General

Target: Client.vbs
Size: 13KB
Sample: 210111-1xryhp5nse
MD5: 9ca403f0126aca99dc9a1f58b748ec09
SHA1: 2cdd3b9af90f1bd5c391b7cb0b2dc27b148e97a5
SHA256: 8cc59465e09b47aa8c0fa9f06198c9a2e8a94eec0b7bf7c7e63cf1f972f6e88a
SHA512: a05eb64c8a08e83a5503cc77f3c91192c93c0c7219f68c2257ef51cb25e37a92e2c7fb2797513cf4db64ab9ae20d6269ac51a5a037bbf9119bcbf46d4b23f22b

Static task: static1
Behavioral task: behavioral1
Sample: Client.vbs
Resource: win7v20201028
Malware Config

Extracted: formbook
Targets

Target: Client.vbs
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Formbook Payload
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext