General

  • Target

    batch1.zip

  • Size

    317.9MB

  • MD5

    a406a1680ab0115d948eddd819f8e6dd

  • SHA1

    6d94795a8708ff55809b53c1ed838d381a9e6f27

  • SHA256

    918f670361725343c108b210ca53b503b3d0a4137b7b4acfb9539d80b6e10ad5

  • SHA512

    cefebf3c52078e1883dda8284607227563ed79035eca56085c4e6eb1c97bccb881ad77ac0814bcdcdc10f7a099463b5e1aa59e6cba9edef3d00d9be566f8726b

  • SSDEEP

    6291456:s/gvNYAHnvIQzqIFWe5lKyP304soBktGyLeAI5QGxB4UuHYIv0dU2r/RJ:sIFYAHvIGR8yRdB8xI5txBoHYIqRJ

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
  • URLs
    exe.dropper  https://bitbucket.org/damnman/damn/downloads/Archive.zip

Extracted

  • Language
    ps1
  • Source
  • URLs
    exe.dropper  https://bitbucket.org/damnman/damn/downloads/putty.zip

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper  https://cdn.discordapp.com/attachments/1074394309446619298/1085646503940464700/putty.exe
    exe.dropper  https://musiccenterconference.com/dwl/Debt_bill_for_payment.docx

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper  https://bitbucket.org/damnman/damn/downloads/zxcdbc.zip
    exe.dropper  https://bitbucket.org/damnman/damn/downloads/Servicing-invoice-template.pdf

Extracted

  • Language
    ps1
  • Source
  • URLs
    exe.dropper  https://cdn.discordapp.com/attachments/997157313536344088/1060967578287222886/putty_1.exe
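
The five PowerShell stages above all resolve to file-hosting URLs (Bitbucket downloads, Discord CDN attachments, one plain web host). The script below is an added example, not part of the sandbox report: it takes the URLs exactly as extracted, matches them against web-proxy log lines, and adds two pivots a responder usually wants next: a directory-level match that catches other payloads staged in the same Bitbucket download area or Discord channel, and the upload time encoded in each Discord attachment's message ID (Discord snowflakes carry a millisecond timestamp, a well-known property and not something the report states). The proxy log lines are constructed for illustration; their layout (timestamp, client IP, action, URL) is an assumption and not any vendor's real format.

```python
"""Added example, not part of the sandbox report: turn the dropper URLs the
report extracted from the PowerShell stages into proxy-log matches and pivots.

DROPPER_URLS are copied from the Malware Config section. The proxy log lines
are constructed for illustration; their layout (timestamp, client IP, action,
URL) is an assumption, not any vendor's real format.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

DROPPER_URLS = [
    "https://bitbucket.org/damnman/damn/downloads/Archive.zip",
    "https://bitbucket.org/damnman/damn/downloads/putty.zip",
    "https://cdn.discordapp.com/attachments/1074394309446619298/1085646503940464700/putty.exe",
    "https://musiccenterconference.com/dwl/Debt_bill_for_payment.docx",
    "https://bitbucket.org/damnman/damn/downloads/zxcdbc.zip",
    "https://bitbucket.org/damnman/damn/downloads/Servicing-invoice-template.pdf",
    "https://cdn.discordapp.com/attachments/997157313536344088/1060967578287222886/putty_1.exe",
]

# Constructed proxy log: two exact hits (one with a Discord CDN query string),
# two "same staging location" pivots, one clean request, one blocked exact hit.
PROXY_LOG = """\
2023-03-16T09:12:01Z 10.0.4.23 ALLOW https://bitbucket.org/damnman/damn/downloads/putty.zip
2023-03-16T09:12:07Z 10.0.4.23 ALLOW https://cdn.discordapp.com/attachments/1074394309446619298/1085646503940464700/putty.exe?ex=65a1&is=659f&hm=ab12
2023-03-16T09:14:44Z 10.0.4.57 ALLOW https://bitbucket.org/damnman/damn/downloads/other.zip
2023-03-16T09:15:02Z 10.0.4.88 ALLOW https://cdn.discordapp.com/attachments/1074394309446619298/1085700000000000000/stage2.exe
2023-03-16T09:16:10Z 10.0.4.12 ALLOW https://www.example.org/index.html
2023-03-16T09:17:30Z 10.0.4.99 BLOCK https://musiccenterconference.com/dwl/Debt_bill_for_payment.docx
""".splitlines()


def url_key(url):
    """Normalise to (host, path): drops scheme, port, query and host case, so a
    Discord CDN link carrying its ?ex=&is=&hm= parameters still matches the IOC."""
    parts = urlsplit(url.strip())
    return ((parts.hostname or "").lower(), parts.path)


def staging_location(host, path):
    """Directory-level pivot: where a payload was staged, not one file name.
    cdn.discordapp.com paths are /attachments/<channel>/<message>/<file>;
    pivoting on the channel catches other uploads to the same channel."""
    if host == "cdn.discordapp.com":
        return host, "/".join(path.split("/")[:3])
    return host, path.rsplit("/", 1)[0]


EXACT_KEYS = {url_key(u) for u in DROPPER_URLS}
LOCATIONS = {staging_location(*url_key(u)) for u in DROPPER_URLS}


def match_proxy_log(lines):
    """Return (timestamp, client, action, url, reason) for every matching line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, action, url = fields[:4]
        key = url_key(url)
        if key in EXACT_KEYS:
            hits.append((ts, client, action, url, "exact_dropper_url"))
        elif staging_location(*key) in LOCATIONS:
            hits.append((ts, client, action, url, "same_staging_location"))
    return hits


DISCORD_EPOCH_MS = 1420070400000  # Discord snowflake epoch: 2015-01-01T00:00:00Z


def discord_snowflake_time(snowflake):
    """Snowflake IDs carry a millisecond timestamp in their top 42 bits."""
    return datetime.fromtimestamp(((snowflake >> 22) + DISCORD_EPOCH_MS) / 1000, tz=timezone.utc)


def discord_upload_time(url):
    """Upload time of a cdn.discordapp.com attachment, from its message ID
    (third path segment); None for other hosts or malformed paths."""
    host, path = url_key(url)
    segments = path.split("/")
    if host != "cdn.discordapp.com" or len(segments) < 4 or not segments[3].isdigit():
        return None
    return discord_snowflake_time(int(segments[3]))


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG):
        print(*hit)
    for u in DROPPER_URLS:
        when = discord_upload_time(u)
        if when is not None:
            print(when.isoformat(), u)
```

The exact-URL set is the high-confidence indicator; the directory pivot is deliberately looser and will also surface legitimate traffic to bitbucket.org, so treat it as a hunting lead rather than an alert. The two Discord attachment IDs from the report decode to uploads on 2023-01-06 and 2023-03-15, which brackets the campaign's staging window independently of any sandbox timestamp.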

Signatures

  • Office macro that triggers on suspicious action (1 IoC)

    Office document whose macro is set to run automatically on a document event (typically open or close) instead of on an explicit user action. This is the usual way malicious documents get their macro executed, although legitimate templates use it as well.

  • Suspicious Office macro (1 IoC)

    Office document that contains VBA macros.

  • Unsigned PE (2 IoCs)

    PE executable with no Authenticode signature (empty Certificate Table directory). On its own this is weak evidence, since many legitimate tools ship unsigned; it carries more weight here because the executables in this archive arrive under non-executable extensions such as .car.

Files

  • batch1.zip
    .zip
  • 1.dotm
    .dotm office2007

    ThisDocument

  • 11 (1).ps1
    .ps1
  • 11.dotm
    .dotm office2007

    ThisDocument

  • 11.ps1
    .ps1
  • 1cdu.doc
    .doc windows office2003

    ThisDocument

  • 1pwn.html
  • 223.ps1
    .ps1
  • 3dd.doc
    .doc windows office2003

    ThisDocument

  • 5816.ps1
    .ps1
  • 64bit.dotm
    .dotm office2007

    ThisDocument

  • 77777.dotm
    .dotm office2007

    ThisDocument

  • 998.car
    .exe windows x86

    4777e1ada873b02cb56db354a7f70062

  • Document1.docx
    .docx office2007
  • Ecnnof.scr
    .exe windows x86

    f34d5f2d4577ed6d9ceec516c1f5a744

    Code Sign

  • PStest.ps1
  • bgdn.docx
    .docx office2007
  • book1.xlsx
    .xlsx office2007
  • cdu1.doc
    .doc windows office2003

    ThisDocument

  • cdu11.doc
    .doc windows office2003

    ThisDocument

  • cgu1.dotm
    .dotm office2007

    ThisDocument

  • ch.dotm
    .dotm office2007

    ThisDocument

  • hdsjh.car
    .exe windows x86

    f821140017da12608c44c709c26211cb

  • lnaq4w6km.car
    .exe windows x86

    bbe161fe5aa80757c2bdcf65d55d1447

    Code Sign

  • pic.doc
    .doc windows office2003

    ThisDocument

  • putty.car
    .exe windows x64

    69573714e11441683ea863c40a1c0d54

    Code Sign

  • pwn.html
    .html
  • simplecryptservice.docx
    .docx office2007
  • simpledimple.xlsx
    .xlsx office2007
  • testdlyailyi_1.doc
    .dotm .doc office2007

    ThisDocument

    Module1

  • winrar.car
    .exe windows x64

    93b9d508050f74b56e67b9b55c5a60f4

    Code Sign

  • winscp.car
    .exe windows x86

    e569e6f445d32ba23766ad67d1e3787f

    Code Sign

    Exports

  • zakupka_TO_autoparka_OOO_Bereza_auto.xlsx
    .xlsx office2007
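
The Files section types several members by content rather than name: 998.car, hdsjh.car, lnaq4w6km.car, putty.car, winrar.car and winscp.car are listed as Windows executables despite the .car extension, Ecnnof.scr is a PE too, and the Unsigned PE signature fires on two of them. The script below is an added example, not the sandbox's own code: it shows the two checks behind those rows, typing a file by its MZ/PE headers regardless of extension and reading the Certificate Table data directory (index 4) in which an Authenticode signature lives. The PE images it inspects are constructed in memory as header-only test data, not real samples; only the file names are taken from the report.

```python
"""Added example, not part of the sandbox report: type a file by its PE header
rather than its extension, and test for the Certificate Table that holds an
Authenticode signature. PE images below are constructed header-only test data;
the file names come from the report's Files section.
"""
import struct

SECURITY_DIR = 4                     # IMAGE_DIRECTORY_ENTRY_SECURITY
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}


def is_pe(data):
    """MZ stub plus 'PE\\0\\0' at e_lfanew, whatever the file is called."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def security_directory(data):
    """(file offset, size) of the Certificate Table, or None if absent/empty.
    Unlike other directories, its first field is a raw file offset, not an RVA."""
    if not is_pe(data):
        return None
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4
    if len(data) < coff + 20:
        return None
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_of_opt < 2 or len(data) < opt + size_of_opt:
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at 92, directories at 96
        count_off = opt + 92
    elif magic == 0x20B:        # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        count_off = opt + 108
    else:
        return None
    entry = count_off + 4 + 8 * SECURITY_DIR
    if entry + 8 > opt + size_of_opt:
        return None
    if struct.unpack_from("<I", data, count_off)[0] <= SECURITY_DIR:
        return None
    offset, size = struct.unpack_from("<II", data, entry)
    return (offset, size) if size else None


def has_authenticode(data):
    """True if the Certificate Table points at a plausible WIN_CERTIFICATE of
    type PKCS#7 SignedData. Presence only: nothing here verifies the signature."""
    found = security_directory(data)
    if found is None:
        return False
    offset, size = found
    if size < 8 or offset + size > len(data):
        return False
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return length <= size and revision in (0x0100, 0x0200) and cert_type == 0x0002


def classify(name, data):
    """Real type, architecture, signature presence, and whether the extension
    is one Windows treats as a PE (the .car members fail that last check)."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    info = {"name": name, "ext": ext, "is_pe": is_pe(data), "arch": None,
            "signed": False, "ext_mismatch": False}
    if info["is_pe"]:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        info["arch"] = MACHINES.get(machine, hex(machine))
        info["signed"] = has_authenticode(data)
        info["ext_mismatch"] = ext not in PE_EXTENSIONS
    return info


def build_minimal_pe(pe32plus, machine, cert_size=0):
    """Constructed header-only PE image for testing; cert_size > 0 appends a
    WIN_CERTIFICATE (revision 2.0, PKCS#7) and points the directory at it."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    count_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, count_off, 16)                   # 16 data directories
    header_len = len(dos) + 4 + len(coff) + opt_size
    if cert_size:
        struct.pack_into("<II", opt, count_off + 4 + 8 * SECURITY_DIR, header_len, cert_size)
    image = dos + b"PE\0\0" + coff + bytes(opt)
    if cert_size:
        image += struct.pack("<IHH", cert_size, 0x0200, 0x0002) + b"\0" * (cert_size - 8)
    return image


if __name__ == "__main__":
    samples = [                                  # names from the report, bytes constructed
        ("998.car", build_minimal_pe(False, 0x14C)),
        ("Ecnnof.scr", build_minimal_pe(False, 0x14C, cert_size=64)),
        ("putty.car", build_minimal_pe(True, 0x8664, cert_size=64)),
        ("pwn.html", b"<html></html>"),
    ]
    for name, blob in samples:
        print(classify(name, blob))
```

A non-empty Certificate Table only says a signature blob is attached; whether it is valid, chains to a trusted root and actually covers the file's hash is a separate check (Get-AuthenticodeSignature in PowerShell, or signtool verify /pa). That distinction matters for an archive like this one, where the Files section shows a Code Sign entry for only some of the executables, and where a renamed copy of a legitimately signed tool such as putty or winrar would pass a presence check while still being out of place with a .car extension.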