General
- Target: payment_invoice_copy_A86gmDlYqpHVq5d3QIMG.xls
- Size: 74KB
- Sample: 211025-rx6qfagcd6
- MD5: 3f99e2f0043b4446380371be2bf7569b
- SHA1: d32cb945505e054cb3118194a5a804c3ee4c0571
- SHA256: b536378dd73811960730ca3fd3628ce7376d0f6b3b300a5d34c75bb87c704ef1
- SHA512: a52f8657c440e8645337970674013e74b8849ada713cf41e95506da02178e37be43614dbc76c9fedaa34dd3c3b79af42ef16c6dc23f3075a316f98f871e9bd58
Static task
- static1

Behavioral task
- behavioral1
  - Sample: payment_invoice_copy_A86gmDlYqpHVq5d3QIMG.xls
  - Resource: win7-en-20210920
- behavioral2
  - Sample: payment_invoice_copy_A86gmDlYqpHVq5d3QIMG.xls
  - Resource: win10-en-20210920

Malware Config
- Extracted URL: http://18.159.149.5/nbl/joy/11/A86gmDlYqpHVq5d3QIMG.exe
Targets
- Target: payment_invoice_copy_A86gmDlYqpHVq5d3QIMG.xls
- Size: 74KB
- MD5 / SHA1 / SHA256 / SHA512: identical to the values listed under General above
- Score: 10/10

Signatures
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext