1_crimson[.]zip

Resubmissions

08/02/2023, 14:54

230208-r9zgwsbh56 8

27/01/2021, 08:02

210127-knvnt1eryn 10

Sharing

Copy URL Twitter E-mail

General

Target

1_crimson.zip
Size

10.5MB
MD5

fe4dfe4f739bb53dbdde678b8cf73b89
SHA1

f7249082856e2f71f0abd3c5eca5fef7edb49400
SHA256

1524b087a9bfd3566d14f223cd228734601a20e40b0ea0a3d15db0cab2a6a405
SHA512

e00ec16f007838c49418952400444398e9a62bcb88e21e483a73c159aba7ce89e1387a44908ff236b8140fe27f53a95ee2c9790afe62dee2561dbdb6da099962
SSDEEP

196608:ZCeYyNDu4z6dKU1M1BI9/Ua4MY48VKlpVo+5M+rWOEjfQuOgg20kSWPgl:gezNDu4/g+wca4RepVoP+rIjfQPgR0kO

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 2 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
static1/unpack001/245ea1a8dc32622ae18fdc7daccbd9ee29c244faf8f6d99d332b513e5a951d26	office_macro_on_action
static1/unpack001/662c3b181467a9d2f40a7b632a4b5fe5ddd201a528ba408badbf7b2375ee3553	office_macro_on_action

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
static1/unpack001/245ea1a8dc32622ae18fdc7daccbd9ee29c244faf8f6d99d332b513e5a951d26

Files

1_crimson.zip
.zip

Password: infected
08c0c431f7f63136091854af58cd7f9e6d229f90a9b0fda813c52232c030f6ea
.dll windows x86

Password: infected

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorDllMain

Sections

.text
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1004B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
113776d3cc8409da498e898bc5e0cafc1762ce1d49e1a86c56b4d841b06efdf8
.exe windows x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
245ea1a8dc32622ae18fdc7daccbd9ee29c244faf8f6d99d332b513e5a951d26
.xls windows office2003

Module1

ThisWorkbook

Sheet1

UserForm1

Module2

Sheet2
662c3b181467a9d2f40a7b632a4b5fe5ddd201a528ba408badbf7b2375ee3553
.xls windows office2003

Module1

ThisWorkbook

Sheet1

UserForm1

Module2

Sheet2
7b455b78698f03c0201b2617fe94c70eb89154568b80e0c9d2a871d648ed6665
.exe windows x86

2962da585c964274d70856b8bd7aca0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

user32

MessageBoxA

comctl32

ord17

kernel32

CreateDirectoryA
TlsSetValue
GetExitCodeProcess
WaitForSingleObject
CreateProcessW
GetCommandLineW
GetStartupInfoW
GetVersionExA
GetProcAddress
LoadLibraryA
GetModuleFileNameW
GetModuleFileNameA
GetTempPathA
GetLastError
LoadLibraryExA
Sleep
GetProcessHeap
SetEndOfFile
MultiByteToWideChar
SetStdHandle
EnterCriticalSection
LeaveCriticalSection
GetFileType
SetConsoleCtrlHandler
GetModuleHandleW
ExitProcess
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
GetDriveTypeA
FindFirstFileA
HeapFree
HeapAlloc
DeleteFileA
FindNextFileA
GetCommandLineA
GetStartupInfoA
SetEnvironmentVariableA
WideCharToMultiByte
SetEnvironmentVariableW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
DeleteCriticalSection
SetHandleCount
GetStdHandle
SetLastError
InitializeCriticalSectionAndSpinCount
TlsGetValue
TlsAlloc
RemoveDirectoryA
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
RtlUnwind
WriteFile
GetFullPathNameA
GetCurrentDirectoryA
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
GetFileAttributesA
ReadFile
SetFilePointer
CloseHandle
GetConsoleCP
GetConsoleMode
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
FlushFileBuffers
CompareStringA
CompareStringW
HeapSize
GetLocaleInfoA
GetTimeZoneInformation
LCMapStringA
LCMapStringW
CreateFileA
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
GetStringTypeA
GetStringTypeW

ws2_32

ntohl

Sections

.text
Size: 79KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
8e170fab8cdf11b83089706a2bf4a1748844693f4c6f465e7ba89131df089b48
.dll windows x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorDllMain

Sections

.text
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 36KB - Virtual size: 35KB

.rsrc Size: 1024B - Virtual size: 1004B

.reloc Size: 512B - Virtual size: 12B

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 12KB - Virtual size: 12KB

.rsrc Size: 4KB - Virtual size: 4KB

.reloc Size: 512B - Virtual size: 12B

Module1

ThisWorkbook

Sheet1

UserForm1

Module2

Sheet2

Module1

ThisWorkbook

Sheet1

UserForm1

Module2

Sheet2

2962da585c964274d70856b8bd7aca0b

Headers

DLL Characteristics

File Characteristics

Imports

user32

comctl32

kernel32

ws2_32

Sections

.text Size: 79KB - Virtual size: 79KB

.rdata Size: 24KB - Virtual size: 23KB

.data Size: 4KB - Virtual size: 13KB

.rsrc Size: 60KB - Virtual size: 60KB

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 5KB - Virtual size: 4KB

.rsrc Size: 4KB - Virtual size: 4KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 36KB - Virtual size: 35KB

.rsrc
Size: 1024B - Virtual size: 1004B

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 12KB - Virtual size: 12KB

.rsrc
Size: 4KB - Virtual size: 4KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 79KB - Virtual size: 79KB

.rdata
Size: 24KB - Virtual size: 23KB

.data
Size: 4KB - Virtual size: 13KB

.rsrc
Size: 60KB - Virtual size: 60KB

.text
Size: 5KB - Virtual size: 4KB

.rsrc
Size: 4KB - Virtual size: 4KB

.reloc
Size: 512B - Virtual size: 12B