A malicious Excel file using steganography was analyzed, revealing embedded XLS sheets and a complex infection chain. The file downloads an HTA file that creates a BAT file, which in turn generates and executes a VBS file. The VBS file fetches a VBA script that creates and runs a PowerShell script. The PowerShell script downloads an image containing a hidden payload delimited by specific tags. The payload is a Base64-encoded PE file, which is decoded and executed as a DLL. The final payload appears to be a Katz stealer. This analysis highlights the use of multiple file types and steganography techniques to evade detection.
Author: AlienVault
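The last stage described above (an image carrying a Base64-encoded PE between delimiter tags) is easy to triage offline once the markers are known. The following is an added example, not part of the pulse and not AlienVault's code: it scans a downloaded image for tag-delimited runs, attempts a strict Base64 decode of each, and flags any that decode to a PE (the "MZ" DOS header). The tag names START_TAG and END_TAG are assumptions, since the pulse does not name the real markers; the sample image and the 68-byte fake PE stub are constructed inputs for the demonstration.

```python
import base64
import binascii
import re

# Placeholder delimiter tags. The pulse says the payload is "delimited by specific tags"
# but does not name them; these values are assumptions for the demonstration and would be
# replaced by the markers recovered from the actual PowerShell stage.
START_TAG = b"<<PAYLOAD_START>>"
END_TAG = b"<<PAYLOAD_END>>"


def extract_delimited_blobs(data: bytes, start: bytes = START_TAG, end: bytes = END_TAG) -> list:
    """Return every byte run found between a start and end marker, in order."""
    pattern = re.escape(start) + rb"(.*?)" + re.escape(end)
    return [m.group(1) for m in re.finditer(pattern, data, re.DOTALL)]


def looks_like_pe(blob: bytes) -> bool:
    """A PE file begins with the 'MZ' DOS header signature."""
    return blob[:2] == b"MZ"


def triage_image(data: bytes) -> list:
    """Scan image bytes for delimited Base64 blobs and report whether each decodes to a PE.

    Runs that are not valid Base64 are skipped rather than reported, because the
    pattern being detected is specifically a Base64-encoded executable."""
    findings = []
    for raw in extract_delimited_blobs(data):
        cleaned = re.sub(rb"\s+", b"", raw)  # tolerate line-wrapped Base64
        try:
            decoded = base64.b64decode(cleaned, validate=True)
        except (binascii.Error, ValueError):
            continue
        findings.append({
            "encoded_len": len(cleaned),
            "decoded_len": len(decoded),
            "is_pe": looks_like_pe(decoded),
        })
    return findings


# Constructed sample inputs (not real campaign artifacts): a PNG-like header and filler,
# followed by a Base64 blob between the placeholder tags. _FAKE_PE is a 68-byte stub
# that only carries the MZ/PE signatures needed to trigger the check.
_FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    + START_TAG + base64.b64encode(_FAKE_PE) + END_TAG
    + b"\x00" * 16
)
BENIGN_SAMPLE = START_TAG + base64.b64encode(b"just some text") + END_TAG
NOT_BASE64_SAMPLE = START_TAG + b"!!! not base64 !!!" + END_TAG

if __name__ == "__main__":
    for name, sample in [("SAMPLE_IMAGE", SAMPLE_IMAGE), ("BENIGN_SAMPLE", BENIGN_SAMPLE)]:
        print(name, triage_image(sample))
```

In practice the markers come from the decoded PowerShell stage, and a hit with `is_pe` set is a strong signal that the image is a carrier rather than a picture; hashing the decoded bytes at that point gives a pivot back to the file hashes listed below.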
Related Tags: dll, T1059.005, T1059.007, T1027.002, HTA, T1204.002, T1547.001, T1059.001, Excel
Associated Indicators:
SHA256: C92C761A4C5C3F44E914D6654A678953D56D4D3A2329433AFE1710B59C9ACD3A
SHA256: 5A73927D56C0FD4A805489D5817E1AA4FBD491E5A91ED36F4A2BABEF74158912
SHA1: 601C9F4AB0FE48EEA3F852EA9418EB3F0B3D8F99
SHA1: 5730AA469972B91B05AF9424DC17B63130304DBF
MD5: 2A1B8592EF9E40CF304968F1F1BB206B
MD5: 15CC16763E16A1239EAC4F78D5E4F316
URL: http://107.172.235.203/245/wecreatedbestsolutionswithniceworkingskill.hta