General
Target: PO EME39134.xlsx
Size: 197KB
Sample: 201125-8kvlersfbn
MD5: f36e2fd82cab99bcaef9ab3a9782a9ef
SHA1: a7025bb62c32006928952d001ca41bb203759c6d
SHA256: eaafa016e0754ffed792dab0d4ea318ef3db1671ad265a4906978a863f44703f
SHA512: 919e1909d300e4ae3293d151282790422f1d1b4b9659d1ccf69d1031e90d7adcf6132329ab0305d5611410ad5bf19b1e090b583462e75ed9f4a5944b1ce0d89b
Static task: static1
Behavioral task: behavioral1 (Sample: PO EME39134.xlsx, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: PO EME39134.xlsx, Resource: win10v20201028)
Malware Config
Extracted: formbook
http://www.pethgroup.com/mfg6/
sygsytl.com
nansents.com
hoxtv.com
forevergrace.store
vdevny.com
couturetherapie.com
realnice.media
bio1usa.com
xn--n3cgab8bb5cvabb1bu1bw4y.com
restauranttents.com
dillenburghomeinspection.com
boboyan.com
oyagu.com
flawlessfacess.com
rifatreza.com
sellwiththetwins.com
soulmarkhome.com
digitaluj.com
poladip.online
rtrqoo.com
fsgenk.net
sharemycure.com
webbsolicitors.com
thegoatfederation.com
tigerishterryn.com
nirmanamconsult.com
souryan.com
treatshut.net
fatureonlineja.com
fuquay-varinaweightloss.com
ppc-listing.info
chateauoftheweek.com
unlikethesea.com
kateupon.com
brownskinbird.com
oursishow.com
scoredossonhos.com
sprlua.com
guardianangelsforkids.com
jbeckwith.net
birddogfloral.com
nao-randd.info
wagoncraft.space
achtungisobar.com
grv12000.com
shortwalktopluto.com
intact.media
finkicart.xyz
weinsureclinics.com
muvmiry.com
outlancer.info
philippinesjobbank.com
bostonrealestate.club
etqcghpfz.icu
chattm8.com
jokinu.com
freec2b.com
0397888.com
silkandsoleil.com
ro90s.com
freundhund.com
getmytotalav.com
go4spicy.com
hrreverie.com
Targets
Target: PO EME39134.xlsx
Size: 197KB
MD5: f36e2fd82cab99bcaef9ab3a9782a9ef
SHA1: a7025bb62c32006928952d001ca41bb203759c6d
SHA256: eaafa016e0754ffed792dab0d4ea318ef3db1671ad265a4906978a863f44703f
SHA512: 919e1909d300e4ae3293d151282790422f1d1b4b9659d1ccf69d1031e90d7adcf6132329ab0305d5611410ad5bf19b1e090b583462e75ed9f4a5944b1ce0d89b
- Formbook Payload
- Blacklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext