analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Calculation-1327960979-10162020.xlsb

Full analysis: https://app.any.run/tasks/20841b01-4e3a-4563-9295-0a0206068d0c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 20, 2020, 04:50:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
qbot
maldoc-42
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

3F22DE91BE8869F0BC70CF33B3EA20FB

SHA1:

1B56CD760E3A2F51A16E61834E2AAC46EBFE7A37

SHA256:

497D521DA6B747935DF23F6EE343CA07632D659908C306299DEAE71A4B8AE999

SSDEEP:

384:ZiMQ8aoVT0QNuzWKPOzxrni2IxSTzUoJQKo42aGcj9XqWiX1d:BfW+u7OWKQK0aGc1kXv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • nosto.exe (PID: 3476)
      • nosto.exe (PID: 3348)
      • ytfovlym.exe (PID: 3408)
      • ytfovlym.exe (PID: 1844)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2312)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2312)
    • QBOT was detected

      • nosto.exe (PID: 3476)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2456)
  • SUSPICIOUS

    • Application launched itself

      • nosto.exe (PID: 3476)
      • ytfovlym.exe (PID: 1844)
    • Creates files in the user directory

      • nosto.exe (PID: 3476)
    • Starts itself from another location

      • nosto.exe (PID: 3476)
    • Executable content was dropped or overwritten

      • nosto.exe (PID: 3476)
      • cmd.exe (PID: 2456)
    • Starts CMD.EXE for commands execution

      • nosto.exe (PID: 3476)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2312)
    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2312)
    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 2456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x9f2bf8a2
ZipCompressedSize: 514
ZipUncompressedSize: 2406
ZipFileName: [Content_Types].xml

XML

Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Листы
  • 4
  • Макросы Excel 4.0
  • 1
TitlesOfParts:
  • DocuSign®
  • Лист1
  • Лист2
  • Лист3
  • Лист4
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14.03
LastModifiedBy: Пользователь Windows
CreateDate: 2006:09:16 00:00:00Z
ModifyDate: 2020:10:19 10:13:38Z

XMP

Creator: Admin
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start excel.exe #QBOT nosto.exe nosto.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2312"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3476"C:\Hromo\Nivadalo\nosto.exe" C:\Hromo\Nivadalo\nosto.exe
EXCEL.EXE
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3348C:\Hromo\Nivadalo\nosto.exe /CC:\Hromo\Nivadalo\nosto.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
1844C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2456"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe"C:\Windows\System32\cmd.exe
nosto.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2896ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3408C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3604C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
681
Read events
623
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
2
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
2312EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR4115.tmp.cvr
MD5:
SHA256:
3476nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbs
MD5:373995DF5564278778196E45A06D5DC3
SHA256:B3E911AFA839DC0EEB24BE60B4FA94BAC19C58D40D2C7B5BB20120FD18D79198
2312EXCEL.EXEC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:D6B7264971CCAC089AC12B5065002C89
SHA256:73C162B12FFE77DF91CC648B204ABE81B764561A0CA05D88EB7A5A008F179BE5
3476nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:D6B7264971CCAC089AC12B5065002C89
SHA256:73C162B12FFE77DF91CC648B204ABE81B764561A0CA05D88EB7A5A008F179BE5
2312EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].pngexecutable
MD5:D6B7264971CCAC089AC12B5065002C89
SHA256:73C162B12FFE77DF91CC648B204ABE81B764561A0CA05D88EB7A5A008F179BE5
3604explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:A0EB87A38B2D8823D3C074575A9FF84A
SHA256:A0F5675320F44E6012F948C62E32B4E6F32610F5D23A06CF0D1A3856246B0C44
2456cmd.exeC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2312
EXCEL.EXE
GET
200
183.181.83.123:80
http://home-delivery-cleaning.net/ecbmuibsl/3415201.png
JP
executable
1.02 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2312
EXCEL.EXE
183.181.83.123:80
home-delivery-cleaning.net
SAKURA Internet Inc.
JP
malicious

DNS requests

Domain
IP
Reputation
home-delivery-cleaning.net
  • 183.181.83.123
malicious

Threats

PID
Process
Class
Message
2312
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2312
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2312
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2312
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
2312
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
2312
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info