General

Target: XLL-EXCEL-EXPLOIT--main.zip
Size: 33KB
Sample: 220918-w69kxafebp
MD5: c31e5ee554310f6b53daf5dbf473f971
SHA1: 35dcb804c308004d9de887a7b089cddadfee8d41
SHA256: 86ea220b5f1a142c4e7442f11d80bae12d158a1427de8b32afa34912685b4ce0
SHA512: 4f2a9a9ea0444c44cb6cc533f128e9882c8aca041f600b7f59b22e63159ac0c5e6aee3634ebf633d7ab72ac3cd8a1bdcb2875ec06928ddd3fa567a01be9f5341
SSDEEP: 768:da/kqw3bsyRqxsQR8wwAihYnFyNtPthQDRA9:dabcHMCZAgYFY9J
Static task: static1

Behavioral task: behavioral1
Sample: XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/Icon.vbs
Resource: win10v2004-20220812-en

Behavioral task: behavioral2
Sample: XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/MainWindow.xaml.vbs
Resource: win10v2004-20220812-en

Behavioral task: behavioral3
Sample: XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/packages/info.bat
Resource: win10v2004-20220812-en

Behavioral task: behavioral4
Sample: XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/projectrcs/Resources.vbs
Resource: win10v2004-20220901-en
Malware Config

Extracted: http://asamyz.com/ini.exe

Extracted: bitrat 1.38
wwww.ddnsgeek.com:59599
communication_password: 32c93a52f919c37c05b22825e5a57a4a
tor_process: tor
Targets

Target: XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/Icon.vb
Size: 6KB
MD5: 02c3d7634bda745586e518ebb6d4c573
SHA1: 5c0e072de24ab01cc2c2388546fdc1c47b95d693
SHA256: 1eed5f867361bd7afcdab9bc27df0677848f3a37ea9cf7d3b695d6585895d5b2
SHA512: e6fc78c83c0c3e2709b14238624739460673a33f39dd045bf3a2c0c8992018cd86af1e228e780eb5585fb6d4e4c81dd906e203d91ba69a8cfce0f96ab3ced211
SSDEEP: 192:UTmNrTOky/9ggh+zyp50CiQW7jqDyKyE/vqEbdOyYJj+jDmMw:ZNrTO7/9g2+zyp5ViQW7jqDSE/vqExOn
Score: 1/10

Target: XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/MainWindow.xaml.vb
Size: 4KB
MD5: d9a7d2413643c13d6c622810861eeb07
SHA1: 6392ed80ec3c215b55029c5fae0bee4ff7036667
SHA256: befd6bca6e67decc2712f4eb3b466ea2870eca8b1e3c497f7a552755ea0f3c91
SHA512: ced16ecb7dd0e552780a26bff09f1d64ba0f586f004b586d22726ab92183afe0cef939d10b8eee9383c9a4d4baac367db93192102bf4f2d2bd3b64f77310354d
SSDEEP: 96:PgL70cYYfw+tuF/yqWWdLZi8hmfbt+BuzZNqWiT+yzQ:CYYf/tC/ybS2t+BuzZniNQ
Score: 1/10

Target: XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/packages/info.bat
Size: 5KB
MD5: 6029bfd4036c00fc9abb4decf00163d7
SHA1: f0483462eb8bce5ba67bb08c420cbea4437dd066
SHA256: a795f07f8bd65437d65ac3431fcd3e45c92f741bb9b4e24183267533a79a0b2f
SHA512: 3854c0a6f3552056bd11456843ecc4cd36cfbbf41172278f90df3ac0416a762113d791b348cbedb7b7efff31656ca3abc73e629f5477b2bb61c881287bcccb41
SSDEEP: 96:hwB9ZsSwiv/DZL7CCUkltOL3eOlZ8n6P19dHdRgbVwTnHApiDMUV:hqwg/cC9OL3eOlZ99dHdRg+TnHn
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/projectrcs/Resources.resx
Size: 5KB
MD5: c07716633f086d91759ae32a18996a1a
SHA1: bf3383c20acf6e64ce49f120938456161e5f6cb9
SHA256: 4e124f5a7694ffe813c60601b1b73c53e47536b1f1c0e798d4d55bfc2ca3774f
SHA512: c6ad0ec603ff69d2d1b787db9426f29d44ea1ba45cf1d2b7ec41cc2bd6d5c93af8d2299139cc1c5d10d56718f36daa37d544f8d5411fad91a72efc2e70454cdf
SSDEEP: 96:ECf+lbD5X5LPXCazYV5Lv6K6uOidfaxwsxuUPFE3qxdRMvDTursrbLAy202W:Zf+tLPfYnLvFVOiFQaUR6
Score: 1/10

Target: XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/projectnls.scr
Size: 90KB
MD5: f257db29d0439adc56190a15a6336b90
SHA1: 7e974d2a767fa11832a0ae08f490d26ad552aebb
SHA256: 21e2dbf71e3f8f5c26914792ef4889d7a85cba85420e467917e7f1bd4ee56dd0
SHA512: 8503c5e71cb6e9232527431a527b21dccd0d60baa1b69e560a334b2d7a682cd51c8e21942e83e1d1202426fd7434e88da9c7197420ed116c4780e78ef49a4dbe
SSDEEP: 96:/WKqcNOUKaSG7BzIIt//JROTTcliIG8xmmPM+MSpiME7zGM62l1FsfjvKZtttttz:/W0NOUKaFvaAmH762nmK89u1
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger