067c822e14a75bb3af
SHA1: 1aab183abb65685af92b201a2e47ba3d9ce0856e
SHA256: b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac

Filename: C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.hdb
Normalized Filename: c:\users\kft6utqw\appdata\roaming\98e541\12eef2.hdb
Operations: Access, Write
MD5: aced026ed487b5cbb298f9ab09e6f1c1
SHA1: 1ceff0fbc90b0f2c6fab37bcde68f2a9170a7cf8
SHA256: c22bcce160e0645d030b554a30a0671bc2b2f30b1654dcd4111d871bb9c8e6bf

Filename: C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.lck
Normalized Filename: c:\users\kft6utqw\appdata\roaming\98e541\12eef2.lck
Operations: Access
Hash Values: -
Registry (14)
Registry Key Name Operations
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Access
HKEY_CURRENT_USER\Software\Borland\Locales Access
HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete Access
HKEY_CURRENT_USER\������Д�������ќ��Ћ���Я����Й���Й��я�� Write
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari Read
HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup Read
HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock Read
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox Read
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main Read
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey Read
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey Read
HKEY_LOCAL_MACHINE\Software\Borland\Locales Access
Mutex (1)
Mutex Name Operations
73EE9CC98E5412EEF2B9A336 Access
URL (1)
URL Operations
kdotraky.com/temp/Panel/five/fre.php POST
IP (1)
IP Protocols
101.99.75.184 HTTP, DNS, TCP