Sample File: MD5 hash: d25dcc932a1e35ad7d30d8d474002a9e SHA1 hash: 3759f8e0e93a4b7d35843ba3cc06fdc8fc76abab SHA256 hash: a72e6befaa6cab0d3e5cf38046831d8e0a07c296f9fb5da16f97242e268c4b70 SSDEEP hash: 384:io8AY64U4jONgiIvUyGcSxwAjLMgM084JDHVYc1Pd0jJJltpPXxCTlh3I/Ei:j/ff+qtHVR7aLfxCroE Filename(s): 1.doc Filetype: Word Document Mutex IOCs: - None - Registry Key IOCs (as listed, largely standard VBA, TypeLib and Command Processor keys; entries such as Command Processor\AutoRun and User Shell Folders\Startup are the ones worth correlating): HKEY_CLASSES_ROOT\Licenses HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors HKEY_CLASSES_ROOT\TypeLib HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup Domain IOCs: www.rabadaun.com IP IOCs: 186.122.150.107 134.0.11.201 URL IOCs: http://186.122.150.107/cc/index.php https://www.rabadaun.com/wordpress/wp-content/themes/TEMP.so File IOCs (as recorded, this list mixes standard system and security-product directories with sample-specific paths and hashes): Filenames: C:\ProgramData\AVAST Software C:\ProgramData\360TotalSecurity C:\ProgramData\ESET C:\ProgramData\AVG c:\programdata\a7963\tlworker.exe [trailing garbled bytes dropped] 0c26b620ab8e6837cbb9527f79a4cd029243b0da2f72c420f257fc4a2c6f4b44 C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Templates\spolsve.exe C:\ProgramData\Panda 
Security C:\ProgramData\Kaspersky Lab C:\ProgramData\a7963 7017296fe4621fb5765b17dfc94485c7663d18f3cc35159f368899a55cce4ee5 C:\ProgramData\Norton C:\ProgramData\Bitdefender \??\C:\Users\FD1HVy\AppData\Local\Temp\Liebert.bmp 7b4a7c7987a3369a6db20234da3b9789d913048e981d352493cd5608c2316ade System Paging File Normal \??\C:\WINDOWS\SYSTEM32\ntdll.dll C:\Users\FD1HVy\Documents C:\WINDOWS\SysWOW64\cmd.exe C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL C:\ProgramData\Comodo C:\ProgramData\Sophos C:\Users\FD1HVy\Desktop\1.doc \??\C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Templates\spolsve.exe C:\ProgramData\Avira C:\ProgramData\Doctor Web MD5 hashes: d25dcc932a1e35ad7d30d8d474002a9e 4c4e9399be1f937ffccd3e0ac1dba517 335fafc74a1d3a0caebc3e1896c46351 f160c057fded2c01bfdb65bb7aa9dfcc 7955497d0248dbb62f643c3a5a62def5 SHA1 hashes: 3759f8e0e93a4b7d35843ba3cc06fdc8fc76abab 2081f4a1c334b5b498155f5629923f89c16325a6 1ea45f4793f6ac81f252a74dfd6a2423bd66b612 186ba56d73a56d61add69242e113aabfe8d41e46 1e14de870b1c4b09cbf81206562a254c27178d85 SHA256 hashes: efc139dc0e280a374065dc59c55a45b5146f091a85a3abd6f0caf1a9a2f8b060 7017296fe4621fb5765b17dfc94485c7663d18f3cc35159f368899a55cce4ee5 0c26b620ab8e6837cbb9527f79a4cd029243b0da2f72c420f257fc4a2c6f4b44 7b4a7c7987a3369a6db20234da3b9789d913048e981d352493cd5608c2316ade a72e6befaa6cab0d3e5cf38046831d8e0a07c296f9fb5da16f97242e268c4b70 SSDEEP hashes: 384:io8AY64U4jONgiIvUyGcSxwAjLMgM084JDHVYc1Pd0jJJltpPXxCTlh3I/Ei:j/ff+qtHVR7aLfxCroE 6:TMVBd/JdWn8FH2Fic4svquXI9qvyn4mc4sVIHI6/KAEtm:TMHdmnMW0uXI9qvy45IOh4 24:2dmMPmIAvy45SUtXYuwxvqmrxrqTt+YVbOr:cVmIAqySCYuQlowQm 3:A7G0FDTa26XJT4W8YMlgh0Dec:A7G0NDaeYMlVp 6144:deSI8dD+Zp4IWoafJC8WVpH4dx98hNVVjr/:deSI8ha4ItNVVn