analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Calculation-1310655331-10162020.xlsb

Full analysis: https://app.any.run/tasks/d8116cba-2e4a-4259-8ab1-5b0ca8b00e57
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 00:30:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
qbot
maldoc-42
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

AB59C134EC893CDE2E3CFE62EB1796EC

SHA1:

C1EE4BE6D5811170013C74937EBA66B61F02716B

SHA256:

367C871EDB4AE327C10844E5008B85F551327D05E6DD5CC72342F9DDE9BFF060

SSDEEP:

384:fiMQ8aoVT0QNuzWKPOzxrni2IxSTzUoJQsORa2aGcjmWiX10vK:vfW+u7OWKQsORHaGckXavK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • nosto.exe (PID: 800)
      • nosto.exe (PID: 3288)
      • ytfovlym.exe (PID: 3928)
      • ytfovlym.exe (PID: 2772)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 544)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 544)

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 544)

    • Downloads executable files with a strange extension

      • EXCEL.EXE (PID: 544)

    • QBOT was detected

      • nosto.exe (PID: 800)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3616)

  • SUSPICIOUS

    • Application launched itself

      • nosto.exe (PID: 800)
      • ytfovlym.exe (PID: 3928)

    • Creates files in the user directory

      • nosto.exe (PID: 800)

    • Starts itself from another location

      • nosto.exe (PID: 800)

    • Executable content was dropped or overwritten

      • nosto.exe (PID: 800)
      • cmd.exe (PID: 3616)

    • Starts CMD.EXE for commands execution

      • nosto.exe (PID: 800)

  • INFO

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 544)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 544)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 3616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x9f2bf8a2
ZipCompressedSize: 514
ZipUncompressedSize: 2406
ZipFileName: [Content_Types].xml

XML

Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Листы
  • 4
  • Макросы Excel 4.0
  • 1
TitlesOfParts:
  • DocuSign®
  • Лист1
  • Лист2
  • Лист3
  • Лист4
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14.03
LastModifiedBy: Пользователь Windows
CreateDate: 2006:09:16 00:00:00Z
ModifyDate: 2020:10:19 10:14:31Z

XMP

Creator: Admin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start excel.exe #QBOT nosto.exe nosto.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
544"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
800"C:\Hromo\Nivadalo\nosto.exe" C:\Hromo\Nivadalo\nosto.exe
EXCEL.EXE
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3288C:\Hromo\Nivadalo\nosto.exe /CC:\Hromo\Nivadalo\nosto.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3928C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3616"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe"C:\Windows\System32\cmd.exe
nosto.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3212ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2772C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2012C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
676
Read events
618
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
544EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR3E49.tmp.cvr
MD5:
SHA256:
2012explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:8B3750EA12A5913CFA5F35A485C58B65
SHA256:DCABD72CF56B972CF21CCE6C1AE083D7354CB8809561672820201E7810FB2654
544EXCEL.EXEC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:353C34200A08A57AFE1A5F1D2542BC41
SHA256:407EC4794F860B8F1F0757087FC65254812C8A979EDD566B3956A2D8DA84A216
800nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:353C34200A08A57AFE1A5F1D2542BC41
SHA256:407EC4794F860B8F1F0757087FC65254812C8A979EDD566B3956A2D8DA84A216
544EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].pngexecutable
MD5:353C34200A08A57AFE1A5F1D2542BC41
SHA256:407EC4794F860B8F1F0757087FC65254812C8A979EDD566B3956A2D8DA84A216
800nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:7AAD717B64CEA9BFDE2C1F3149D55387
SHA256:370E302BA1B7ECD9FA01631299E9C5F682ACE3F576DE9A47383694460C3DE15B
3616cmd.exeC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
544
EXCEL.EXE
GET
200
192.185.91.48:80
http://citycarmen.com/lvhyf/3415201.png
US
executable
222 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
544
EXCEL.EXE
192.185.91.48:80
citycarmen.com
CyrusOne LLC
US
malicious

DNS requests

Domain
IP
Reputation
citycarmen.com
  • 192.185.91.48
whitelisted

Threats

PID
Process
Class
Message
544
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
544
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
544
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
544
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
544
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
544
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Calculation-1310655331-10162020.xlsb