Epic Manchego – atypical maldoc delivery brings flurry of infostealers
Tags
Common Information
Type | Value |
---|---|
UUID | d3f7c4c4-ca30-4699-83ce-86d08910b3c6 |
Fingerprint | b4910b9b8bfe87e2 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Sept. 1, 2020, 1:33 p.m. |
Added to db | Sept. 11, 2022, 12:38 p.m. |
Last updated | Nov. 18, 2024, 10:33 a.m. |
Headline | Epic Manchego – atypical maldoc delivery brings flurry of infostealers |
Title | Epic Manchego – atypical maldoc delivery brings flurry of infostealers |
Detected Hints/Tags/Attributes | 104/4/32 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 53 | | oledump.py |
Details | File | 29 | | vbaproject.bin |
Details | File | 1 | | vba.xlsm |
Details | File | 2 | | vba.txt |
Details | File | 49 | | oledump.py |
Details | File | 1 | | list.xlsm |
Details | File | 4 | | drawing1.xml |
Details | File | 226 | | rockyou.txt |
Details | File | 1 | | crefgyu.exe |
Details | File | 1 | | _2_09_2020.xlsx |
Details | File | 1 | | _2608.xlsm |
Details | File | 9 | | workbook.xml |
Details | File | 17 | | core.xml |
Details | File | 16 | | app.xml |
Details | md5 | 1 | | 8857fae198acd87f7581c7ef7227c34d |
Details | md5 | 1 | | 7D71F885128A27C00C4D72BF488CD7CC |
Details | md5 | 1 | | 551b5dd7aff4ee07f98d11aac910e174 |
Details | sha256 | 1 | | 8a863b5f154e1ddba695453fdd0f5b83d9d555bae6cf377963c9009c9fa6c9be |
Details | sha256 | 1 | | c40fa887be0159016f3afd43a3bdec6d11078e19974b60028b93def1c2f95726 |
Details | sha256 | 1 | | 45cab564386a568a4569d66f6781c6d0b06a9561ae4ac362f0e76a8abfede7bb |
Details | MITRE ATT&CK Techniques | 311 | | T1566.001 |
Details | MITRE ATT&CK Techniques | 366 | | T1204.002 |
Details | MITRE ATT&CK Techniques | 505 | | T1140 |
Details | MITRE ATT&CK Techniques | 183 | | T1036.005 |
Details | MITRE ATT&CK Techniques | 34 | | T1027.001 |
Details | MITRE ATT&CK Techniques | 160 | | T1027.002 |
Details | MITRE ATT&CK Techniques | 26 | | T1027.003 |
Details | MITRE ATT&CK Techniques | 59 | | T1055.001 |
Details | MITRE ATT&CK Techniques | 40 | | T1055.002 |
Details | MITRE ATT&CK Techniques | 97 | | T1497.001 |
Details | Url | 1 | | http://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers |
Details | Yara rule | 1 | | xlsm_without_metadata_and_with_date (rule text reproduced below) |

The YARA rule attribute, as it appears on the page, restored to its multi-line form (it flags .xlsm files that carry a VBA project but lack the docProps metadata parts and the ZIP local-header timestamp that Excel itself writes):

```yara
rule xlsm_without_metadata_and_with_date
{
    meta:
        description = "Identifies .xlsm files created with EPPlus"
        author = "NVISO (Didier Stevens)"
        date = "2020-07-12"
        reference = "http://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers"
        tlp = "White"
    strings:
        $opc = "[Content_Types].xml"
        $ooxml = "xl/workbook.xml"
        $vba = "xl/vbaProject.bin"
        $meta1 = "docProps/core.xml"
        $meta2 = "docProps/app.xml"
        $timestamp = { 50 4B 03 04 ?? ?? ?? ?? ?? ?? 00 00 21 00 }
    condition:
        uint32be(0) == 0x504B0304 and
        ($opc and $ooxml and $vba) and
        not (any of ($meta*) and $timestamp)
}
```