General
Target: EME_PO.39134.xlsx
Size: 197KB
Sample: 201125-9nzmn7vh5e
MD5: 28154b30e4541f8d656895074c181158
SHA1: e548322a1a8c28432f6c96d1dd5d145c742bc715
SHA256: f435024fb8d9ec80c3b4dc53ed5f953d2d0c7b64c67e1ec69fcc70a677b8087b
SHA512: 30869e1e9d0f7d198b38c184a2ee1cbc271435afb0dbc02825f42c8d4166c664f64ebe8d3c5adacfea59e803422dcb7d3c4ffc449a76af66e9f200d9297af675
Static task: static1
Behavioral task: behavioral1
Sample: EME_PO.39134.xlsx
Resource: win7v20201028
Behavioral task: behavioral2
Sample: EME_PO.39134.xlsx
Resource: win10v20201028
Malware Config
Extracted
formbook
http://www.cna-notary.com/mz59/
Targets
- Formbook Payload
- Blacklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext