analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2205117369.xlsx

Full analysis: https://app.any.run/tasks/d866d672-8f96-49c9-bfbf-e72b4288dab2
Verdict: Malicious activity
Threats:

WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.

Malware Trends Tracker     >>>
Analysis date: May 20, 2022, 20:49:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
opendir
exploit
CVE-2017-11882
loader
trojan
stealer
rat
avemaria
warzone
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

071D4E7A0B843084C1C3951646DBA767

SHA1:

8B0A8BD1B70B69F0F88ECD1818E707261559285E

SHA256:

5D74A870ADC170F3FA30C534FAD42B9AD4ACDA3B8E02BBD8F335658CCC03C4AB

SSDEEP:

6144:XUqjVkdMJTexaM/XtlIdQ4/aB1Fa22PZr8mFTZUJhGgK:PVLJ0/tlu/aB1Mvx9yY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • EQNEDT32.EXE (PID: 3672)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3672)

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 2788)
      • vbc.exe (PID: 2912)

    • AVEMARIA was detected

      • vbc.exe (PID: 2912)

    • Steals credentials from Web Browsers

      • vbc.exe (PID: 2912)

    • Connects to CnC server

      • vbc.exe (PID: 2912)

    • Stealing of credential data

      • vbc.exe (PID: 2912)

    • Actions looks like stealing of personal data

      • vbc.exe (PID: 2912)

    • WARZONE detected by memory dumps

      • vbc.exe (PID: 2912)

  • SUSPICIOUS

    • Reads the computer name

      • EQNEDT32.EXE (PID: 3672)
      • vbc.exe (PID: 2788)
      • vbc.exe (PID: 2912)

    • Executed via COM

      • EQNEDT32.EXE (PID: 3672)

    • Checks supported languages

      • EQNEDT32.EXE (PID: 3672)
      • vbc.exe (PID: 2788)
      • vbc.exe (PID: 2912)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3672)

    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 3672)

    • Application launched itself

      • vbc.exe (PID: 2788)

    • Creates a directory in Program Files

      • vbc.exe (PID: 2912)

    • Creates files in the user directory

      • vbc.exe (PID: 2912)

    • Loads DLL from Mozilla Firefox

      • vbc.exe (PID: 2912)

  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 2468)

    • Reads the computer name

      • EXCEL.EXE (PID: 2468)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2468)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start excel.exe no specs eqnedt32.exe vbc.exe no specs #AVEMARIA vbc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2468"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3672"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2788"C:\Users\Public\vbc.exe" C:\Users\Public\vbc.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
TFlow
Exit code:
0
Version:
2.3.0.0
2912"C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe
vbc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
TFlow
Version:
2.3.0.0
Total events
2 209
Read events
2 116
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
2468EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR4316.tmp.cvr
MD5:
SHA256:
3672EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\.winlogon[1].exeexecutable
MD5:5F19892C01E0A41AE882B29A17F3EC59
SHA256:B5E73C2B8B50B1C740BE595901470CD8EA7DC3354DB310187ABEF4974373CF52
3672EQNEDT32.EXEC:\Users\Public\vbc.exeexecutable
MD5:5F19892C01E0A41AE882B29A17F3EC59
SHA256:B5E73C2B8B50B1C740BE595901470CD8EA7DC3354DB310187ABEF4974373CF52
2468EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B340EA65.emfemf
MD5:894A796F9211E1080192AC72B6D54A9D
SHA256:8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A
2468EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9106BEF4.emfemf
MD5:8E3A74F7AA420B02D34C69E625969C0A
SHA256:0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
2912vbc.exeC:\Users\admin\AppData\Roaming\taduntn.tmptext
MD5:736F7579F0521DAF5695CD8A3B3CDA6A
SHA256:10A24B1012BEF30456C31ABB66DF14CE66BAAA78C450A87E3E647A9E44E31E8E
2912vbc.exeC:\Users\admin\AppData\Roaming\JpCexvy.tmptext
MD5:E7CE898AADD69F4E4280010B7808116E
SHA256:C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02
2912vbc.exeC:\Users\admin\AppData\Roaming\GulAwjn.tmpsqlite
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087
SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3672
EQNEDT32.EXE
GET
200
103.139.45.3:80
http://103.139.45.3/fdcloudprotector/.winlogon.exe
unknown
executable
744 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2912
vbc.exe
103.176.113.85:5200
malicious
3672
EQNEDT32.EXE
103.139.45.3:80
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
3672
EQNEDT32.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3672
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3672
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3672
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3672
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2912
vbc.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2205117369.xlsx